RE: Hiroshima room rates (was Re: Non-smoking rooms at the Hiroshima venue?)

2009-09-04 Thread Darryl (Dassa) Lynch
David Morris wrote:
|| On Fri, 4 Sep 2009, Andrew Sullivan wrote:
|| 
||| On Fri, Sep 04, 2009 at 07:43:15AM -0400, Lou Berger wrote:
|||| Yes.  I checked Sept 14-18.  Try it yourself, I expect you'll get
|||| the same results...
||| 
||| I don't understand why the rate during another period is relevant to
||| the rate we might get.  Remember that hotels, like everyone else,
||| charge more when demand is higher.
|| 
|| And the cost of meeting space and/or other standard features
|| (i.e., internet service in the room) is built into the rate for meeting
|| attendees.

As I understand the norm, meeting rooms and facilities are charged as a set
fee, with attendee room rates normally reduced due to the numbers involved.
Like most things, volume purchases reduce prices, and unless the meeting is
held at a peak time for the hotel, good rates should be able to be
negotiated.

Rates may be higher than the norm if the negotiations included extras such
as the provision of morning and afternoon teas etc.  That is to be expected.
I imagine the committee has concluded the best deal possible.

Darryl (Dassa) Lynch 

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


RE: Possible RFC 3683 PR-action

2008-03-25 Thread Darryl (Dassa) Lynch
Spencer Dawkins wrote:
|| I've been carefully not posting in this thread for a while,
|| but can't control myself today. (So I'm not particularly
|| arguing with Ted's points, his e-mail is just the latest e-mail
|| in the thread) 
|| 
|| My apologies in advance.
|| 
|| As Ted said, in theory, all decisions are supposed to be
|| confirmed on the mailing list, but I haven't seen anyone
|| point out the reason why - because we also think it's
|| important to have very few barriers to participation in the
|| IETF, so we don't require attendance at any face-to-face
|| meeting, ever.
|| 
|| So I'm not sure how we verify identities when anyone we
|| question can just post from an e-mail account at an ISP in
|| Tierra del Fuego, and say the next time you're in the tip
|| of South America, come by and verify my identity.
SNIP

My understanding is there is a system of peer validation in operation.  If a
contributor only posts once or twice, they are less likely to be taken
seriously than someone who posts regularly and often, especially when first
starting to participate.

The damage done by sock puppets and stooges is minimised in such systems as
they are fairly quickly recognised for what they are.

It is more a matter of judging the content of contributions rather than the
contributor.

Darryl (Dassa) Lynch



RE: IETF Eurasia

2007-11-29 Thread Darryl (Dassa) Lynch
[EMAIL PROTECTED] wrote:
 Why do IETF meetings have to be monolithic and all-inclusive?
|| 
||| I can tell you why we do - crosstalk. It can be incredibly useful
||| for people from the Security Area to look in on Applications, or for
||| Transport and RAI folks to understand the workings of the layers
||| beneath them and their users, for example.
||| 
||| That doesn't make for a has to, but it seems like a good reason to
||| choose to, from my perspective.
|| 
|| I agree with your reasoning. I should have asked, why do
|| *ALL* IETF meetings have to be monolithic and all-inclusive?
|| 
|| Smaller meetings held outside North America could be located
|| in smaller cheaper hotels, and would encourage wider
|| participation in the IETF. In fact, smaller meetings in
|| North America would achieve the same ends.
|| 
|| I'm not suggesting getting rid of the existing monolithic
|| meetings, but adding another type of meeting that is
|| smaller, cheaper to attend, and held in cities/countries
|| that are far from the USA but closer to people who should be
|| more involved in the IETF. For instance, Pune and Bangalore
|| India, Moscow and Ekaterinburg Russia, Dalian and Shanghai
|| China as well as places like Helsinki, Frankfurt, Tokyo, Seoul.
|| 
|| Note that smaller regional meetings still provide the
|| opportunities for some crosstalk, even if the variety of WG
|| choices to attend will be smaller. And it increases the
|| amount of crosstalk and cross-fertilization between people
|| who regularly work in the IETF and those who have not done
|| IETF work because they have not had the opportunity to see
|| it in action, face to face.
|| 
|| Note also that RIPE does something along these lines with
|| their regional meetings having more focus on education. I
|| expect that an IETF regional meeting would also have to have
|| more focus on education since a higher proportion of first-timers
|| would attend. 

Wouldn't the regional meetings you are suggesting have a totally different
focus and be a different type of event all together compared to the main
meetings currently?

I would expect such regional meetings to have a focus on educating the local
public about the IETF and be about increasing participation but not
including any actual work on IETF content.

I believe such regional meetings would be a great idea as a means to
facilitate mentoring of future participants and encouraging new blood into
the organization.

Darryl (Dassa) Lynch 




RE: Travel Considerations

2007-10-13 Thread Darryl (Dassa) Lynch
Jari Arkko wrote:
 Please save the planet by working on a better Internet, not
 by posting to an off-topic mail thread.

Perhaps the IETF should consider purchasing carbon credits for each
standards track document produced :)

Darryl (Dassa) Lynch 




RE: joining the IETF is luxury Re: 70th IETF - Registration

2007-09-07 Thread Darryl (Dassa) Lynch
Adrian Farrel wrote:
 We shall see, but I don't know that putting up the price
 necessarily fixes the registration income issue. You only
 have to deter a relatively small proportion of attendees to
 wipe out the increase in charge.
 
 I assume that the converse is also being applied: viz.
 cutting meeting costs. It's hard for us oiks to tell because we only
 see: 
 - registration fee
 - breakfasts/cookies
 
 Anyway, registration is still the smallest component of attendance
 for me. Hotel and travel are still bigger problems, and I continue
 to wonder whether we could increase attendance (and hence
 registration income) by facilitating cheaper accommodation and
 travel. 

Like Adrian, the associated costs are a factor for me; the meeting fee
itself is very reasonable compared to other conferences.  The biggest factor
for me is the time.  I don't seem to have the time to contribute enough even
to the online possibilities, let alone attend meetings.

I suspect that when I will have the time, the expense will not be a factor
but by then the willingness to participate will have gone.

At least at present everyone has the possibility of putting forward input
either online or in person with the IETF, it is one of the main attractions
I see with the organisation.

Darryl (Dassa) Lynch 




RE: NATs as firewalls

2007-03-07 Thread Darryl (Dassa) Lynch
Hallam-Baker, Phillip wrote:
 From: John C Klensin [mailto:[EMAIL PROTECTED]
 
   And, when I conclude that IPv6 is inevitable (unless someone comes
 up with another scheme for global unique addresses RSN),
 
 Here we disagree, I don't think that IPv6 is inevitable.
 When I model the pressures on the various parties in the
 system and consider the shortest route by which the
 participants can reach their short term goals there are
 certainly alternative schemes.
 
 I certainly do not want to see these schemes deployed but
 they are certainly possible outcomes. For example, a
 hyperNAT where the ISP NATs residential Internet as a matter
 of course. I suspect we will start to see this deployed on a
 large scale as soon as the market price for IP address
 allocation reaches a particular point.
 
 There is a major difference between a NAT box plugged into
 the real Internet and a NAT box plugged into another NAT
 box. It is a pretty ugly one for the residential user.

I'm afraid it is already happening on a large scale in some parts.  Here in
Australia I've seen multiple ISPs who NAT all residential customers.  Some
of them are amongst the largest players in the market.  Even some commercial
offerings are on NATs.

Personally I'm more set against the wholesale blocking of ports and services
which ISPs seem to be favouring at the moment, and the pricing that is
applied to have the blocks removed.  There are artificial blocks being
deployed to keep usage down that are a bigger problem than NATs IMHO.

Darryl (Dassa) Lynch 




RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-12 Thread Darryl (Dassa) Lynch
Douglas Otis wrote:
 
 If an application happens to be malware, it seems it would
 be unlikely to stop these applications.  How about:
 
 vi)   Provide application level advisory information pertaining to  
 available services. 
 
 Points that seem to be missing are:
 
 vii)  Notification of non-compliance. (Perhaps this could become a  
 restatement of i.) 
 
 viii) Time or sequence sensitive compliance certificates provided
   following a remediation process or service.
 
 
 Often bad behavior is detected, such as scanning or sending
 spam which may violate AUPs.  These violations may trigger a
 requirement for the endpoint to use a service that offers
 remedies the endpoint might use.
 There could then be a time-sensitive certificate of
 compliance offered following completion of a check-list and
 an agreement to comply with the recommendations.
 
 Those that remain infected after remediation, or that ignore
 the AUPs and are again detected, may find this process a
 reason to correct the situation or their behavior, or the
 provider may wish to permanently disable the account.

Am I mistaken or is NEA intended to be a compliance check before a node is
allowed onto the network?  As such, observed behaviour and application abuse
would seem to be issues that would be dealt with by other tools.  NEA may be
used to ensure certain applications are installed and some other
characteristics of the node but actual behaviour may not be evident until
such time as the node has joined the network and would be beyond the scope
of detection by NEA IMHO.  NEA may be used to assist in limiting the risk of
such behaviour but that is about the extent of it that I see.

My reading of the charter gives me the impression NEA is only intended for a
specific task and some of what we have been discussing seems to extend well
beyond the limited scope proposed.

Darryl (Dassa) Lynch 




RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Darryl (Dassa) Lynch
Brian E Carpenter wrote:
 I run a very closed network, ports are closed and not opened unless
 there is a validated request, external drives are disabled etc etc.
 A contractor comes in with a notebook and needs to work on some
 files located on our internal secure network.  A trusted staff
 member rings in with the request to open a specified port.  The
 port is opened and the contractor hooks up the laptop to it.  NEA
 does its thing and if the laptop doesn't match the requirements of
 the internal network policy it is directed to a sandbox network for
 remediation.  If the laptop does meet the policy then it is allowed
 onto the internal network.
 
 What if your contractor has carefully configured the laptop
 to give all the right answers? What if it has already been
 infected with a virus that causes it to give all the right answers?
 
 The first case is certainly current practice, and the second
 one could arrive any day.

Hello Brian

I would be monitoring for unusual behaviour on the network and would be
warned if the laptop started to behave in ways not expected.  NEA would only
save time in getting the system onto the network as instead of physically
inspecting it I'd be relying on automated means to judge compliance.  It
would be an acceptable risk.  The risk of someone wishing to hack in or
being infected with a virus as you describe is low.  I'd mainly be using NEA
to assist in those situations where the trust isn't total but there isn't
harmful intent.

If you know of a system that provides total protection, is easy for users to
perform their duties and doesn't have me or IT staff doing physical checks
I'd be more than willing to look at it.

Let's face it, there will always be a risk of someone getting around any
informational or protection mechanism put into play, we all have to judge
that risk and set up networks accordingly.  If we really want to be secure
we wouldn't allow any ad hoc connections at all.

Darryl (Dassa) Lynch 




RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Darryl (Dassa) Lynch
Hello Ted

Comments inline as appropriate.

Ted Hardie wrote:
 At 7:55 PM +1000 10/11/06, Darryl (Dassa) Lynch wrote:
 I run a very closed network, ports are closed and not opened unless
 there is a validated request, external drives are disabled etc etc.
 A contractor comes in with a notebook and needs to work on some
 files located on our internal secure network.  A trusted staff
 member rings in with the request to open a specified port.  The
 port is opened and the contractor hooks up the laptop to it.  NEA
 does its thing and if the laptop doesn't match the requirements of
 the internal network policy it is directed to a sandbox network for
 remediation. 
 
 One of the points that has been made here several times is
 that the rosy promise of a sandbox for remediation has a
 number of thorns, even in the case where a posture
 assessment method has identified a potential issue. As it
 stands, there are commonly multiple ways to work around a
 vulnerability, including base-levels upgrades (from OS Foo
 v3 to v4) specific patches (either to the OS or to the
 application), and, in some cases, configurations (turning off
 functionality BAR). Assessing those is difficult; offering
 remediation is trickier yet, especially when one or more of the
 systems which may need remediation may not even been active at the
 time of attachment. As I have expressed before, I have serious
 doubts that the standardized parameters will be sufficient to do any
 reasonable assessment, and the same carries through in
 spades for remediation, since that involves a check that
 none of the remediations has already been applied.

Very true, any remediation is difficult.  It may be that options will be
provided so that once a system fails to meet NEA compliance it is offered a
number of options instead of remediation, perhaps limited access, no access
or intervention by IT staff.  All of this is beyond the scope of NEA at this
stage IMHO.

 Maintaining a valid, *current* set of patches, OS upgrades,
 and the like for remediation is going to be a very big task;
 managing the licensing on it a nasty problem; and handling
 the potential liability of applying the *wrong* remediation
 a nightmare.  Handling unknown states (even for those
 running recognized assessors) is an even more problematic
 issue, but you may not care that some folks run development
 drops of OSes and applications, since you can always
 remediate them by offering a downgrade.

What is the difference from maintaining the network nodes already on the
system?  They all have to be maintained and kept in compliance already.  NEA
just provides some information on what may be needed.

 In your example, the contractor presumably also agrees to
 your mucking with their laptop configuration as part of the
 contract, but the number of cases in which this is going to
 be wise is clearly a subset of all cases and it may be a
 tiny subset.  If I came into your network and offered to
 work with you, my corporate IT folks would be upset if I
 allowed you to do any of the updates discussed above, so the
 sandbox is effectively a denial of network access.
 That's a policy decision you are welcome to make (it's your
 network), but it's a complex and risky way to make it.

If they don't agree to the network policy then alternatives would need to be
available, such as providing a trusted system for them to use.  Hackers and
thieves wouldn't agree to abide by any policy in place, but that doesn't mean
I have to provide methods to make their life easier :).

 I continue to think that the core of this work (passing an
 opaque string prior to attachment) has some benefits

I don't disagree.

 snip
 
 Just another tool to give network administrators information and
 systems they can use to ensure the majority of users get their
 requirements met in a reasonable and timely manner.
 
 And I believe others agree with your tool in the toolkit
 view.  But if you advertise a saw as a hammer, someone is going to
 get cut. 

Most accidents occur in the home.  People do have to take some
responsibility for themselves.

Darryl (Dassa) Lynch 




RE: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Darryl (Dassa) Lynch
Hi Vidya

Comments inline as appropriate.

Narayanan, Vidya wrote:

 Your email indicates that you would:
 
 a) somehow require that a visitor's laptop run an NEA client,
 b) expect the device to support PAs that the server requires to be
 checked, and c) trust data coming out of it,
 
 rather than treat that endpoint as an unknown endpoint and do
 IDS/IPS in the network. 

You are limiting my options to a small subset of what I would have
available.  I may sandbox systems that don't have an NEA client and are
unwilling to install one, they would be treated as an unknown node and given
very limited access, they wouldn't be allowed onto the trusted network for
instance.  I would expect some information to be available which I would
then be able to check against my policy.  I would assume a limited amount of
trust but would continue to have other mechanisms in place to be informed
where that limited trust has been abused.

 Other than finding this a rather bizarre trust model, I
 have to say that there will be a very small set of such
 endpoints where the owner of that endpoint is going to be
 thrilled to allow you to place such clients on his/her
 device and perform updates on it.

If they wish to join my network they have to abide by the policies I have in
place, they don't like it, they don't get to play.

 In short, this is exactly the type of endpoint I wouldn't imagine
 NEA being useful for! 

NEA is a means to automate the information gathering about this endpoint; if
they don't agree to the policies, they will have options too.  If a person or
device doesn't agree with the policies in place, it doesn't mean I should
still provide full access for them.  Risk management will dictate what will
or will not be allowed.

Darryl (Dassa) Lynch 





RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Darryl (Dassa) Lynch
Harald Alvestrand wrote:
SNIP
 Posture checking is certainly a leaky bucket. It doesn't
 protect all kinds of endpoint, it doesn't protect the
 endpoints against all kinds of threats, and it doesn't
 protect much of anything against a smart, resourceful
 attacker who is deeply familiar with the NEA system in use
 and is interested in investing considerable resources in
 attacking or circumventing it.

NEA itself may not offer any protection, it is more an informational tool
from my perspective.  How that information may be used could lead to some
protection but that would vary with each deployment.

 But (to recycle a very old simile) the fact that I can open
 the locks of most doors with a crowbar doesn't mean that locks are
 not useful. Organizations that have deployed products that do
 something like what NEA is talking about have reported that their
 TCO is reduced. 

In these days of information overload I still maintain that the more
information available, the better it is.

Darryl (Dassa) Lynch





RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Darryl (Dassa) Lynch
Hi Vidya

Narayanan, Vidya wrote:
 -Original Message-
 From: Susmit Panjwani [mailto:[EMAIL PROTECTED]
 Sent: Saturday, October 07, 2006 5:04 PM
 To: Harald Alvestrand
 Cc: Narayanan, Vidya; [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
 Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
 
 Third, I simply can't see what the organization's interests would be
 in protecting a device that doesn't even belong to it.
 
 An organization might not be interested in protecting a device that
 does not belong to it but would definitely be interested in
 preventing the attacks originating from such device (if
 compromised) when it joins the organization network.
 
 It appears that the NEA charter is completely misleading to
 some people from what is stated in this email. As the NEA
 charter alludes to, NEA does nothing to protect against
 compromised devices. Also, as has been agreed, NEA is not a
 protection mechanism for the network - it is meant to be a
 protection mechanism for compliant, truthful and as yet
 uncompromised end hosts against known vulnerabilities.

True, the NEA doesn't do anything to protect against compromised devices,
but it does assist in limiting the known compromises on endpoint devices by
being a mechanism for the checking and reporting on compliance to whatever
network policy is in place, including virus and patch levels.  As a network
administrator I already deploy mechanisms for doing just this, but at a
higher level than the NEA charter indicates.  To me the difference is
between being reactive or proactive.  The compliance testing I already run
occurs after an end node has joined the network; with NEA the possibility is
for compliance checking before being allowed onto the network, so isolation
and immediate remediation is possible.

 Any network, in its own best interests, must assume that it
 has lying and compromised endpoints connecting to it and
 that there are unknown vulnerabilities on any NEA-compliant
 devices connecting to it. Any kind of protection that
 addresses these general threats that the network may be
 exposed to at any time will simply obviate the need for NEA from the
 network perspective. 

Reliance on one protection or reporting mechanism is not enough.  We need a
lot of varied tools to cover all the bases and minimise risk.

 A network operator that thinks the network is getting any
 protection by employing NEA is clearly ignoring the obvious
 real threats that the network is exposed to at any time.

No, NEA would just be one more tool used to improve overall security and
minimise risk.  It would be at a different level to the tools some of us
already deploy.

 This is what I meant when I said that the charter is unclear
 and it must explicitly state that NEA is not meant as a
 protection mechanism of any sort for the network.

I don't believe the Charter needs to delve into this at all.  If some people
see it as part of their protection mechanisms, so be it.

Darryl (Dassa) Lynch 




RE: Meetings in other regions

2006-07-14 Thread Darryl (Dassa) Lynch

| -Original Message-
| From: JORDI PALET MARTINEZ [mailto:[EMAIL PROTECTED] 
| Sent: Saturday, July 15, 2006 1:05 AM
| To: ietf@ietf.org
| Subject: Re: Meetings in other regions
| 
| There are two issues:

I believe there are far more issues, which make the whole thing much more
complex than most of us would like, and it is sometimes a good idea to hash
over the issues now and again to see if there have been any changes which may
assist with future direction.
 
| 1) Cost. IETF has limited resources, so unless each of us 
| want to pay more and more for the registration fees or we 
| are able to compensate the cost with more sponsors (which is 
| every day more difficult), we need to look for cheaper locations.

For someone like me who is involved in a lot of things from personal interest
and inclination without corporate backing, costs are an important issue.  I've
given some thought to this, how participation is restricted for individuals
and have come to the conclusion it is not such a bad thing.  Individuals can
participate in the IETF without having it cost them a fortune which is
different to a lot of other organisations, even if that participation is
somewhat limited.  It is one of the great things about the IETF I like, how
anyone can become involved.

| 2) It is unfair that the main driver is only looking at where 
| more people come from (this is fortunately changing anyway, 
| and thus will be less and less easy to match). Even worse if 
| that's a country which doesn't allow everyone to come in.

I'm not sure if it is because I'm getting older and have more understanding or
if I have seen enough evidence to support it but I find myself relying more on
the intrinsic good will of people and assuming they make decisions after
considering all factors, more often than not.  As has been pointed out, the
location will affect demographics and I'm satisfied this is considered when a
decision is made on where the next meeting will be held.  As are a lot of
other factors.

There will always be ideas put forward for alternative locations and ways to
decide on the selection.  This is a good thing.  It keeps the whole process on
track.

Darryl (Dassa) Lynch 

