I have seen a lot of discussion about whether NEA provides "network protection". In fact, it has been suggested that the charter be revised to say "NEA must not be considered a protection mechanism for networks." I don't agree.

Let's start by examining this concept of "network protection". It's an awfully broad concept. No single security technology can provide total protection for a network against all attacks. Instead, a careful threat analysis must be done and layered countermeasures put in place: firewalls, malware scanning, intrusion detection and prevention, strong authentication and authorization, strong encryption for data at rest and in transit, user education, etc. In the context of an overall security program and when combined with other security technologies, NEA can help protect networks. Let me list the ways.

First, NEA can help improve the security of cooperating, truthful endpoints. When a cooperating, truthful endpoint connects to the network, its health can be checked and any problems fixed before it can come under attack. This helps protect networks by keeping endpoints healthy so that fewer endpoints become infected and potentially impact the network through port scanning and other misbehavior. The protection provided by NEA alone is not absolute. Healthy endpoints can be vulnerable to a zero-day attack. And NEA on its own provides no protection against lying endpoints and no protection against hosts that don't participate in NEA protocols. But it's a lot better than today's situation where some endpoints are completely unprotected with patches or anti-virus software.

Second, NEA can be used with technology for detecting lying endpoints. This prevents compromised systems from lying to gain access to the network, thus providing a huge improvement in network security. I recognize that technology for detecting lying endpoints is out of scope for the NEA effort but we shouldn't pretend that it doesn't exist. Without NEA or similar protocols, it will be hard to integrate lying endpoint detection systems into network access control. That's why the NEA BOF in Montreal agreed to include language in the charter saying that "the protocols developed by the NEA WG must be designed to accommodate emerging technologies for identifying and dealing with lying endpoints."

Third, endpoints that don't initially participate in NEA protocols can be quarantined for further examination with an external vulnerability scanner or a dynamically downloaded NEA client. Again, this is not part of the proposed NEA WG charter but it is another example of ways that NEA can be used with other security technologies to improve network security.

To summarize, the NEA protocols will increase network security on their own. When combined with other technologies, the increase in network security is much greater. But either way it is not accurate to say that NEA is not a protection mechanism for networks.

Thanks,

Steve