> -----Original Message----- > From: Alan DeKok [mailto:aland@xxxxxxxxxxxxxxxxxxx] > Sent: Tuesday, October 24, 2006 11:29 AM > To: Keith Moore > Cc: nea@xxxxxxxx; iesg@xxxxxxxx; ietf@xxxxxxxx > Subject: Re: [Nea] UPDATED: WG Review: Network Endpoint > Assessment (nea) > > Keith Moore <moore@xxxxxxxxxx> wrote: > > I don't think it's a good analogy because modem pools are very > > special-purpose devices, whereas a host can potentially do anything > > that needs to communicate with something else. For that matter, > > RADIUS doesn't have the intent of preventing some kinds of > modem pools > > from connecting to the network. > > No, but it has the explicit intent of preventing some kinds > of hosts from connecting to the network. Current RADIUS > deployments implement almost anything you can imagine to > control network access for hosts and/or users, down to > filtering the users network traffic. Current RADIUS > deployments *already* do ad-hoc posture assessment, there are > a number of startups implementing this today. > > I don't see how NEA is such a big philosophical change from > existing RADIUS practices. > I can sort of buy the analogy to RADIUS, although the AAA protocols are intended to do a lot more (the third "A" for instance). However, RADIUS doesn't inherently claim any security properties, while NEA seems to. RADIUS (or Diameter, for that matter) cannot really guarantee any level of security for network access control - that is dependent on what is carried in RADIUS (sometimes, a couple of levels down - e.g., EAP Method over EAP over RADIUS, where the strength is really dependent on the EAP method). Also, the strength of the second "A" in AAA depends on the kind of authorization policies in place. AAA is just a framework facilitating these - not a protocol that has some security claims to it. Vidya _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf