On Fri, 26 May 2006, Gray, Eric wrote:
> For those of us that are just trying to follow this discussion, what does
> the word "posture" mean in this context?

According to draft-thomson-nea-problem-statement-02.txt:

   "Posture: Posture refers to the hardware or software configuration of
   an endpoint as it pertains to an organization's security policy.
   Posture may include knowledge about the types of hardware and software
   installed and their configurations, e.g. OS name and version,
   application patch levels, and anti-virus signature file version."
> -- Eric
>
> > -----Original Message-----
> > From: Narayanan, Vidya [mailto:vidyan@xxxxxxxxxxxx]
> > Sent: Friday, May 26, 2006 2:05 PM
> > To: Sam Hartman; Bernard Aboba
> > Cc: ietf@xxxxxxxx
> > Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
> >
> > > >>>>> "Bernard" == Bernard Aboba <aboba@xxxxxxxxxxxxx> writes:
> > >
> > > >> My question is more why do they need EAP in situations where
> > > >> they are not running at the link layer than why do they want or
> > > >> not want PANA.
> > >
> > > Bernard> The simple answer is that there are situations which IEEE
> > > Bernard> 802.1X cannot handle on wired networks. As specified,
> > > Bernard> IEEE 802.1X is "network port control", which means that
> > > Bernard> authorization is controllable only at the port level. If
> > > Bernard> there is more than one host connected to a switch port,
> > > Bernard> then that model no longer applies.
> > >
> > > Yeah. I guess I wonder whether you are actually getting
> > > network access authentication at that point or whether you
> > > are getting a service that allows you to check posture. It
> > > seems that a service that simply allows you to check posture
> > > should be not EAP.
> >
> > I fully agree. As far as I can tell, using EAP in this manner merely
> > reduces it to a posture transport protocol. The level of security
> > provided by EAPoUDP does not seem to be any greater than a
> > Kerberos-based authentication done today in most enterprise networks,
> > considering the presence of switched Ethernet. Hence, the only reason to
> > move to EAPoUDP would be to check posture and I agree with Sam that
> > making EAP the posture transport protocol is a bad idea.
> >
> > Vidya
-- 
Lucy E. Lynch
Academic User Services
Computing Center
University of Oregon
llynch @darkwing.uoregon.edu
(541) 346-1774

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
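Two small models of the concepts argued over in this thread, added here as an example and not taken from the thread, the NEA draft or any 802.1X implementation. The first evaluates an endpoint's self-reported posture (OS version, patch level, anti-virus signature version, as in the draft's definition) against a policy. The second models the "network port control" limitation Bernard describes: authorization state is kept per switch port, so once one supplicant has passed EAP, any other host sharing that port is forwarded too. The policy thresholds, attribute names and MAC addresses are constructed for illustration.

```python
"""Added example: posture evaluation and port-based authorization models.
Policy values, attribute names and MAC addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# --- 1. Posture evaluation -------------------------------------------------

def parse_version(s: str) -> Tuple[int, ...]:
    """'5.1.2600' -> (5, 1, 2600). Compared element-wise, so 5.10 > 5.9."""
    return tuple(int(p) for p in s.split("."))


# Constructed policy: minimum acceptable values per reported OS name.
POLICY = {
    "Windows": {"min_os": "5.1.2600", "min_patch_level": 2, "min_av_sigs": "2006.05.20"},
    "Linux":   {"min_os": "2.6.16",   "min_patch_level": 0, "min_av_sigs": "2006.05.20"},
}


def evaluate_posture(posture: dict) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). `posture` is whatever the endpoint reports,
    e.g. {"os": "Windows", "os_version": "5.1.2600", "patch_level": 2,
          "av_sig_version": "2006.05.24"}.
    Note that nothing here verifies the report: posture checking tells you
    what the endpoint *claims* to be, which is not the same as authenticating it."""
    reasons: List[str] = []
    rule = POLICY.get(posture.get("os", ""))
    if rule is None:
        return False, ["unknown OS %r" % posture.get("os")]
    if parse_version(posture.get("os_version", "0")) < parse_version(rule["min_os"]):
        reasons.append("OS version below minimum")
    if int(posture.get("patch_level", 0)) < rule["min_patch_level"]:
        reasons.append("patch level below minimum")
    if parse_version(posture.get("av_sig_version", "0")) < parse_version(rule["min_av_sigs"]):
        reasons.append("anti-virus signatures out of date")
    return (not reasons), reasons


# --- 2. Port-based authorization (802.1X "network port control") -----------

@dataclass
class Port:
    authorized: bool = False
    authenticated_by: Optional[str] = None  # MAC of the supplicant that passed EAP


@dataclass
class PortBasedSwitch:
    """Authorization state lives on the port, not on the host behind it."""
    ports: Dict[int, Port] = field(default_factory=dict)

    def eap_success(self, port_no: int, mac: str) -> None:
        """The authenticator moves the controlled port to Authorized."""
        p = self.ports.setdefault(port_no, Port())
        p.authorized, p.authenticated_by = True, mac

    def forwards(self, port_no: int, src_mac: str) -> bool:
        """Forwarding decision depends only on port state; src_mac is ignored,
        which is exactly the multi-host-per-port problem from the thread."""
        return self.ports.setdefault(port_no, Port()).authorized


def multi_host_demo() -> Dict[str, bool]:
    """Host A authenticates on port 1; host B is plugged into the same port
    through a hub and never authenticates; host C sits alone on port 2."""
    sw = PortBasedSwitch()
    before = sw.forwards(1, "00:00:00:00:00:0b")
    sw.eap_success(1, "00:00:00:00:00:0a")
    return {
        "B_before_A_auth": before,
        "B_after_A_auth": sw.forwards(1, "00:00:00:00:00:0b"),
        "C_on_other_port": sw.forwards(2, "00:00:00:00:00:0c"),
    }


if __name__ == "__main__":
    print(evaluate_posture({"os": "Windows", "os_version": "5.1.2600",
                            "patch_level": 2, "av_sig_version": "2006.04.01"}))
    print(multi_host_demo())
```

`multi_host_demo` returns `B_after_A_auth` as true: the unauthenticated host inherits the port's authorized state, which is why a per-port model cannot distinguish hosts that share a port. The posture check, by contrast, only compares claimed attributes against policy and says nothing about who the endpoint is.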