Re: Fwd: [Nea] Re: use of a design team to develop requirements

To: Keith Moore <moore at cs.utk.edu>
Subject: Re: Fwd: [Nea] Re: use of a design team to develop requirements
From: Alan DeKok <aland at deployingradius.com>
Date: Wed, 13 Dec 2006 19:20:25 -0800
Cc: nea at ietf.org
In-reply-to: <4580A75D.5020609@cs.utk.edu>
List-archive: <http://www1.ietf.org/pipermail/nea>
List-help: <mailto:nea-request@ietf.org?subject=help>
List-id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-post: <mailto:nea@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
References: <A6398B0DB62A474C82F61554EE93728701DB40C6@proton.jnpr.net> <4579EDA2.1050104@cs.utk.edu> <tslbqm9i40a.fsf@cz.mit.edu> <457ECD5D.8040906@cs.utk.edu> <457F059C.2010200@deployingradius.com> <a96eb4980612130657t3ea507fbv64de2c8f630c0438@mail.gmail.com> <a96eb4980612130950l6f7bbebbhefa294c3d735f75a@mail.gmail.com> <45804574.9040400@deployingradius.com> <a96eb4980612131139m17843741vd73034cc07e0b229@mail.gmail.com> <20061213155159.b457af48.moore@cs.utk.edu> <a96eb4980612131442s6c09d2deg74aa68322941968a@mail.gmail.com> <45808B42.8000802@cs.utk.edu> <45809601.80105@deployingradius.com> <4580985A.1000002@cs.utk.edu> <45809C79.6090309@deployingradius.com> <4580A75D.5020609@cs.utk.edu>
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)

Keith Moore wrote:
>>   Which is why *informative* protocols are much more robust than ones
>> that perform queries.
> 
> the word "informative" seems rather vague.

  I'm trying to come up with useful vocabulary for behaviors that aren't
currently well described.

  What I mean is that many IETF protocols involve the client sending a
list of attributes/values to a server, which thinks about the data, and
sends a response.  I've called this "informative", in that the client
informs the server of what it has, and the server informs the client of
the response.

 PPP, RADIUS, and many other protocols work like this.  There is no
explicit query in the protocol (which is currently an ongoing problem in
RADIUS).  Contrast those protocols with LDAP or SQL, where the intent is
to permit nearly arbitrary queries.

> somehow I think the concept of a remediation network really should be
> out of scope for the NEA discussion.  we understand that this is one way
> that NEA might be used, of course, but the idea that there should be a
> separate remediation network seems very shortsighted from an
> architectural perspective.  also, in some cases (zero-day exploits)
> remediation may not be immediately possible.

  Yes.  Remediation can be done as part of gaining network access
(you're at patchlevel X?  Here's patch Y...), but existing network
access protocols can't carry arbitrary amounts of data.  So some kind of
network access is required to perform remediation, but they can't be
allowed on the network until they have gone through the remediation process.

  But I do *not* think it's desirable or even useful to design NEA such
that it can carry arbitrary amounts of data for remediation.  We already
have too many network protocols that have turned into IP tunnels.

  And for zero-day exploits, shutting down the network may be cheaper
than having it destroyed by an attacker.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

References:
- [Nea] Draft minutes from IETF 67 NEA WG meeting
  - From: Stephen Hanna
- [Nea] use of a design team to develop requirements
  - From: Keith Moore
- [Nea] Re: use of a design team to develop requirements
  - From: Sam Hartman
- [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore

Prev by Date: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Next by Date: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Previous by thread: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Next by thread: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Index(es):
- Date
- Thread

Re: Fwd: [Nea] Re: use of a design team to develop requirements

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.