Lucy,

Thanks!

--
Eric

> -----Original Message-----
> From: Lucy E. Lynch [mailto:llynch@xxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, May 26, 2006 2:31 PM
> To: Gray, Eric
> Cc: Narayanan, Vidya; Sam Hartman; Bernard Aboba; ietf@xxxxxxxx
> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
>
> On Fri, 26 May 2006, Gray, Eric wrote:
>
> > For those of us that are just trying to follow this discussion,
> > what does the word "posture" mean in this context?
>
> According to draft-thomson-nea-problem-statement-02.txt:
>
> "Posture: Posture refers to the hardware or software configuration of
> an endpoint as it pertains to an organization's security policy.
> Posture may include knowledge about the types of hardware and
> software installed and their configurations, e.g. OS name and
> version, application patch levels, and anti-virus signature file
> version."
>
> > --
> > Eric
> >
> > > -----Original Message-----
> > > From: Narayanan, Vidya [mailto:vidyan@xxxxxxxxxxxx]
> > > Sent: Friday, May 26, 2006 2:05 PM
> > > To: Sam Hartman; Bernard Aboba
> > > Cc: ietf@xxxxxxxx
> > > Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
> > >
> > > > >>>>> "Bernard" == Bernard Aboba <aboba@xxxxxxxxxxxxx> writes:
> > > >
> > > > >> My question is more why do they need EAP in situations where
> > > > >> they are not running at the link layer than why do they want or
> > > > >> not want PANA.
> > > >
> > > > Bernard> The simple answer is that there are situations which IEEE
> > > > Bernard> 802.1X cannot handle on wired networks. As specified,
> > > > Bernard> IEEE 802.1X is "network port control", which means that
> > > > Bernard> authorization is controllable only at the port level. If
> > > > Bernard> there is more than one host connected to a switch port,
> > > > Bernard> then that model no longer applies.
> > > >
> > > > Yeah. I guess I wonder whether you are actually getting
> > > > network access authentication at that point or whether you
> > > > are getting a service that allows you to check posture. It
> > > > seems that a service that simply allows you to check posture
> > > > should not be EAP.
> > >
> > > I fully agree. As far as I can tell, using EAP in this manner merely
> > > reduces it to a posture transport protocol. The level of security
> > > provided by EAPoUDP does not seem to be any greater than a
> > > Kerberos-based authentication done today in most enterprise networks,
> > > considering the presence of switched Ethernet. Hence, the only reason to
> > > move to EAPoUDP would be to check posture, and I agree with Sam that
> > > making EAP the posture transport protocol is a bad idea.
> > >
> > > Vidya
>
> --
> Lucy E. Lynch                Academic User Services
> Computing Center             University of Oregon
> llynch @darkwing.uoregon.edu (541) 346-1774

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf