Re: [Nea] REQ: Section 3




Paul Sangster wrote:

> For -00 it seemed reasonable to talk about both sides of the "and/or" so
> the WG could decide whether to allow it to remain.  Please note the "or
> expected to conform to the policies set forth by the organization"
> phrase.  We certainly welcome dialog on whether the spec went too far (or
> not far enough) in this regard.

  Both sides of the "and/or" involve endpoints, not networks.  The
charter is clear: enterprise networks, client endpoints.  The
requirements document discusses non-enterprise networks as being
applicable for NEA.  I believe such non-enterprise networks are out of
scope.

> Does the WG believe we should not claim that scenarios where the
> Endpoint is Owned by a different party than the Owner of the network
> must always be out of scope?

  No.  It is a charter requirement that the ownership of endpoints can
be different than the ownership of the enterprise networks.

>> The requirements document SHOULD say that the ISP, etc.
>> scenarios are explicitly not being considered.  The document
>> SHOULD say that NEA SHOULD NOT be used in those scenarios.
> 
> The text gives an ISP oriented example in paragraph 4 and says "NEA is
> not expected to be applicable"  We could consider making the language
> stronger if necessary.

 Please do so.  It should be clear that the ISP deployment of NEA is
forbidden due to unknown security, privacy, and legal concerns.  And we
don't have time to discuss those issues, so they won't be resolved here.

> It's my impression that this document provides context and requirements
> for NEA protocol selection by the NEA WG.  The text suggested reads like
> a normative requirement applying to the deployer and not to the NEA WG
> selection of appropriate protocols for NEA.

  It does both.  The protocol needs to include the capability that an
endpoint can decline an NEA protocol exchange, likely with more than
simple silence.

>  Could this be reworded to
> state the NEA WG intentions for how we envision NEA's use (and what it
> was designed for) without 2119 language?

  Likely, yes.  I can't suggest much right now.

> Again expanding the "..." which seems to be causing confusion the "..."
> reads:

> That is what this text (see the expanded "..." text above) says.  We're
> stating where NEA is not applicable in this paragraph.  I'm open to
> mentioning the charter of our WG if that adds clarity to our NEA
> protocol selection process.

  My concern is less with the elided text than with the phrase "is not
expected to".  It reads as "we expect to follow the charter
requirements", which is more open to non-charter work than "we will
follow the charter requirements".

> Can you suggest a different word than "intends" which makes it more clear
> that we aren't planning to include this in our scope.  We could change
> the last phrase to "so the NEA WG will not address such areas."

  Yes.

> Ok, it was trying to say there are 3 parties involved and if they have
> different owners they need to have a contract-based expectation of
> conformance and willingness to expose information with each other or
> this scenario is not applicable.  Will reword.

  So the parties are: endpoint, network infrastructure owner, and
network service provider.

  Are we really saying that enterprise networks have two owners, who
don't mutually disclose security policies?  I don't understand.  What
use-case is satisfied by modeling the enterprise network this way?

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea