RE: [Nea] UPDATED: WG Review: Network Endpoint Assessment (nea)

> -----Original Message-----
> From: Alan DeKok [mailto:aland at deployingradius.com] 
> Sent: Tuesday, October 24, 2006 11:29 AM
> To: Keith Moore
> Cc: nea at ietf.org; iesg at ietf.org; ietf at ietf.org
> Subject: Re: [Nea] UPDATED: WG Review: Network Endpoint 
> Assessment (nea) 
> 
> Keith Moore <moore at cs.utk.edu> wrote:
> > I don't think it's a good analogy because modem pools are very 
> > special-purpose devices, whereas a host can potentially do anything 
> > that needs to communicate with something else.  For that matter, 
> > RADIUS doesn't have the intent of preventing some kinds of modem pools
> > from connecting to the network.
> 
>   No, but it has the explicit intent of preventing some kinds 
> of hosts from connecting to the network.  Current RADIUS 
> deployments implement almost anything you can imagine to 
> control network access for hosts and/or users, down to 
> filtering the user's network traffic.  Current RADIUS 
> deployments *already* do ad-hoc posture assessment, there are 
> a number of startups implementing this today.
> 
>   I don't see how NEA is such a big philosophical change from 
> existing RADIUS practices.
> 

I can sort of buy the analogy to RADIUS, although the AAA protocols are
intended to do a lot more (the third "A" for instance). However, RADIUS
doesn't inherently claim any security properties, while NEA seems to.
RADIUS (or Diameter, for that matter) cannot really guarantee any level
of security for network access control - that is dependent on what is
carried in RADIUS (sometimes, a couple of levels down - e.g., EAP Method
over EAP over RADIUS, where the strength is really dependent on the EAP
method). Also, the strength of the second "A" in AAA depends on the kind
of authorization policies in place. AAA is just a framework facilitating
these - not a protocol that has some security claims to it. 

Vidya
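Worked example, added here and not part of the thread or of any product the thread mentions: the layering the message above describes (EAP method over EAP over RADIUS) built and parsed in Python, following the packet formats of RFC 2865, RFC 3748 and RFC 3579. The shared secret, user name and Request Authenticator are constructed values. It shows what the RADIUS layer itself checks (Message-Authenticator, an HMAC-MD5 with the shared secret, over one hop) and what it cannot see: the EAP method number inside EAP-Message is just a byte to RADIUS, and anyone holding the hop secret can rewrite the EAP payload and re-sign it. Any security property of the exchange therefore comes from the EAP method, not from RADIUS.

```python
"""Added example: RADIUS Access-Request carrying EAP (not code from the thread)."""
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP Response code and a few method type numbers (RFC 3748, IANA EAP registry)
EAP_RESPONSE = 2
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
                  25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap_response(identifier, eap_type, type_data):
    """EAP Response: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier,
                       5 + len(type_data), eap_type) + type_data


def radius_attr(attr_type, value):
    """RADIUS TLV: Type(1) Length(1, counts the 2 header bytes) Value."""
    assert len(value) <= 253, "RADIUS attribute value is limited to 253 bytes"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _find_attr(packet, wanted):
    """Return the offset of the first attribute of the given type."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == wanted:
            return pos
        pos += attr_len
    raise ValueError("attribute %d not present" % wanted)


def sign_message_authenticator(secret, packet):
    """Message-Authenticator = HMAC-MD5(secret, packet with that attribute's
    16-byte value zeroed), RFC 3579 section 3.2. Whoever holds the hop secret
    (NAS, proxy, server) can compute this for any packet content."""
    packet = bytes(packet)
    pos = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:pos + 2] + mac + packet[pos + 18:]


def build_access_request(secret, identifier, authenticator, username, eap_packet):
    """RADIUS only carries EAP: the EAP packet is split into opaque EAP-Message
    attributes, then the whole packet is signed for this hop."""
    attrs = radius_attr(ATTR_USER_NAME, username)
    for i in range(0, len(eap_packet), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return sign_message_authenticator(secret, header + attrs)


def parse_access_request(secret, packet):
    """Everything the RADIUS layer can establish: the hop MAC verifies under
    the shared secret, and which EAP method number is inside. No more."""
    packet = bytes(packet)
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    try:
        hop_ok = hmac.compare_digest(sign_message_authenticator(secret, packet), packet)
    except ValueError:          # no Message-Authenticator: nothing to verify
        hop_ok = False
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # reassemble fragments
    eap_type = eap[4] if len(eap) >= 5 else None
    return {
        "code": code,
        "identifier": identifier,
        "user_name": next((v for t, v in attrs if t == ATTR_USER_NAME), None),
        "hop_integrity_ok": hop_ok,
        "eap_type": eap_type,
        "eap_method": EAP_TYPE_NAMES.get(eap_type, "unknown"),
        "eap_type_data": eap[5:],
    }


if __name__ == "__main__":
    secret = b"testing123"             # constructed shared secret
    authenticator = bytes(range(16))   # constructed Request Authenticator (random in practice)
    eap = build_eap_response(1, 1, b"alice")                       # EAP Response/Identity
    pkt = build_access_request(secret, 7, authenticator, b"alice", eap)
    print(parse_access_request(secret, pkt))
    # Flip one byte of the EAP Type-Data: the hop MAC catches it ...
    forged = bytearray(pkt)
    forged[_find_attr(pkt, ATTR_EAP_MESSAGE) + 2 + 5] ^= 0x01
    print(parse_access_request(secret, forged)["hop_integrity_ok"])
    # ... unless the tamperer holds the hop secret and re-signs, e.g. a proxy.
    resigned = sign_message_authenticator(secret, forged)
    print(parse_access_request(secret, resigned)["hop_integrity_ok"])
```

The parser deliberately stops at the method type byte: a RADIUS server that is not also the EAP server has no way to judge whether the method inside (Identity, MD5-Challenge, EAP-TLS, ...) gives mutual authentication or keying, which is exactly why the strength of the exchange is a property of the EAP method and of the policy that accepts it, not of RADIUS.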

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.