Re: [Nea] UPDATED: WG Review: Network Endpoint Assessment (nea)



my argument is that standardization of NEA as it is currently understood (whether through IETF or as a vendor de facto standard) would be a bad thing for the Internet community because it would enable more networks to impose draconian policies that were harmful to users.

Again, what about the owners of the networks involved? Or the people who own the machines the users are using? It is perfectly reasonable for an enterprise to control access to its network. Doing so across heterogeneous platforms requires standards-based solutions.

I don't accept as an axiom that it's perfectly reasonable for an enterprise to control access to its network based on whether the hosts that attach to the network are willing to run spyware. The reason we have standards for networking is so that a wide variety of hosts can attach to those networks and a wide variety of applications can run on those hosts. NEA defeats the very purpose of network standardization.


  Forcing people to authenticate themselves through PPP before they
access an ISP's services can be viewed as a draconian limitation on
their freedoms.  So?  There's a gray area... where do we draw the line?

like any other decision we make in IETF - we each choose what in our best personal judgment is best for the Internet as a whole. whatever consensus results from that set of individual choices is what we end up with. I'm arguing against standardizing spyware. I don't think it's hard to understand why standardized spyware is a bad idea.


for instance, if NEA were defined in such a way that the protocol was incapable of asking any questions of a host that were not themselves standardized, or were defined in such a way that there was no way for a host to sign its answers to questions (so that any host would be capable of lying). but I have a hard time seeing IETF defining NEA in that way.

Hmm... those requirements would effectively define NEA to be useless.

indeed. but if we are left to choose between expending effort to produce something useless, expending effort to produce something harmful, and not expending any effort, the last option seems like the best one.


I'm not sure any NEA variant will be applied to access networks.

yup. pretend it's not a problem, and maybe the problem will go away.

Let's turn off all network access controls, then.

there's a broad consensus that access controls at their current level of precision are useful and generally beneficial. there's not (afaik) a broad consensus that access controls at the level of precision facilitated by NEA are a good thing.


There has to be a happy medium in between completely open and
completely locked down.

maybe we've already reached it, or something close to it.

maybe NEA is going down a completely wrong path. a major premise behind NEA seems to be that networks can be made more secure if host operating systems and applications are kept at a current patch level. however we know from empirical evidence that the number of bugs in software tends (after an initial decrease) to increase over time (especially if new features are added, as is almost inevitable for any product that continues to be supported). maybe investing in an NEA solution is like a cat trying to chase its tail - an investment of effort that is not only wasted but results in additional burdens that persist long after the investment is made.

we got ourselves into this mess because (a) the market chose a woefully insecure operating system as a de facto standard, (b) the vendor of that woefully insecure operating system failed to implement even the most basic of the security recommendations in MIME and other standards, and (c) that same vendor waited approximately 15 years after the rest of the industry (i.e. after the Morris worm) to start taking security seriously. now you're proposing that other kinds of hosts be crippled and essentially taxed to make up for the market's lack of foresight and the gross negligence of that vendor. yes, it's true that security holes exist on virtually all platforms, but no other platform has the combination of gross negligence and a monoculture that makes windoze such a fertile ground for malware. (and maybe vista will be better, but that remains to be seen...we've heard that before)


--

let's back up a bit.

I would be the first to say that the biggest threat to an enterprise network is from the hosts that attach to it. I'm very sympathetic to the idea that a network can to a useful degree protect itself, and other hosts on that network, from attack if it has better mechanisms to establish the trustworthiness of those hosts and the software that runs on those hosts. However, I also see numerous potential problems associated with a mechanism that tries to establish that trustworthiness by examining the configurations of those hosts. What I'm saying is, it's not acceptable to dismiss or overlook those problems. They're real. And there's a very real potential for NEA doing more harm than good unless those problems are understood and addressed. We in IETF have accepted a responsibility to do what we believe is best for the Internet as a whole, and it's hard to understand how we can be doing that if we're deliberately overlooking problems that have this much potential for harm.

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.