Hi Susan,
-----Original Message-----
From: Susan Thomson (sethomso) [mailto:sethomso(_at_)cisco(_dot_)com]
Sent: Sunday, October 08, 2006 3:27 PM
To: Narayanan, Vidya
Cc: nea(_at_)ietf(_dot_)org; iesg(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Vidya
Inline ...
<snip>
How about adding this text - "It should be noted that the networks at
large are exposed to attacks from lying endpoints and external
entities attaching to the networks as well as any problems arising
from unknown vulnerabilities on NEA compliant endpoints. Hence, NEA
must not be considered a protection mechanism for networks. Further,
mechanisms needed to protect the network from all kinds of
vulnerabilities are expected to be a superset of any protection that
may be achieved by employing NEA"?
It seems to me that this better belongs in a security considerations
section of the NEA spec, especially given where we are in the review
cycle and the amount of time spent on this specific section already.
No, this text definitely needs to be on the charter. From the number of
discussions even at this stage, it is clear that the charter lacks the
clarity in this space. This is not text about a particular draft in NEA
- it is about the scope of the WG.
<snip>
That is not necessarily putting any requirements in the choice of the
mandatory to implement protocol itself, as I see it. I believe that
stating something like "The mandatory to implement PT protocol must be
generic enough to allow the execution of the NEA procedure without
forcing the need to re-execute network access procedures".
I think protocol requirements belong in the requirements I-D.
The charter text elsewhere does get into performing NEA procedures at
network access. Perhaps that could be removed from the charter too? If
the charter only specified that the PT protocol was out of scope and
left out any text about the timing of execution of the PT protocol w.r.t.
network access, that would be fine.
<snip>
Not only do I not see anything in the charter or milestones that
indicates that the WG is going to spend time exploring this, I
strongly believe this WG should not be spending any time looking at
this. The trust models for the cases where the devices are not owned
by the organization performing NEA are hugely different and can take
up its own WG to actually find something that applies there, if at
all. For one, this could be considered a violation of privacy by the
user of the device. Secondly, the end user's perspective of attacks
may be entirely different from the organization's perspective in this
case. Third, I simply can't see what the organization's interests
would be in protecting a device that doesn't even belong to it. Last
but not the least, this requires the endpoint to be running an NEA
client (that is interoperable with the NEA server of the organization)
- which in itself is often an unrealistic requirement.
Organizations that provide services in their networks to end users are
worried about protecting their resources (i.e., networks, servers,
etc.). As we have agreed, NEA does not protect such resources anyway.
Plus, there is absolutely no reason such organizations should believe
that devices they don't own are in fact, truthful endpoints.
So, thinking that this WG must be looking into resolving this seems
flawed at several levels. In the interest of having a focused WG that
can get something useful accomplished, this does not make sense.
No argument with your gist here. The point I was trying to make is
that I think applicability may not be quite as "black and white" as
your original text suggests, and it would be better if the
applicability and security considerations associated with NEA be
addressed in the WG and specified in the appropriate NEA documents.
This again is not necessarily a document-specific issue. It applies in
general to anything that will be produced by this WG.
The charter could express itself better in this regard. If the last
sentence was replaced with something like: "NEA can be limited in its
applicability when the endpoint and the organization providing network
access are owned by different parties. NEA applicability and security
considerations will be described in the appropriate NEA documents."
Would this work?
Why would the charter not be limited to producing solutions that may be
relevant to the case where the organization owns the end devices? As
long as we agree that NEA is not intending to protect the network and is
only meant to protect endpoints, keeping the scope to this would allow
for more focussed and useful work. To that effect, here is some modified
text:
"NEA can be limited in its applicability when the endpoint and the
organization providing network access are owned by different parties.
The resources and threat models in these cases can be vastly different
and such cases are outside the scope of this WG. NEA applicability and
security considerations will also be described in the appropriate NEA
documents."
Vidya