Hi Vidya
Inline ...
<snip>
>
> How about adding this text - "It should be noted that the networks at
> large are exposed to attacks from lying endpoints and
> external entities
> attaching to the networks as well as any problems arising from unknown
> vulnerabilities on NEA compliant endpoints. Hence, NEA must not be
> considered a protection mechanism for networks. Further, mechanisms
> needed to protect the network from all kinds of vulnerabilities are
> expected to be a superset of any protection that may be achieved by
> employing NEA"?
>
It seems to me that this better belongs in a security considerations
section of the NEA spec, especially given where we are in the review
cycle and the amount of time spent on this specific section already.
<snip>
> >
> > Bearing the original motivation in mind, would the following
> > work better?
> > "An organization may make a range of policy decisions based
> > on the posture of an endpoint. NEA is not intended to be
> > prescriptive in this regard. For example, potential
> > deployment scenarios may include,but are not limited to,
> > providing normal access regardless of compliance with
> > recommendations for remediation ("advisory mode"), as well as
> > providing restricted access sufficient for remediation
> > purposes and any essential services until an endpoint is in
> > compliance ("mandatory mode").
> >
>
> I'm not sure that the charter actually needs to get into the modes at
> all - I'm guessing what happens after NEA (i.e., what is done with the
> results from NEA) has zero impact on any work being done in
> NEA itself.
> So, why not simply state something like "Once NEA is conducted on an
> endpoint, the results may be used by an organization in
> accordance with
> any policies of the organization itself."?
>
Again, the text was added at the request of the security AD. I have no
problem with Sam Hartman's modification to the text I proposed, your
text above, or none at all.
<snip>
> That is not necessarily putting any requirements in the choice of the
> mandatory to implement protocol itself, as I see it. I believe that
> stating something like "The mandatory to implement PT protocol must be
> generic enough to allow the execution of the NEA procedure without
> forcing the need to re-execute network access procedures".
>
I think protocol requirements belong in the requirements I-D.
<snip>
> Not only do I not see anything in the charter or milestones that
> indicates that the WG is going to spend time exploring this,
> I strongly
> believe this WG should not be spending any time looking at this. The
> trust models for the cases where the devices are not owned by the
> organization performing NEA are hugely different and can take
> up its own
> WG to actually find something that applies there, if at all. For one,
> this could be considered a violation of privacy by the user of the
> device. Secondly, the end user's perspective of attacks may
> be entirely
> different from the organization's perspective in this case. Third, I
> simply can't see what the organization's interests would be in
> protecting a device that doesn't even belong to it. Last but not the
> least, this requires the endpoint to be running an NEA client (that is
> interoperable with the NEA server of the organization) -
> which in itself
> is often an unrealistic requirement.
>
> Organizations that provide services in their networks to end users are
> worried about protecting their resources (i.e., networks, servers,
> etc.). As we have agreed, NEA does not protect such resources anyway.
> Plus, there is absolutely no reason such organizations should believe
> that devices they don't own are in fact, truthful endpoints.
>
> So, thinking that this WG must be looking into resolving this seems
> flawed at several levels. In the interest of having a focused WG that
> can get something useful accomplished, this does not make sense.
>
No argument with your gist here. The point I was trying to make is that
I think applicability may not be quite as "black and white" as your
original text suggests, and it would be better if the applicability and
security considerations associated with NEA be addressed in the WG and
specified in the appropriate NEA documents.
The charter could express itself better in this regard. If the last
sentence was replaced with something like: "NEA can be limited in its
applicability when the endpoint and the organization providing network
access are owned by different parties. NEA applicability and security
considerations will be described in the appropriate NEA documents."
Would this work?
Thanks
Susan
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf