RE: The Emperor Has No Clothes: Is PANA actually useful?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Lucy,

	Thanks!

--
E 

--> -----Original Message-----
--> From: Lucy E. Lynch [mailto:llynch@xxxxxxxxxxxxxxxxxxxx] 
--> Sent: Friday, May 26, 2006 2:31 PM
--> To: Gray, Eric
--> Cc: Narayanan, Vidya; Sam Hartman; Bernard Aboba; ietf@xxxxxxxx
--> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
--> 
--> On Fri, 26 May 2006, Gray, Eric wrote:
--> 
--> > For those of us that are just trying to follow this discussion,
--> > what does the word "posture" mean in this context?
--> 
--> according to draft-thomson-nea-problem-statement-02.txt
--> 
--> "Posture: Posture refers to the hardware or software 
--> configuration of
-->     an endpoint as it pertains to an organization's security policy.
-->     Posture may include knowledge about the types of hardware and
-->     software installed and their configurations, e.g.  OS name and
-->     version, application patch levels, and anti-virus signature file
-->     version."
--> 
--> 
--> 
--> > --
--> > Eric
--> >
--> > --> -----Original Message-----
--> > --> From: Narayanan, Vidya [mailto:vidyan@xxxxxxxxxxxx]
--> > --> Sent: Friday, May 26, 2006 2:05 PM
--> > --> To: Sam Hartman; Bernard Aboba
--> > --> Cc: ietf@xxxxxxxx
--> > --> Subject: RE: The Emperor Has No Clothes: Is PANA 
--> actually useful?
--> > -->
--> > --> >
--> > --> > >>>>> "Bernard" == Bernard Aboba 
--> <aboba@xxxxxxxxxxxxx> writes:
--> > --> >
--> > --> >     >> My question is more why do they need EAP in
--> > --> situations where
--> > --> >     >> they are not running at the link layer than why do
--> > --> they want or
--> > --> >     >> not want PANA.
--> > --> >
--> > --> >     Bernard> The simple answer is that there are
--> > --> situations which IEEE
--> > --> >     Bernard> 802.1X cannot handle on wired networks.  As
--> > --> specified,
--> > --> >     Bernard> IEEE 802.1X is "network port control", which
--> > --> means that
--> > --> >     Bernard> authorization is controllable only at the
--> > --> port level.  If
--> > --> >     Bernard> there is more than one host connected to a
--> > --> switch port,
--> > --> >     Bernard> then that model no longer applies.
--> > --> >
--> > --> > Yeah.  I guess I wonder whether you are actually getting
--> > --> > network access authenticatino at that point or whether you
--> > --> > are getting a service that allows you to check posture.  It
--> > --> > seems that a service that simply allows you to check posture
--> > --> > should be not EAP.
--> > --> >
--> > -->
--> > -->
--> > --> I fully agree. As far as I can tell, using EAP in 
--> this manner merely
--> > --> reduces it to a posture transport protocol. The level 
--> of security
--> > --> provided by EAPoUDP does not seem to be any greater than a
--> > --> kerberos-based authentication done today in most enterprise
--> > --> networks,
--> > --> considering the presence of switched ethernet. Hence, the
--> > --> only reason to
--> > --> move to EAPoUDP would be to check posture and I agree 
--> with Sam that
--> > --> making EAP the posture transport protocol is a bad idea.
--> > -->
--> > --> Vidya
--> > -->
--> > -->
--> > --> > _______________________________________________
--> > --> > Ietf mailing list
--> > --> > Ietf@xxxxxxxx
--> > --> > https://www1.ietf.org/mailman/listinfo/ietf
--> > --> >
--> > -->
--> > --> _______________________________________________
--> > --> Ietf mailing list
--> > --> Ietf@xxxxxxxx
--> > --> https://www1.ietf.org/mailman/listinfo/ietf
--> > -->
--> >
--> > _______________________________________________
--> > Ietf mailing list
--> > Ietf@xxxxxxxx
--> > https://www1.ietf.org/mailman/listinfo/ietf
--> >
--> 
--> -- 
--> Lucy E. Lynch 				Academic User Services
--> Computing Center			University of Oregon
--> llynch  @darkwing.uoregon.edu		(541) 346-1774
--> 

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]