
RE: The Emperor Has No Clothes: Is PANA actually useful?

2006-05-26 11:32:33
On Fri, 26 May 2006, Gray, Eric wrote:

For those of us that are just trying to follow this discussion,
what does the word "posture" mean in this context?

according to draft-thomson-nea-problem-statement-02.txt

"Posture: Posture refers to the hardware or software configuration of
   an endpoint as it pertains to an organization's security policy.
   Posture may include knowledge about the types of hardware and
   software installed and their configurations, e.g.  OS name and
   version, application patch levels, and anti-virus signature file
   version."



--
Eric

--> -----Original Message-----
--> From: Narayanan, Vidya [mailto:vidyan(_at_)qualcomm(_dot_)com]
--> Sent: Friday, May 26, 2006 2:05 PM
--> To: Sam Hartman; Bernard Aboba
--> Cc: ietf(_at_)ietf(_dot_)org
--> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
-->
--> >
--> > >>>>> "Bernard" == Bernard Aboba <aboba(_at_)internaut(_dot_)com> writes:
--> >
--> >     >> My question is more why do they need EAP in situations where
--> >     >> they are not running at the link layer than why do they want or
--> >     >> not want PANA.
--> >
--> >     Bernard> The simple answer is that there are situations which IEEE
--> >     Bernard> 802.1X cannot handle on wired networks.  As specified,
--> >     Bernard> IEEE 802.1X is "network port control", which means that
--> >     Bernard> authorization is controllable only at the port level.  If
--> >     Bernard> there is more than one host connected to a switch port,
--> >     Bernard> then that model no longer applies.
--> >
--> > Yeah.  I guess I wonder whether you are actually getting
--> > network access authentication at that point or whether you
--> > are getting a service that allows you to check posture.  It
--> > seems that a service that simply allows you to check posture
--> > should be not EAP.
--> >
-->
-->
--> I fully agree. As far as I can tell, using EAP in this manner merely
--> reduces it to a posture transport protocol. The level of security
--> provided by EAPoUDP does not seem to be any greater than a
--> Kerberos-based authentication done today in most enterprise networks,
--> considering the presence of switched Ethernet. Hence, the only reason to
--> move to EAPoUDP would be to check posture and I agree with Sam that
--> making EAP the posture transport protocol is a bad idea.
-->
--> Vidya
-->
-->
--> > _______________________________________________
--> > Ietf mailing list
--> > Ietf(_at_)ietf(_dot_)org
--> > https://www1.ietf.org/mailman/listinfo/ietf
--> >



--
Lucy E. Lynch                           Academic User Services
Computing Center                        University of Oregon
llynch  @darkwing.uoregon.edu           (541) 346-1774
