Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use of a design team to develop requirements)

Keith Moore wrote:
> not clear.  at least the format of the profiles needs to be
> standardized, IMHO, otherwise there's no capability for interoperation
> and no point to having an NEA standard.

  Yes.

> ...  that
> implies to me that the profile downloading should be able to happen via
> NEA, rather than introduce a situation where NEA can't tell whether a
> client is trustworthy or not because the client doesn't have a current
> profile.

  My main concern with this is that NEA is *before* the machine obtains
full network access.  So... how does it download potentially megabytes
of updates?  IP tunneling inside of NEA?  Yuck...

> what do you mean by "real networks"?  do you assume that NEA will
> operate over something besides TCP/IP? TCP seems perfectly capable of
> carrying enough data to transmit an NEA profile.

  No, I mean TCP/IP shouldn't operate over NEA.  That way lies madness.

  Remediation must use TCP/IP to download updates, but it can't use a
public/open network (otherwise you wouldn't be using NEA).  The
remediation process therefore must severely limit the capability of the
client's network connection.  This can be done via a quarantine network
as people do today.  Or, it can be done via massive & dynamically updated
filter rules, which are fragile and difficult to administer.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea