On Oct 12, 2006, at 2:27 PM, Darryl ((Dassa)) Lynch wrote:
> Am I mistaken or is NEA intended to be a compliance check before a
> node is allowed onto the network?

It seems impractical to specify system requirements or expect a
suitable examination be done in real time prior to obtaining access. NEA
should be seen more as a notification process with the goal of
avoiding self-inflicted trouble tickets. Bad actors will always be
able to falsify this information, so the NEA does not offer protection.

> As such, observed behaviour and application abuse would seem to be
> issues that would be dealt with by other tools.

Agreed. When these other tools withdraw services after bad behavior
is detected, NEA can notify the endpoint nothing is malfunctioning,
but rather these services have been withheld. A selection of
certificates may then be required before additional (or any) services
are subsequently granted. The NEA should be viewed as a process
that eliminates many of the security related support calls.
> NEA may be used to ensure certain applications are installed and
> some other characteristics of the node but actual behaviour may not
> be evident until such time as the node has joined the network and
> would be beyond the scope of detection by NEA IMHO. NEA may be
> used to assist in limiting the risk of such behaviour but that is
> about the extent of it that I see.

It seems impractical to expect NEA will prevent bad actors from
producing the expected results. There is little that prevents the
NEA from providing falsified information. There are anti-virus and
OS updating services that could produce a certificate that includes:
1) certificate creator for validation
2) a time-stamp
3) class
4) the user/host identifier
5) resources required for updating the certificate
It seems unwise to expect an endpoint to open their robes to the
access point. However, the access point could offer certification
services they require prior to granting access. This service may be
something as simple as agreeing to the AUP presented on a web-form,
or agreeing to remedy the cause of abusive behavior.
The NEA should also be helpful in deciding whether a range of
services are acceptable, and how this can be changed. Perhaps
different certificates are required before specific services are
granted. Rather than talking about the posture of the endpoint,
consider the NEA to be little more than a repository for time-sensitive
compliance certificates offering just the five points listed.

> My reading of the charter gives me the impression NEA is only
> intended for a specific task and some of what we have been
> discussing seems to extend well beyond the limited scope proposed.

It seems that the NEA charter delves into too many details. The NEA
can act as a bidirectional notification of services. From the access
standpoint, these are services granted and compliance services
required to upgrade what is being granted. From the endpoint
standpoint, their certificates indicate which compliance services
have been previously obtained, and the resources needed to renew
these certificates when they are considered out-of-date by the access
point.
-Doug
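As an added illustration of the model sketched in this reply (example code, not from the thread or from any NEA specification): an access point that treats NEA as a repository of time-sensitive compliance certificates carrying the five listed fields, grants services per fresh certificate, and tells the endpoint where to renew any stale or missing one. The creator keys, certificate classes, freshness windows and class-to-service mapping are all assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy data (assumed, not from the message or any spec).
CREATOR_KEYS = {"av-vendor": b"av-shared-secret", "os-updater": b"os-shared-secret"}
MAX_AGE = {"antivirus": 24 * 3600, "os-patch": 7 * 24 * 3600}   # freshness per class, seconds
SERVICES_BY_CLASS = {"antivirus": {"email", "web"}, "os-patch": {"vpn"}}

@dataclass
class ComplianceCert:
    creator: str     # 1) certificate creator, used for validation
    timestamp: int   # 2) time-stamp (epoch seconds)
    cls: str         # 3) class
    host_id: str     # 4) user/host identifier
    renew_url: str   # 5) resource required for updating the certificate
    mac: str = ""    # creator's tag over the five fields (HMAC stands in for a signature)

    def payload(self) -> bytes:
        return f"{self.creator}|{self.timestamp}|{self.cls}|{self.host_id}|{self.renew_url}".encode()

def issue(cert: ComplianceCert, key: bytes) -> ComplianceCert:
    """Creator side: tag the certificate so the access point can validate who issued it."""
    cert.mac = hmac.new(key, cert.payload(), hashlib.sha256).hexdigest()
    return cert

def valid(cert: ComplianceCert, now: int) -> bool:
    """Access point side: known creator, intact tag, and not older than the class allows.
    This validates the creator, not the endpoint's honesty towards that creator."""
    key = CREATOR_KEYS.get(cert.creator)
    if key is None:
        return False
    expected = hmac.new(key, cert.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(cert.mac, expected):
        return False
    return now - cert.timestamp <= MAX_AGE.get(cert.cls, 0)

def evaluate(certs: list, host_id: str, now: int):
    """Bidirectional notification: (services granted, compliance services required to upgrade)."""
    granted, required = set(), {}
    fresh = {c.cls for c in certs if c.host_id == host_id and valid(c, now)}
    for cls, services in SERVICES_BY_CLASS.items():
        if cls in fresh:
            granted |= services
        else:
            # Stale, forged or missing: point the endpoint at the renewal resource.
            urls = [c.renew_url for c in certs if c.cls == cls and c.host_id == host_id]
            required[cls] = urls[0] if urls else "<renewal resource supplied by access-point policy>"
    return granted, required
```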
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf