Lucy,
Thanks!
--
E
--> -----Original Message-----
--> From: Lucy E. Lynch [mailto:llynch(_at_)darkwing(_dot_)uoregon(_dot_)edu]
--> Sent: Friday, May 26, 2006 2:31 PM
--> To: Gray, Eric
--> Cc: Narayanan, Vidya; Sam Hartman; Bernard Aboba; ietf(_at_)ietf(_dot_)org
--> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
-->
--> On Fri, 26 May 2006, Gray, Eric wrote:
-->
--> > For those of us that are just trying to follow this discussion,
--> > what does the word "posture" mean in this context?
-->
--> according to draft-thomson-nea-problem-statement-02.txt
-->
--> "Posture: Posture refers to the hardware or software configuration of
--> an endpoint as it pertains to an organization's security policy.
--> Posture may include knowledge about the types of hardware and
--> software installed and their configurations, e.g. OS name and
--> version, application patch levels, and anti-virus signature file
--> version."
-->
-->
-->
--> > --
--> > Eric
--> >
--> > --> -----Original Message-----
--> > --> From: Narayanan, Vidya [mailto:vidyan(_at_)qualcomm(_dot_)com]
--> > --> Sent: Friday, May 26, 2006 2:05 PM
--> > --> To: Sam Hartman; Bernard Aboba
--> > --> Cc: ietf(_at_)ietf(_dot_)org
--> > --> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
--> > -->
--> > --> >
--> > --> > >>>>> "Bernard" == Bernard Aboba <aboba(_at_)internaut(_dot_)com> writes:
--> > --> >
--> > --> > >> My question is more why do they need EAP in situations where
--> > --> > >> they are not running at the link layer than why do they want or
--> > --> > >> not want PANA.
--> > --> >
--> > --> > Bernard> The simple answer is that there are situations which IEEE
--> > --> > Bernard> 802.1X cannot handle on wired networks. As specified,
--> > --> > Bernard> IEEE 802.1X is "network port control", which means that
--> > --> > Bernard> authorization is controllable only at the port level. If
--> > --> > Bernard> there is more than one host connected to a switch port,
--> > --> > Bernard> then that model no longer applies.
--> > --> >
--> > --> > Yeah. I guess I wonder whether you are actually getting
--> > --> > network access authentication at that point or whether you
--> > --> > are getting a service that allows you to check posture. It
--> > --> > seems that a service that simply allows you to check posture
--> > --> > should be not EAP.
--> > --> >
--> > -->
--> > -->
--> > --> I fully agree. As far as I can tell, using EAP in this manner merely
--> > --> reduces it to a posture transport protocol. The level of security
--> > --> provided by EAPoUDP does not seem to be any greater than a
--> > --> Kerberos-based authentication done today in most enterprise networks,
--> > --> considering the presence of switched Ethernet. Hence, the only reason
--> > --> to move to EAPoUDP would be to check posture and I agree with Sam that
--> > --> making EAP the posture transport protocol is a bad idea.
--> > -->
--> > --> Vidya
--> > -->
--> > -->
-->
--> --
--> Lucy E. Lynch Academic User Services
--> Computing Center University of Oregon
--> llynch @darkwing.uoregon.edu (541) 346-1774
-->
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
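The limitation Bernard describes in the quoted thread (802.1X as specified authorizes a physical port, so a second host sharing that port rides on the first host's authentication) is easy to see in a small model. The following is an added illustration, not code from the thread or from any 802.1X implementation: the switch, the two hosts behind a hub on port 1, the frames and the EAP-Success event are all constructed here, and the "host" policy is a simplified stand-in for per-source-MAC authorization rather than a description of any vendor's feature. The MAC-spoofing case at the end is my own addition to show that per-MAC authorization only narrows the gap; it is not authentication of the second host either.

```python
"""
Model of IEEE 802.1X port-based control versus per-host authorization
when more than one host shares a switch port.  Added example; the
switch, hosts and frames are constructed, and "host" policy is an
assumed, simplified per-MAC authorization model, not a vendor feature.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str   # source MAC as seen by the switch
    port: int      # physical switch port the frame arrived on
    payload: str


@dataclass
class Switch:
    # "port": one authorized/unauthorized state per physical port
    #         (802.1X "network port control" as specified)
    # "host": a separate state per (port, source MAC) pair (assumed model)
    policy: str = "port"
    authorized_ports: set = field(default_factory=set)
    authorized_hosts: set = field(default_factory=set)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def eapol_success(self, port: int, src_mac: str) -> None:
        """Authenticator learned EAP-Success for the supplicant at src_mac."""
        if self.policy == "port":
            self.authorized_ports.add(port)
        else:
            self.authorized_hosts.add((port, src_mac))

    def receive(self, frame: Frame) -> bool:
        """Forward the frame if the controlling state allows it."""
        if self.policy == "port":
            allowed = frame.port in self.authorized_ports
        else:
            allowed = (frame.port, frame.src_mac) in self.authorized_hosts
        (self.forwarded if allowed else self.dropped).append(frame)
        return allowed


def run_scenario(policy: str) -> dict:
    """Hosts A and B sit behind a hub on port 1; only A runs a supplicant."""
    sw = Switch(policy=policy)
    a_mac = "00:11:22:33:44:aa"   # constructed addresses
    b_mac = "00:11:22:33:44:bb"
    results = {}
    results["a_before"] = sw.receive(Frame(a_mac, 1, "A before auth"))
    results["b_before"] = sw.receive(Frame(b_mac, 1, "B before auth"))
    sw.eapol_success(port=1, src_mac=a_mac)          # only A authenticates
    results["a_after"] = sw.receive(Frame(a_mac, 1, "A after auth"))
    results["b_after"] = sw.receive(Frame(b_mac, 1, "B after auth"))
    # B forges A's source MAC: a per-MAC state cannot tell them apart
    results["b_spoofing_a"] = sw.receive(Frame(a_mac, 1, "B pretending to be A"))
    return results


if __name__ == "__main__":
    for policy in ("port", "host"):
        print(policy, run_scenario(policy))
```

Under the port policy, B's traffic is forwarded as soon as A authenticates, which is the case the thread says 802.1X "cannot handle". Under the per-host policy B is dropped until it spoofs A's MAC, at which point it is forwarded again: the switch is authorizing an address, not a host, which is why the thread's question of whether this is really network access authentication, or just a channel for checking posture, is a fair one.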