Re: [Nea] Re: use of a design team to develop requirements

To: Alan DeKok <aland at deployingradius.com>
Subject: Re: [Nea] Re: use of a design team to develop requirements
From: John Vollbrecht <jrv at umich.edu>
Date: Mon, 18 Dec 2006 14:27:38 -0500
Cc: Keith Moore <moore at cs.utk.edu>, nea at ietf.org
In-reply-to: <4586D002.3050800@deployingradius.com>
List-archive: <http://www1.ietf.org/pipermail/nea>
List-help: <mailto:nea-request@ietf.org?subject=help>
List-id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-post: <mailto:nea@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
References: <A6398B0DB62A474C82F61554EE93728701DB40C6@proton.jnpr.net> <a96eb4980612130657t3ea507fbv64de2c8f630c0438@mail.gmail.com> <a96eb4980612130950l6f7bbebbhefa294c3d735f75a@mail.gmail.com> <45804574.9040400@deployingradius.com> <a96eb4980612131139m17843741vd73034cc07e0b229@mail.gmail.com> <20061213155159.b457af48.moore@cs.utk.edu> <a96eb4980612131442s6c09d2deg74aa68322941968a@mail.gmail.com> <4580993D.1070405@deployingradius.com> <a96eb4980612131635y15836e24n48d43d2b6bfa0814@mail.gmail.com> <4580A0C4.2000605@cs.utk.edu> <a96eb4980612131715w22400d97j80624eab057ed24e@mail.gmail.com> <4586D002.3050800@deployingradius.com>


On Dec 18, 2006, at 12:29 PM, Alan DeKok wrote:

Mike Fratto wrote:
If the protocol can be designed that prevents open ended queries while still allowing queries,
  What kind of queries?  Do you have examples?
And I still don't see why *any* queries are required. Look at the target deployments specified by the charter, the enterprise admin "owns" the machines. So there is *always* a way for that admin to inform the machines off-line what information is required. This can be done when the machines are first configured, or as part of a remediation update.

i.e. remediation updates inform the machines of updates to local site policy. Updates to virus scanners, etc. are just subsets of updates to the local site policy. The updates will also include statements sycg as "install new software program X, and when you reconnect, tell me what it says."
  Requiring queries in the NEA protocol looks to me like the intended
deployment scenarios are *outside* of the scenarios described in the
charter.

I have assumed that the network could require information to allow access. The user could also refuse to provided certain information. The result on the network side might be to allow only access to a remediation network. The result on the user side might be to only allow the user to connect to a particular web site. The point is that policy exists at both places.

The value of queries  to at least some people is the reason for the wg.

Any protocol could be used for nefarious purposes. I don't think that
there is need for alarm that the work of the NEA will be abused any
more than any other protocol.


   Most network access protocols (PPP, DHCP, RADIUS, etc.) do NOT
support queries.  If the NEA protocol supports queries, it *will* be
abused more than protocols that do not support queries.

That conclusion is inescapable: The more functionality exists in a protocol, the more potential for abuse. We should therefore be careful to put only required functionality into NEA, and nothing more.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea

Follow-Ups:
- NEA requirements (was Re: [Nea] Re: use of a design team to develop requirements)
  - From: Alan DeKok

References:
- [Nea] Draft minutes from IETF 67 NEA WG meeting
  - From: Stephen Hanna
- Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develop requirements
  - From: Alan DeKok

Prev by Date: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Next by Date: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)
Previous by thread: Re: Fwd: [Nea] Re: use of a design team to develop requirements
Next by thread: NEA requirements (was Re: [Nea] Re: use of a design team to develop requirements)
Index(es):
- Date
- Thread

Re: [Nea] Re: use of a design team to develop requirements

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.