-----Original Message-----
From: Alan DeKok [mailto:aland(_at_)deployingradius(_dot_)com]
Sent: Tuesday, October 24, 2006 11:29 AM
To: Keith Moore
Cc: nea(_at_)ietf(_dot_)org; iesg(_at_)ietf(_dot_)org;
ietf(_at_)ietf(_dot_)org
Subject: Re: [Nea] UPDATED: WG Review: Network Endpoint
Assessment (nea)
Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> wrote:
I don't think it's a good analogy because modem pools are very
special-purpose devices, whereas a host can potentially do anything
that needs to communicate with something else. For that matter,
RADIUS doesn't have the intent of preventing some kinds of
modem pools
from connecting to the network.
No, but it has the explicit intent of preventing some kinds
of hosts from connecting to the network. Current RADIUS
deployments implement almost anything you can imagine to
control network access for hosts and/or users, down to
filtering the users network traffic. Current RADIUS
deployments *already* do ad-hoc posture assessment, there are
a number of startups implementing this today.
I don't see how NEA is such a big philosophical change from
existing RADIUS practices.
I can sort of buy the analogy to RADIUS, although the AAA protocols are
intended to do a lot more (the third "A" for instance). However, RADIUS
doesn't inherently claim any security properties, while NEA seems to.
RADIUS (or Diameter, for that matter) cannot really guarantee any level
of security for network access control - that is dependent on what is
carried in RADIUS (sometimes, a couple of levels down - e.g., EAP Method
over EAP over RADIUS, where the strength is really dependent on the EAP
method). Also, the strength of the second "A" in AAA depends on the kind
of authorization policies in place. AAA is just a framework facilitating
these - not a protocol that has some security claims to it.
Vidya
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf