Hi Vidya
Inline ...
<snip>
How about adding this text - "It should be noted that the networks at
large are exposed to attacks from lying endpoints and
external entities
attaching to the networks as well as any problems arising from unknown
vulnerabilities on NEA compliant endpoints. Hence, NEA must not be
considered a protection mechanism for networks. Further, mechanisms
needed to protect the network from all kinds of vulnerabilities are
expected to be a superset of any protection that may be achieved by
employing NEA"?
It seems to me that this better belongs in a security considerations
section of the NEA spec, especially given where we are in the review
cycle and the amount of time spent on this specific section already.
<snip>
Bearing the original motivation in mind, would the following
work better?
"An organization may make a range of policy decisions based
on the posture of an endpoint. NEA is not intended to be
prescriptive in this regard. For example, potential
deployment scenarios may include,but are not limited to,
providing normal access regardless of compliance with
recommendations for remediation ("advisory mode"), as well as
providing restricted access sufficient for remediation
purposes and any essential services until an endpoint is in
compliance ("mandatory mode").
I'm not sure that the charter actually needs to get into the modes at
all - I'm guessing what happens after NEA (i.e., what is done with the
results from NEA) has zero impact on any work being done in
NEA itself.
So, why not simply state something like "Once NEA is conducted on an
endpoint, the results may be used by an organization in
accordance with
any policies of the organization itself."?
Again, the text was added at the request of the security AD. I have no
problem with Sam Hartman's modification to the text I proposed, your
text above, or none at all.
<snip>
That is not necessarily putting any requirements in the choice of the
mandatory to implement protocol itself, as I see it. I believe that
stating something like "The mandatory to implement PT protocol must be
generic enough to allow the execution of the NEA procedure without
forcing the need to re-execute network access procedures".
I think protocol requirements belong in the requirements I-D.
<snip>
Not only do I not see anything in the charter or milestones that
indicates that the WG is going to spend time exploring this,
I strongly
believe this WG should not be spending any time looking at this. The
trust models for the cases where the devices are not owned by the
organization performing NEA are hugely different and can take
up its own
WG to actually find something that applies there, if at all. For one,
this could be considered a violation of privacy by the user of the
device. Secondly, the end user's perspective of attacks may
be entirely
different from the organization's perspective in this case. Third, I
simply can't see what the organization's interests would be in
protecting a device that doesn't even belong to it. Last but not the
least, this requires the endpoint to be running an NEA client (that is
interoperable with the NEA server of the organization) -
which in itself
is often an unrealistic requirement.
Organizations that provide services in their networks to end users are
worried about protecting their resources (i.e., networks, servers,
etc.). As we have agreed, NEA does not protect such resources anyway.
Plus, there is absolutely no reason such organizations should believe
that devices they don't own are in fact, truthful endpoints.
So, thinking that this WG must be looking into resolving this seems
flawed at several levels. In the interest of having a focused WG that
can get something useful accomplished, this does not make sense.
No argument with your gist here. The point I was trying to make is that
I think applicability may not be quite as "black and white" as your
original text suggests, and it would be better if the applicability and
security considerations associated with NEA be addressed in the WG and
specified in the appropriate NEA documents.
The charter could express itself better in this regard. If the last
sentence was replaced with something like: "NEA can be limited in its
applicability when the endpoint and the organization providing network
access are owned by different parties. NEA applicability and security
considerations will be described in the appropriate NEA documents."
Would this work?
Thanks
Susan
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf