RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Sam,

I believe if we move 'quickly' in this WG we will be able to meet interoperability goals to a certain extent at least. The bottom line is this technology is already being deployed by different vendors in academia and enterprises. The question is should the IETF get involved in standardizing this or leave it to the individual vendors. I believe the IETF should and that standardization will certainly help the community, if we can move fast enough.

The recent email by Jari Arkko to standardize some of the EAP methods which are being used and deployed today but no RFCs exist for them is certainly a step in the right direction.

My 2 cents,
Hormuzd

-----Original Message-----
From: Sam Hartman [mailto:[EMAIL PROTECTED]
Sent: Friday, October 13, 2006 12:43 PM
To: Frank Yeh Jr
Cc: Ted Hardie; [EMAIL PROTECTED]; ietf@ietf.org
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

>>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:

    Frank> Standardized VS vendor-specific attributes is not something that needs to be
    Frank> solved today. Solutions can start with vendor-specific and migrate toward a
    Frank> standard, if one develops, without changing the protocol. The specification
    Frank> should not preclude the addition of standardized attributes. IE the
    Frank> specification is like an alphabet, attributes are like vocabulary. You can add
    Frank> new words without changing the letters.

One of the things coming out of the most recent BOF was a strong desire for PA-level interoperability. That can be accomplished through standardized attributes or vendor-specific attributes that are sufficiently well documented (and not subject to patents) that third parties can implement collectors or analysis tools that interoperate with the vendor tools for the vendor attributes.

Will we be able to meet these interoperability goals? Why or why not?
___ Nea mailing list [EMAIL PROTECTED] https://www1.ietf.org/mailman/listinfo/nea ___ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Ted Hardie wrote:
> For the charter discussions, I want to know whether it will
> be an aim of the working group to standardize:
>
> * a way of carrying this information
> * the structure of this information (but not its content)
> * a standard representation of the content, so that access to the vendor database
>   is no longer required

I believe that we'll need to define all three of these. There may be times when access to an external database would be useful (if you want to know exactly which viruses are covered by which AV defs version, for example) but such access should not be required to use the standard attributes.

Thanks,

Steve
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>> Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
>> people have deployed today to
>> solve the lying-client-problem by scanning for common/current
>> vulnerabilities as part of the network admission
>> process will have to interface with PDPs part of a NEA infrastructure.
>
> Could you rephrase please? I am afraid I don't understand what you
> are saying.
>

It has been pointed out on this list that the main deliverable from NEA might well turn out to be the way host postures are described - the schema if you will. I'm positive that if someone deploys NEA/NAP/NAC etc the admin will want to combine data from the on-client posture client with information from external IDS (etc) services to a common Policy Decision Point. That means that a reason to do NEA is to get this schema standardized even if some people who care about lying clients never use and/or trust client posture clients.

> Oh, and lying endpoint problem cannot be solved by scanning for common
> vulnerabilities! In fact, the two have no relation whatsoever.

They have the single relation of both expressing claims about the state of a host.

Cheers Leif
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Oct 17, 2006, at 11:22 AM, Eliot Lear wrote:
> I would think that five or six values are appropriate:
>
> 1. Vendor name (string)
> 2. Vendor engine version (integer)
> 3. Vendor virus definitions version (integer)
> 4. Enabled? (binary)
> 5. Buggered? (binary)
> 6. Other gobbledigook the vendor wants to include that might get
>    standardized later. (blob)

This still seems like too much. Information offered for access can be contained within one or more certificates. The information within these certificates should be limited to a minimal set of values:

1) creator
2) class
3) user-host
4) time-stamp
5) update resources

The essential information would be the creator/class/user-host/time-stamp fields. When protection is not enabled or is buggered, then a newer certificate should not be offered. The virus definitions or patch updates can be deduced from the time-stamp or by extensions added to class, i.e. AVX-VISTA-37. If a vulnerability is reported subsequent to the time-stamp regarding the creator/class of service, then a new certificate could be required. This would simplify tracking at the access point.

By keeping the information exchanged and decisions limited to this minimal information, NEA should provide a valuable service in many environments. Perhaps there should be some consideration given regarding which sets of certificates are offered in various environments. Allowing the certificates to be accessed beyond an authentication process seems to increase security exposures. As this information is not trustworthy, there would also be little gained by sharing this information elsewhere. In fact, sharing this information may increase infection rates when this aids malware.

-Doug
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
At 8:22 PM +0200 10/17/06, Eliot Lear wrote:
> I would think that five or six values are appropriate:
>
> 1. Vendor name (string)
> 2. Vendor engine version (integer)
> 3. Vendor virus definitions version (integer)
> 4. Enabled? (binary)
> 5. Buggered? (binary)
> 6. Other gobbledigook the vendor wants to include that might get
>    standardized later. (blob)
>
> I could envision 3 being a bit of an issue if it is possible to update
> specific viruses but not others.

Thanks for this. I was assuming we were talking primarily about a "1 and 3" combined value. As it stands now, you need access to the vendor's database to know what viruses are covered by any specific version (your 3).

For the charter discussions, I want to know whether it will be an aim of the working group to standardize:

* a way of carrying this information
* the structure of this information (but not its content)
* a standard representation of the content, so that access to the vendor database is no longer required

The tasks are substantially different in scope, and the level of interoperability the community can expect from them is similarly different.

regards,
Ted Hardie
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Ted,

> Sorry, but doesn't "AV status" above refer to the existing, proprietary
> anti-virus systems? How does standardizing an attribute for carrying
> that help create a standardized understanding of what it means? Don't I
> still have to treat that as, essentially, a vendor attribute, since I
> have to know which vendor statuses cover which vulnerabilities? Or do
> you mean "there is some anti-virus software here"?

I would think that five or six values are appropriate:

1. Vendor name (string)
2. Vendor engine version (integer)
3. Vendor virus definitions version (integer)
4. Enabled? (binary)
5. Buggered? (binary)
6. Other gobbledigook the vendor wants to include that might get standardized later. (blob)

I could envision 3 being a bit of an issue if it is possible to update specific viruses but not others. I would expect the normal enterprise administrator to be able to act on the first 5. The 6th is there as a placeholder. I'm not sure I'd trust 5 if it's false.

I'd also suggest we're well into solving the problem at this point.

Eliot
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
At 2:04 AM -0400 10/17/06, Stephen Hanna wrote:
>> Will we be able to meet these interoperability goals? Why or why not?
>
> Yes, we can. If we define a small set of standardized attributes
> (OS and app version, AV status, etc.) and make them mandatory to
> implement,

Sorry, but doesn't "AV status" above refer to the existing, proprietary anti-virus systems? How does standardizing an attribute for carrying that help create a standardized understanding of what it means? Don't I still have to treat that as, essentially, a vendor attribute, since I have to know which vendor statuses cover which vulnerabilities? Or do you mean "there is some anti-virus software here"?

Ted Hardie
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
At 12:00 AM 10/17/2006, Khosravi, Hormuzd M wrote:
> Sam,
>
> I believe if we move 'quickly' in this WG we will be able to meet
> interoperability goals to a certain extent at least. The bottom line is
> this technology is already being deployed by different vendors in
> academia and enterprises. The question is should the IETF get involved
> in standardizing this or leave it to the individual vendors. I believe
> the IETF should and that standardization will certainly help the
> community, if we can move fast enough.

Whereas interoperability is a noble goal, the IETF also has the good habit of clearly specifying what our protocols do and don't do. Our bar is thankfully higher than marketing literature for example.

> The recent email by Jari Arkko to standardize some of the EAP methods
> which are being used and deployed today but no RFCs exist for them is
> certainly a step in the right direction.

Good example actually: 3748 contains brutal truths about some of the legacy EAP methods, for instance on MD5-Challenge -- which no one should really be using for access control -- it says:

   Auth. mechanism:         Password or pre-shared key.
   Ciphersuite negotiation: No
   Mutual authentication:   No
   Integrity protection:    No
   Replay protection:       No
   Confidentiality:         No
   Key derivation:          No
   Key strength:            N/A
   Dictionary attack prot.: No
   Fast reconnect:          No
   Crypt. binding:          N/A
   Session independence:    N/A
   Fragmentation:           No
   Channel binding:         No

In other words, someone who uses that protocol gets zilch! Now of course, in the "real" world, a variant of this protocol was used and soon after publicly demonstrated to be useless.

best regards,
Lakshminath

> My 2 cents,
> Hormuzd
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Vidya Narayanan wrote:
> I am very apprehensive of achieving any meaningful PA-level
> interoperability. I am not sure what minimum set of PA attributes will
> be standardized, but, whatever that set is, I doubt will be sufficient
> to provide any acceptable level of security, even for the endpoints.

This is not surprising, since you have said that you don't see any security value to NEA.

> Even assuming ongoing standardization of vendor specific attributes, it
> is not totally realistic to assume that all applications will support
> the appropriate attributes. The rate of standardization is also very
> likely to be much slower than the rate of the growth in the number of
> attributes needed for any continued meaningful protection.

NEA is not based on applications supporting attributes. Attributes are supported by Posture Collectors and Posture Validators, specialized NEA components. An AV Posture Collector will handle attributes pertaining to AV, perhaps by interfacing with an existing AV application. Still, I agree that a given endpoint will typically only support a small subset of the universe of possible attributes. Not a problem. As long as the endpoint supports enough attributes that the Posture Broker can evaluate its compliance with the posture policy, that's enough.

Thanks,

Steve

-----Original Message-----
From: Narayanan, Vidya [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 5:06 PM
To: Sam Hartman; Frank Yeh Jr
Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)

Sam,

> -----Original Message-----
> From: Sam Hartman [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 13, 2006 12:43 PM
> To: Frank Yeh Jr
> Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> >>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:
>
>     Frank> Standardized VS vendor-specific attributes is not something that needs to be
>     Frank> solved today. Solutions can start with vendor-specific and migrate toward a
>     Frank> standard, if one develops, without changing the protocol. The specification
>     Frank> should not preclude the addition of standardized attributes. IE the
>     Frank> specification is like an alphabet, attributes are like vocabulary. You can add
>     Frank> new words without changing the letters.
>
> One of the things coming out of the most recent BOF was a
> strong desire for PA-level interoperability. That can be
> accomplished through standardized attributes or
> vendor-specific attributes that are sufficiently well
> documented (and not subject to patents) that third parties
> can implement collectors or analysis tools that interoperate
> with the vendor tools for the vendor attributes.
>
> Will we be able to meet these interoperability goals? Why or why not?
>

I am very apprehensive of achieving any meaningful PA-level interoperability. I am not sure what minimum set of PA attributes will be standardized, but, whatever that set is, I doubt will be sufficient to provide any acceptable level of security, even for the endpoints.

Even assuming ongoing standardization of vendor specific attributes, it is not totally realistic to assume that all applications will support the appropriate attributes. The rate of standardization is also very likely to be much slower than the rate of the growth in the number of attributes needed for any continued meaningful protection.

Regards,
Vidya
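As an added illustration of the Posture Validator role Steve describes (not code from the NEA WG or any vendor), the Python below evaluates the six AV values Eliot Lear proposed elsewhere in this thread against a constructed posture policy, applying two caveats raised in the discussion: the self-reported "Buggered?" flag is only acted on when it is true (Eliot does not trust a false), and the definitions version is compared only to a per-vendor minimum, since knowing which viruses it covers would require the vendor database (Ted's point). The attribute names, the policy values and the vendor blob are assumptions made for this example.

```python
"""Toy Posture Validator for the AV attribute set discussed in this thread.

Added example, not NEA WG or vendor code. Attribute names, policy
minimums and the sample postures are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Standardized mandatory-to-implement (MTI) attributes a validator needs
# before the Posture Broker can evaluate policy at all (assumed names).
MTI_ATTRIBUTES = ("vendor_name", "engine_version", "defs_version", "enabled")

# Constructed policy: minimum acceptable versions per AV vendor. A vendor
# absent here cannot be assessed without its database, so we return
# "unknown" rather than guessing what a version number means.
POLICY_MINIMUMS: Dict[str, Dict[str, int]] = {
    "ExampleAV": {"engine_version": 7, "defs_version": 2310},
    "OtherAV": {"engine_version": 3, "defs_version": 910},
}


@dataclass
class Verdict:
    decision: str                          # "compliant", "noncompliant", "unknown"
    reasons: List[str] = field(default_factory=list)
    vendor_blob: Optional[bytes] = None    # passed through untouched for a vendor plug-in


def validate_av_posture(attrs: Dict[str, Any]) -> Verdict:
    """Decide on an endpoint's AV posture from the standardized attributes only."""
    missing = [a for a in MTI_ATTRIBUTES if a not in attrs]
    if missing:
        # Too few attributes for the broker to evaluate the posture policy.
        return Verdict("unknown", [f"missing MTI attributes: {', '.join(missing)}"])

    vendor = attrs["vendor_name"]
    minimums = POLICY_MINIMUMS.get(vendor)
    if minimums is None:
        # Without the vendor's database the version numbers are opaque to us.
        return Verdict("unknown", [f"no policy knowledge for vendor {vendor!r}"],
                       attrs.get("vendor_blob"))

    reasons: List[str] = []
    if attrs["enabled"] is not True:
        reasons.append("AV not enabled")
    for key in ("engine_version", "defs_version"):
        value = attrs[key]
        # Only a minimum-version comparison; coverage of specific viruses
        # is not derivable from the number itself.
        if not isinstance(value, int) or value < minimums[key]:
            reasons.append(f"{key} {value!r} below minimum {minimums[key]}")

    # A self-report of "buggered" is a negative signal we act on; a report
    # of False is not treated as evidence that the product is healthy.
    if attrs.get("buggered") is True:
        reasons.append("endpoint reports its AV as buggered")

    return Verdict("noncompliant" if reasons else "compliant", reasons,
                   attrs.get("vendor_blob"))


if __name__ == "__main__":
    # Constructed sample posture from an endpoint's AV Posture Collector.
    sample = {"vendor_name": "ExampleAV", "engine_version": 8,
              "defs_version": 2000, "enabled": True, "buggered": False,
              "vendor_blob": b"\x00\x01"}
    print(validate_av_posture(sample))
```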
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Sam Hartman wrote:
> One of the things coming out of the most recent BOF was a
> strong desire for PA-level interoperability. That can be
> accomplished through standardized attributes or
> vendor-specific attributes that are sufficiently well
> documented (and not subject to patents) that third parties
> can implement collectors or analysis tools that interoperate
> with the vendor tools for the vendor attributes.
>
> Will we be able to meet these interoperability goals? Why or why not?

Yes, we can. If we define a small set of standardized attributes (OS and app version, AV status, etc.) and make them mandatory to implement, then we will have interoperability with respect to those attributes. We should allow the definition of attributes that go beyond this minimal standard mandatory to implement (MTI) set but the MTI set will provide a baseline of information available for all endpoints that implement NEA.

Thanks,

Steve
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Sam,

> -----Original Message-----
> From: Sam Hartman [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 13, 2006 12:43 PM
> To: Frank Yeh Jr
> Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> >>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:
>
>     Frank> Standardized VS vendor-specific attributes is not something that needs to be
>     Frank> solved today. Solutions can start with vendor-specific and migrate toward a
>     Frank> standard, if one develops, without changing the protocol. The specification
>     Frank> should not preclude the addition of standardized attributes. IE the
>     Frank> specification is like an alphabet, attributes are like vocabulary. You can add
>     Frank> new words without changing the letters.
>
> One of the things coming out of the most recent BOF was a
> strong desire for PA-level interoperability. That can be
> accomplished through standardized attributes or
> vendor-specific attributes that are sufficiently well
> documented (and not subject to patents) that third parties
> can implement collectors or analysis tools that interoperate
> with the vendor tools for the vendor attributes.
>
> Will we be able to meet these interoperability goals? Why or why not?
>

I am very apprehensive of achieving any meaningful PA-level interoperability. I am not sure what minimum set of PA attributes will be standardized, but, whatever that set is, I doubt will be sufficient to provide any acceptable level of security, even for the endpoints.

Even assuming ongoing standardization of vendor specific attributes, it is not totally realistic to assume that all applications will support the appropriate attributes. The rate of standardization is also very likely to be much slower than the rate of the growth in the number of attributes needed for any continued meaningful protection.

Regards,
Vidya
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
At 01:46 AM 10/16/2006, Leif Johansson wrote:
> Lakshminath Dondeti wrote:
>> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>>> Many universities require their students to buy their own laptops,
>>> but prohibit certain types of activity from those laptops (like
>>> spamming, DDOS-attacks and the like). They would love to have the
>>> ability to run some kind of NEA procedure to ensure that laptops are
>>> reasonably virus-free and free from known vulnerabilities, and are
>>> important enough in their students' lives that they can probably
>>> enforce it without a complaint about "violation of privacy".
>>>
>>> Just pointing out that there's one use case with user-managed
>>> endpoints where NEA is not obviously a bad idea.
>>
>> My email ventures into a bit of non-IETF territory, but we are
>> discussing use cases, and so I guess it's on topic. Universities
>> should be the last places to try antics like NEA. Whereas an
>> operational network would be a priority to them, it is also important
>> that they allow students to experiment with new applications. If we
>> are believing that general purpose computing will be taken away from
>> college students, we are indeed talking about a different world.
>>
>> In any event, the bottom line is NEA as a solution to "network
>> protection" is a leaky bucket at best.
>>
>> NEA at best *may* raise the bar in attacking a "closed" network where
>> endpoints are owned and tightly controlled by the organization that
>> owns the network.
>>
> Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
> people have deployed today to solve the lying-client-problem by scanning
> for common/current vulnerabilities as part of the network admission
> process will have to interface with PDPs part of a NEA infrastructure.

Could you rephrase please? I am afraid I don't understand what you are saying.

Oh, and lying endpoint problem cannot be solved by scanning for common vulnerabilities! In fact, the two have no relation whatsoever.

Lakshminath

> Cheers Leif
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Lakshminath Dondeti wrote:
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>> Many universities require their students to buy their own laptops,
>> but prohibit certain types of activity from those laptops (like
>> spamming, DDOS-attacks and the like). They would love to have the
>> ability to run some kind of NEA procedure to ensure that laptops are
>> reasonably virus-free and free from known vulnerabilities, and are
>> important enough in their students' lives that they can probably
>> enforce it without a complaint about "violation of privacy".
>>
>> Just pointing out that there's one use case with user-managed
>> endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are
> discussing use cases, and so I guess it's on topic. Universities
> should be the last places to try antics like NEA. Whereas an
> operational network would be a priority to them, it is also important
> that they allow students to experiment with new applications. If we
> are believing that general purpose computing will be taken away from
> college students, we are indeed talking about a different world.
>
> In any event, the bottom line is NEA as a solution to "network
> protection" is a leaky bucket at best.
>
> NEA at best *may* raise the bar in attacking a "closed" network where
> endpoints are owned and tightly controlled by the organization that
> owns the network.
>

Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen people have deployed today to solve the lying-client-problem by scanning for common/current vulnerabilities as part of the network admission process will have to interface with PDPs part of a NEA infrastructure.

Cheers Leif
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:

    Frank> Standardized VS vendor-specific attributes is not something that needs to be
    Frank> solved today. Solutions can start with vendor-specific and migrate toward a
    Frank> standard, if one develops, without changing the protocol. The specification
    Frank> should not preclude the addition of standardized attributes. IE the
    Frank> specification is like an alphabet, attributes are like vocabulary. You can add
    Frank> new words without changing the letters.

One of the things coming out of the most recent BOF was a strong desire for PA-level interoperability. That can be accomplished through standardized attributes or vendor-specific attributes that are sufficiently well documented (and not subject to patents) that third parties can implement collectors or analysis tools that interoperate with the vendor tools for the vendor attributes.

Will we be able to meet these interoperability goals? Why or why not?
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> I have a very basic fear that this working group is getting chartered
> with a bunch of aims added by people who will not take on the
> task of doing the work. After private discussion with folks
> involved, my sense is that the very core of this work is a perceived
> need to be able to pass opaque strings between a host and the network
> prior to the host attaching. Those opaque strings are, essentially,
> the vendor-specific strings currently associated with posture assessment.
> The standard protocol carrying these strings would connect on the network
> side to a system that has plug-ins which understand the vendor-specific
> strings.
>
> With a charter that clarified that this was intended to assist the end
> systems with vulnerabilities prior to attachment because the
> network they are attaching to might be filled with danger, I
> think this work would get done reasonably quickly. (As a control
> mechanism to protect the network, I agree with the point made
> clearly by others that this is not appropriate).
>
> I am less sure of the task of standardizing attributes.
>
> I am not sure that the number of attributes which can be standardized
> will ever be high enough to be truly useful, and I am pretty sure
> that all of these will be already covered by vendor-specific attributes.
> Since there must be an assessor in place on the client for those few
> standardized attributes to be assessed and that assessor will likely already
> have these covered by vendor-specific attributes, in other words,
> we seem to be standardizing redundancy. On the network attachment
> side, it is possible, of course, that an offer of remediation could be made
> based on just the standard attributes, but it seems far more likely that
> it would be a two step process (assess standard attributes, then pass
> vendor-specific attributes to vendor plug-in). Again, if the vendor's
> attributes cover the standard attributes, then this is largely redundant
> and may add measurable latency; it seems far more likely that
> step one would simply be skipped if there were a vendor-specific string
> and an available plug-in. Since there has to be an assessor, the first
> seems very likely to me. If you don't have a vendor's plug-in, then
> I suppose there is some chance that you will trust and act based on
> the standard attributes, but the chance of getting the right remediation
> seems pretty slight in those circumstances. Especially when many
> vulnerabilities are a combination of conditions, (Browser version Foo on
> OS patch level Bar) that you could remediate by upgrading either one,
> checking for and acting on the attributes which could be standardized
> seems of very, very limited utility.

I think that most functions should be completed through vendor-specific attributes and standard attributes are only basic information.
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Ted Hardie <[EMAIL PROTECTED]> wrote on 10/08/2006 11:45:37 PM:
> [snip]
> my sense is that the very core of this work is a perceived
> need to be able to pass opaque strings between a host and the network
> prior to the host attaching.

Yes, that is the essence of this work which is what we need to remember and focus on. It will probably be applied for various purposes.

> Those opaque strings are, essentially,
> the vendor-specific strings currently associated with posture assessment.
> The standard protocol carrying these strings would connect on the network
> side to a system that has plug-ins which understand the vendor-specific
> strings.
>
> With a charter that clarified that this was intended to assist the end
> systems with vulnerabilities prior to attachment because the
> network they are attaching to might be filled with danger, I
> think this work would get done reasonably quickly. (As a control
> mechanism to protect the network, I agree with the point made
> clearly by others that this is not appropriate).
>

There seems to be confusion as to why people would want to do this. In one sense we can protect things by not giving compromised endpoints access to network-attached resources, including parts of the network itself. This application has caused significant discussion as to the security of the protocol and solutions using it, which promises to be a subject of debate for the near future. Another way of looking at this is that it allows customers to use the network to enforce endpoint compliance to policy and provide a convenient "place" to challenge endpoints, collect data from them, thus providing an audit trail.

> I am less sure of the task of standardizing attributes.
>
> I am not sure that the number of attributes which can be standardized
> will ever be high enough to be truly useful, and I am pretty sure
> that all of these will be already covered by vendor-specific attributes.
> Since there must be an assessor in place on the client for those few
> standardized attributes to be assessed and that assessor will likely already
> have these covered by vendor-specific attributes, in other words,
> we seem to be standardizing redundancy. On the network attachment
> side, it is possible, of course, that an offer of remediation could be made
> based on just the standard attributes, but it seems far more likely that
> it would be a two step process (assess standard attributes, then pass
> vendor-specific attributes to vendor plug-in). Again, if the vendor's
> attributes cover the standard attributes, then this is largely redundant
> and may add measurable latency; it seems far more likely that
> step one would simply be skipped if there were a vendor-specific string
> and an available plug-in. Since there has to be an assessor, the first
> seems very likely to me. If you don't have a vendor's plug-in, then
> I suppose there is some chance that you will trust and act based on
> the standard
> attributes, but the chance of getting the right remediation seems
> pretty slight in those circumstances. Especially when many vulnerabilities
> are a combination of conditions, (Browser version Foo on OS patch level Bar)
> that you could remediate by upgrading either one, checking for and
> acting on the attributes which could be standardized seems of very, very
> limited utility.
>

Standardized VS vendor-specific attributes is not something that needs to be solved today. Solutions can start with vendor-specific and migrate toward a standard, if one develops, without changing the protocol. The specification should not preclude the addition of standardized attributes. IE the specification is like an alphabet, attributes are like vocabulary. You can add new words without changing the letters.

> Ted Hardie

Frank Yeh
Re: Due process [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]
Brian - what constitutes 'disrupting the normal conversation of the list' - disagreeing with the management of the list? The issue isn't that I wasn't contributing - it was that the IPR and IP teams and the IETF process teams WILL NOT LET ME PARTICIPATE because I bring in non-engineering concerns with their IETF Operation's designs which makes them look like what they are - engineers instead of what they should be, Operations Research or HR trained people so that they can look at human dynamics better.

Your problem is that the LIST STRUCTURE of these entities DO NOT WANT ANYONE ELSE IN THE IETF TO KNOW WHAT THEY ARE DOING... What do you think would happen if a Broadcast Message was sent to the MEMBERSHIP of the IETF saying that the IPR WG was changing the LEGAL CONSTRAINTS that controlled their participation and that when it was done they would need to have their Sponsor's attorneys look it over to make sure it was 'clean' and appropriate for them to continue participating under the new rules.

By the way - if this IETF was audited - every one of my complaints would have been substantiated.

Todd Glassey

----- Original Message -----
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 12, 2006 2:55 AM
Subject: Due process [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]

> Noel Chiappa wrote:
>> > From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>>
>> >> it is better that we aren't copied because to do so would be unfair to
>> >> the complainer(s).
>>
>> > As much as I've sparred with Glassey in the past ... I think he's right
>> > in this case. In my opinion, any sort of disciplinary action needs to
>> > be *perceived* as fair. ... I think we do need to follow due process.
>>
>> I'm going to disagree with you on this. My reasoning is that the decision of
>> whether or not to suspend should be based almost entirely on the target
>> person's posts, so the identity (and, indeed, the number) of people
>> complaining is basically irrelevant.
>
> I see no failure of due process in the Sergeants At Arms stating that
> they have received a number of complaints about messages which were sent
> to a couple of thousand people. It isn't as if the complainers were
> making an attack on the sender of the messages; they were complaining
> that the messages were disrupting normal discussion on the list. Such
> complaints don't need to be public in order to be valid.
>
> I don't want to substitute my judgement for that of the Sergeants;
> but I think they have done the right thing.
>
> Brian
Due process [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]
Noel Chiappa wrote:
> > From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>
> >> it is better that we aren't copied because to do so would be unfair to
> >> the complainer(s).
>
> > As much as I've sparred with Glassey in the past ... I think he's right
> > in this case. In my opinion, any sort of disciplinary action needs to
> > be *perceived* as fair. ... I think we do need to follow due process.
>
> I'm going to disagree with you on this. My reasoning is that the decision of
> whether or not to suspend should be based almost entirely on the target
> person's posts, so the identity (and, indeed, the number) of people
> complaining is basically irrelevant.

I see no failure of due process in the Sergeants At Arms stating that
they have received a number of complaints about messages which were sent
to a couple of thousand people. It isn't as if the complainers were
making an attack on the sender of the messages; they were complaining
that the messages were disrupting normal discussion on the list. Such
complaints don't need to be public in order to be valid.

I don't want to substitute my judgement for that of the Sergeants;
but I think they have done the right thing.

Brian
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
I completely agree with Noel on every detail of these comments. And, no, I was not one of the complainers either. :-)

-- Eric

--> -----Original Message-----
--> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
--> Sent: Wednesday, October 11, 2006 11:26 AM
--> To: ietf@ietf.org
--> Cc: [EMAIL PROTECTED]
--> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
-->
--> > From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
-->
--> >> it is better that we aren't copied because to do so would be unfair to
--> >> the complainer(s).
-->
--> > As much as I've sparred with Glassey in the past ... I think he's right
--> > in this case. In my opinion, any sort of disciplinary action needs to
--> > be *perceived* as fair. ... I think we do need to follow due process.
-->
--> I'm going to disagree with you on this. My reasoning is that the decision of
--> whether or not to suspend should be based almost entirely on the target
--> person's posts, so the identity (and, indeed, the number) of people
--> complaining is basically irrelevant.
-->
--> The whole concept of "facing your accuser" came about because the accusers
--> usually made factual claims ("I saw Joe steal Frank's car"). Traditionally,
--> people wanted to be able to weigh the truthfulness of such claims by
--> observing the person making the assertion, and observing their response to
--> questioning. In addition, the target might know of some grudge that led the
--> accuser to make a false accusation. In this case, however, there is
--> absolutely no probative value coming from knowing *who* complained.
-->
--> To put it another way, I would hope if several people complained about some
--> reasonable post, the SaA(s) would independently review the post, and if they
--> thought it was reasonable, would take no action, the number or identity of
--> the complainers notwithstanding. The issue is not who complained - the issue
--> is the content of the posts - and that's all.
-->
--> Indeed, any minuscule probative value in knowing who complained is entirely
--> outweighed, IMO, by the possibility that making their identities public would
--> result in a campaign of harassment against them.
-->
--> And no, I was not one of the people who complained privately.
-->
-->
--> > I do agree that the Sergeants-at-Arms can act on their own volition,
--> > but if they do they should say so
-->
--> I have no problem with the SaA(s) disclosing whether or not they acted
--> entirely on their own bat, in response to complaints, or both. In addition, I
--> have no problem with them disclosing the number (if any) of complainers.
-->
--> However, I strenuously oppose making the names public, because the potential
--> harm in that (possibility for harassment, and also the possibility that
--> less-forthcoming people will sit on their hands rather than complain, if
--> their names have to be made public) far outweighs any possible value in
--> making them public. Indeed, it turns out that most police departments actually
--> have anonymous tip lines, for precisely these reasons (and others).
-->
-->
--> If the community decides to do elsewise, I offer myself up as an anonymizing
--> agent for any complaints to the SaA(s); i.e. I will forward any complaints
--> sent to me, as if they were my own, after removing the identity of the
--> former. If I can recruit a few other people to do the same, that will suffice
--> to avoid any issue with one person not being able to complain more than once.
-->
--> Noel
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Russ,

> -----Original Message-----
> From: Russ Housley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 11, 2006 7:19 AM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> Vidya:
>
> >I'm not sure that the charter actually needs to get into the modes at
> >all - I'm guessing what happens after NEA (i.e., what is done with the
> >results from NEA) has zero impact on any work being done in NEA itself.
> >So, why not simply state something like "Once NEA is conducted on an
> >endpoint, the results may be used by an organization in accordance with
> >any policies of the organization itself."?
>
> Discussions with the IAB and IESG prior to external review
> led to the addition of the modes discussion. The point is
> that some networks will demand compliance to grant full
> access, and other networks will simply notify the host that
> it is not in compliance. A host may not want to change the
> configuration to gain compliance. That is acceptable in the
> second case, but not the first.
>

I don't disagree with the above. But, I was mainly wondering what impact any of these decisions may have on NEA itself? Aren't these just post-NEA actions?

In general though, I have far fewer problems with this text than I do with the idea of NEA somehow protecting networks or NEA being performed on endpoints that are not owned by the organization performing NEA.

Regards,
Vidya

> Russ
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Russ - I agree that something like a global NEA is necessary - just not that a new protocol is necessary to implement it. So let me ask...

So then why not pass a new configuration mode model with SNMP - the point is that the idea of some agent that could actually collect these separate logs and service records from the various 'aspects of compliance' built into the operating models of the system in question is no new one. Tripwire does this already. COPS and FREMONT can be made to with CRON and their configuration files. SNORT, AIDE, heck they can even use SysLogNG as the transport for their log data, which might also make sense as an addition... Or SCP/SFTP if they wanted to.

The point is that while NEA is a good collective idea at the altitude the idea was hatched at, there are already things that do the NEA component functions today, and that can be aggregated together into a homogeneous utility environment without redesigning the wheel again.

I don't dispute that the end goal of what the creators of the NEA idea wanted to accomplish is not good. It is clearly. But the issue is whether it's necessary to have in the form they have proposed so far when other very similar and more widely deployed transports exist for the Inter-Nodal Communications Model that NEA purports to want to create.

Again - SNMP and Syslog/SysLogNG can do a lot of this already. Why not just add a Node-Integrity Reporting Process to either of them. From an Audit Perspective this would be a powerful addition to the SysLog protocols since it would better anchor them.

Just my 35c.

Todd Glassey

----- Original Message -----
From: "Russ Housley" <[EMAIL PROTECTED]>
To: "Narayanan, Vidya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; ;
Sent: Wednesday, October 11, 2006 7:18 AM
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)

> Vidya:
>
> >I'm not sure that the charter actually needs to get into the modes at
> >all - I'm guessing what happens after NEA (i.e., what is done with the
> >results from NEA) has zero impact on any work being done in NEA itself.
> >So, why not simply state something like "Once NEA is conducted on an
> >endpoint, the results may be used by an organization in accordance with
> >any policies of the organization itself."?
>
> Discussions with the IAB and IESG prior to external review led to
> the addition of the modes discussion. The point is that some
> networks will demand compliance to grant full access, and other
> networks will simply notify the host that it is not in
> compliance. A host may not want to change the configuration to gain
> compliance. That is acceptable in the second case, but not the first.
>
> Russ
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
----- Original Message -----
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: "Fleischman, Eric" <[EMAIL PROTECTED]>
Cc: "todd glassey" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
Sent: Wednesday, October 11, 2006 7:09 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> On Tue, 10 Oct 2006 17:10:50 -0700, "Fleischman, Eric"
> <[EMAIL PROTECTED]> wrote:
>
> > I'm sorry to enter this fray, but I'd like to point out that while I
> > respect Todd's request to know who is accusing him and why, the rest of
> > us don't need to be copied that information. In fact, it is better that
> > we aren't copied because to do so would be unfair to the complainer(s).

Eric - then talk to the SOAs - they posted the commentary as public notice - I just responded to it.

> >
> > Discipline is a difficult task to do fairly and because of this there
> > are many advantages in respectfully permitting the protagonists to have
> > privacy during key parts of the process.
> >
> As much as I've sparred with Glassey in the past (I suspended him from a
> WG mailing list, and was the target of an appeal to the IESG by him), I
> think he's right in this case.

Scary thought that, eh?

> In my opinion, any sort of disciplinary
> action needs to be *perceived* as fair. That may not be as much of an
> issue here -- the public record of Todd's postings is appallingly clear --
> but I think we do need to follow due process.
>
> I do agree that the Sergeants-at-Arms can act on their own volition,

Cool - when was this capability specifically placed into the IETF's Charter or the Job Description of the SOA? Who is accountable for that SOA's actions (including the party that appoints them)? And can they create policy to 'fit the moment' and if so how?

> but
> if they do they should say so; that gives the community grounds to judge
> their behavior.

And it also provides specific recourse in Courts against the IETF and that individual and their Sponsor.

>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> From: "Steven M. Bellovin" <[EMAIL PROTECTED]>

>> it is better that we aren't copied because to do so would be unfair to
>> the complainer(s).

> As much as I've sparred with Glassey in the past ... I think he's right
> in this case. In my opinion, any sort of disciplinary action needs to
> be *perceived* as fair. ... I think we do need to follow due process.

I'm going to disagree with you on this. My reasoning is that the decision of whether or not to suspend should be based almost entirely on the target person's posts, so the identity (and, indeed, the number) of people complaining is basically irrelevant.

The whole concept of "facing your accuser" came about because the accusers usually made factual claims ("I saw Joe steal Frank's car"). Traditionally, people wanted to be able to weigh the truthfulness of such claims by observing the person making the assertion, and observing their response to questioning. In addition, the target might know of some grudge that led the accuser to make a false accusation. In this case, however, there is absolutely no probative value coming from knowing *who* complained.

To put it another way, I would hope if several people complained about some reasonable post, the SaA(s) would independently review the post, and if they thought it was reasonable, would take no action, the number or identity of the complainers notwithstanding. The issue is not who complained - the issue is the content of the posts - and that's all.

Indeed, any minuscule probative value in knowing who complained is entirely outweighed, IMO, by the possibility that making their identities public would result in a campaign of harassment against them.

And no, I was not one of the people who complained privately.

> I do agree that the Sergeants-at-Arms can act on their own volition,
> but if they do they should say so

I have no problem with the SaA(s) disclosing whether or not they acted entirely on their own bat, in response to complaints, or both. In addition, I have no problem with them disclosing the number (if any) of complainers.

However, I strenuously oppose making the names public, because the potential harm in that (possibility for harassment, and also the possibility that less-forthcoming people will sit on their hands rather than complain, if their names have to be made public) far outweighs any possible value in making them public. Indeed, it turns out that most police departments actually have anonymous tip lines, for precisely these reasons (and others).

If the community decides to do elsewise, I offer myself up as an anonymizing agent for any complaints to the SaA(s); i.e. I will forward any complaints sent to me, as if they were my own, after removing the identity of the former. If I can recruit a few other people to do the same, that will suffice to avoid any issue with one person not being able to complain more than once.

Noel
Re: Complaints and complainers (Re: [Nea] WG Review: Network Endpoint Assessment (nea))
> Just FTR (and changing the subject, since this is not about NEA at all):
>
> I agree with the principle that the sergeants-at-arms are obliged to make up
> their own minds about whether or not a posting is inappropriate, and that
> they are responsible for their own decisions. Complaints are a means of
> calling their attention to a situation, nothing more.
>
> An IETF participant should not have to suffer rants and threats from a
> suspended person in his private email inbox just because he commented to a
> sergeant-at-arms that he found the person's postings offensive.
>
> I think the sergeants-at-arms have made the right call.

I agree with everything Harald says here. Analogies to court situations and the notion of "facing your accuser" are IMO entirely inappropriate. A better analogy is to the many mechanisms that exist in various other contexts for providing tips, suggestions, recommendations and complaints. In many of these cases anonymity is not only allowed, it is required. I don't think this is a case where anonymity is absolutely required, but it is definitely beneficial.

Ned
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Vidya:

> I'm not sure that the charter actually needs to get into the modes at
> all - I'm guessing what happens after NEA (i.e., what is done with the
> results from NEA) has zero impact on any work being done in NEA itself.
> So, why not simply state something like "Once NEA is conducted on an
> endpoint, the results may be used by an organization in accordance with
> any policies of the organization itself."?

Discussions with the IAB and IESG prior to external review led to the addition of the modes discussion. The point is that some networks will demand compliance to grant full access, and other networks will simply notify the host that it is not in compliance. A host may not want to change the configuration to gain compliance. That is acceptable in the second case, but not the first.

Russ
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Tue, 10 Oct 2006 17:10:50 -0700, "Fleischman, Eric" <[EMAIL PROTECTED]> wrote:

> I'm sorry to enter this fray, but I'd like to point out that while I
> respect Todd's request to know who is accusing him and why, the rest of
> us don't need to be copied that information. In fact, it is better that
> we aren't copied because to do so would be unfair to the complainer(s).
>
> Discipline is a difficult task to do fairly and because of this there
> are many advantages in respectfully permitting the protagonists to have
> privacy during key parts of the process.
>

As much as I've sparred with Glassey in the past (I suspended him from a WG mailing list, and was the target of an appeal to the IESG by him), I think he's right in this case. In my opinion, any sort of disciplinary action needs to be *perceived* as fair. That may not be as much of an issue here -- the public record of Todd's postings is appallingly clear -- but I think we do need to follow due process.

I do agree that the Sergeants-at-Arms can act on their own volition, but if they do they should say so; that gives the community grounds to judge their behavior.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
The Delete button [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]
Theodore Tso wrote:
> On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> > Hi Eric,
> >
> > I don't really agree with that. I've first the obligation to keep the
> > privacy about any email received in private. Of course, I can always suggest
> > that the people which complained in private speak up in the list, but I
> > don't think that noise will help anyone.
> >
> > If there is a need to review my decision, the body in charge of that
> > "appeal" will have the information about those complaints, of course.
>
> Note that while we may use complaints from the community about whether
> or not postings are inappropriate, in the end it is up to the
> Sergeant-at-Arms about whether or not postings are appropriate and form
> a pattern of abuse. And the postings from the accused are publicly
> available on mailing list archives, and can be judged on their own
> (dis-)merits. For that reason, I don't believe that there is any need to
> reveal private communications about complaints, since in the end, the
> final determination is and can be made by the postings in isolation.
>
> That being said, we do periodically check in with the IETF Chair, who
> appointed us and has the power to dismiss us, whether or not in his
> opinion, we are using the appropriate trigger levels for enforcing
> violations of RFC 3005.

And the Chair's opinion is that the Sergeants are using a light touch and are generally tolerant of a wide range of discourse.

I would however repeat once again that the easiest way to deal with irrelevant mail is the Delete button. It's quicker than the Reply button and has fewer unintended side effects.

Brian
Complaints and complainers (Re: [Nea] WG Review: Network Endpoint Assessment (nea))
Just FTR (and changing the subject, since this is not about NEA at all):

I agree with the principle that the sergeants-at-arms are obliged to make up their own minds about whether or not a posting is inappropriate, and that they are responsible for their own decisions. Complaints are a means of calling their attention to a situation, nothing more.

An IETF participant should not have to suffer rants and threats from a suspended person in his private email inbox just because he commented to a sergeant-at-arms that he found the person's postings offensive.

I think the sergeants-at-arms have made the right call.

Harald, who gets the rants anyway

Theodore Tso wrote:
> On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> > Hi Eric,
> >
> > I don't really agree with that. I've first the obligation to keep the
> > privacy about any email received in private. Of course, I can always suggest
> > that the people which complained in private speak up in the list, but I
> > don't think that noise will help anyone.
> >
> > If there is a need to review my decision, the body in charge of that
> > "appeal" will have the information about those complaints, of course.
>
> Note that while we may use complaints from the community about whether
> or not postings are inappropriate, in the end it is up to the
> Sergeant-at-Arms about whether or not postings are appropriate and form
> a pattern of abuse. And the postings from the accused are publicly
> available on mailing list archives, and can be judged on their own
> (dis-)merits. For that reason, I don't believe that there is any need to
> reveal private communications about complaints, since in the end, the
> final determination is and can be made by the postings in isolation.
>
> That being said, we do periodically check in with the IETF Chair, who
> appointed us and has the power to dismiss us, whether or not in his
> opinion, we are using the appropriate trigger levels for enforcing
> violations of RFC 3005.
>
> Regards,
>
> - Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> Hi Eric,
>
> I don't really agree with that. I've first the obligation to keep the
> privacy about any email received in private. Of course, I can always suggest
> that the people which complained in private speak up in the list, but I
> don't think that noise will help anyone.
>
> If there is a need to review my decision, the body in charge of that
> "appeal" will have the information about those complaints, of course.

Note that while we may use complaints from the community about whether or not postings are inappropriate, in the end it is up to the Sergeant-at-Arms about whether or not postings are appropriate and form a pattern of abuse. And the postings from the accused are publicly available on mailing list archives, and can be judged on their own (dis-)merits. For that reason, I don't believe that there is any need to reveal private communications about complaints, since in the end, the final determination is and can be made by the postings in isolation.

That being said, we do periodically check in with the IETF Chair, who appointed us and has the power to dismiss us, whether or not in his opinion, we are using the appropriate trigger levels for enforcing violations of RFC 3005.

Regards,

- Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Eric,

I don't really agree with that. I've first the obligation to keep the privacy about any email received in private. Of course, I can always suggest that the people which complained in private speak up in the list, but I don't think that noise will help anyone.

If there is a need to review my decision, the body in charge of that "appeal" will have the information about those complaints, of course.

If we as a community feel that this should work in a different way, we probably need to document/update the process used by the sergeant-at-arms.

Regards,
Jordi

> From: "Fleischman, Eric" <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 17:10:50 -0700
> To: todd glassey <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> Conversation: [Nea] WG Review: Network Endpoint Assessment (nea)
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> I'm sorry to enter this fray, but I'd like to point out that while I
> respect Todd's request to know who is accusing him and why, the rest of
> us don't need to be copied that information. In fact, it is better that
> we aren't copied because to do so would be unfair to the complainer(s).
>
> Discipline is a difficult task to do fairly and because of this there
> are many advantages in respectfully permitting the protagonists to have
> privacy during key parts of the process.
>
> -----Original Message-----
> From: todd glassey [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 10, 2006 4:51 PM
> To: [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>
> Yes actually you do - how does anyone complained against know who is
> complaining or why? - if the complaints are not public then the
> oversight is not real - it's a paper fiction - a lie in print.
>
> Speaking of lies in print this is why IETF complaints are addressed and
> penalties for them assessed before the appeal can be resolved - because
> the IETF's oversight policy and practice model is ineffective and set up
> to allow the IETF to exact whatever penalties it wants from individuals
> without the benefit of the appeal or the appeal process.
>
> So YES I want to know specifically who complained.
>
> Todd Glassey
>
> ----- Original Message -----
> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>;
> Sent: Tuesday, October 10, 2006 2:11 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>
>> Todd,
>>
>> People got very irritated with this type of messages and actually even
>> complain why I'm not more strict. I got at the time being already 3
>> new complaints after this message and obviously I don't need to justify
>> to you who is complaining.
>>
>> Clearly you crossed the line once more, and it took you only a few
>> seconds after getting my warning, so I just instructed the secretariat
>> to ban you for two weeks from now.
>>
>> And please, understand that I don't have anything personal, just
>> fulfilling my mission.
>>
>> Regards,
>> Jordi, acting as IETF Sergeant-at-arms
>>
>>
>>
>>
>>> From: todd glassey <[EMAIL PROTECTED]>
>>> Reply-To: <[EMAIL PROTECTED]>
>>> Date: Tue, 10 Oct 2006 12:42:30 -0700
>>> To: <[EMAIL PROTECTED]>, , "Contreras,
>>> Jorge" <[EMAIL PROTECTED]>
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>
>>> Who filed the complaints? If you are accusing me of something I have
>>> the right to know of what I am accused and by whom.
>>>
>>> Todd Glassey
>>>
>>> ----- Original Message -----
>>> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
>>> To: "todd glassey" <[EMAIL PROTECTED]>; <>
>>> Cc: <[EMAIL PROTECTED]>
>>> Sent: Tuesday, October 10, 2006 12:34 PM
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>
>>>
>>>> Todd,
>>>>
>>>> I've received several complaints from people that think that you are
>>>> crossing the limit again and being off-topic with this thread and I
>>>> seriously agree with them.
>>>>
>>>> Consequently I warn you. If you keep going on this, I will apply a
>>>> new ban (two weeks, as it will be your se
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
I'm sorry to enter this fray, but I'd like to point out that while I respect Todd's request to know who is accusing him and why, the rest of us don't need to be copied that information. In fact, it is better that we aren't copied because to do so would be unfair to the complainer(s).

Discipline is a difficult task to do fairly and because of this there are many advantages in respectfully permitting the protagonists to have privacy during key parts of the process.

-----Original Message-----
From: todd glassey [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 10, 2006 4:51 PM
To: [EMAIL PROTECTED]; ietf@ietf.org
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

Yes actually you do - how does anyone complained against know who is complaining or why? - if the complaints are not public then the oversight is not real - it's a paper fiction - a lie in print.

Speaking of lies in print this is why IETF complaints are addressed and penalties for them assessed before the appeal can be resolved - because the IETF's oversight policy and practice model is ineffective and set up to allow the IETF to exact whatever penalties it wants from individuals without the benefit of the appeal or the appeal process.

So YES I want to know specifically who complained.

Todd Glassey

----- Original Message -----
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>;
Sent: Tuesday, October 10, 2006 2:11 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> Todd,
>
> People got very irritated with this type of messages and actually even
> complain why I'm not more strict. I got at the time being already 3
> new complaints after this message and obviously I don't need to justify
> to you who is complaining.
>
> Clearly you crossed the line once more, and it took you only a few
> seconds after getting my warning, so I just instructed the secretariat
> to ban you for two weeks from now.
>
> And please, understand that I don't have anything personal, just fulfilling
> my mission.
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>
>
>
> > From: todd glassey <[EMAIL PROTECTED]>
> > Reply-To: <[EMAIL PROTECTED]>
> > Date: Tue, 10 Oct 2006 12:42:30 -0700
> > To: <[EMAIL PROTECTED]>, , "Contreras,
> > Jorge" <[EMAIL PROTECTED]>
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > Who filed the complaints? If you are accusing me of something I have
> > the right to know of what I am accused and by whom.
> >
> > Todd Glassey
> >
> > ----- Original Message -----
> > From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> > To: "todd glassey" <[EMAIL PROTECTED]>; <>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 10, 2006 12:34 PM
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> >
> >> Todd,
> >>
> >> I've received several complaints from people that think that you are
> >> crossing the limit again and being off-topic with this thread and I
> >> seriously agree with them.
> >>
> >> Consequently I warn you. If you keep going on this, I will apply a
> >> new ban (two weeks, as it will be your second one in a very short period of time).
> >>
> >> Regards,
> >> Jordi, acting as IETF Sergeant-at-arms
> >>
> >>
> >>
> >>
> >>> From: todd glassey <[EMAIL PROTECTED]>
> >>> Reply-To: <[EMAIL PROTECTED]>
> >>> Date: Tue, 10 Oct 2006 11:37:49 -0700
> >>> To: Theodore Tso <[EMAIL PROTECTED]>
> >>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>,
> >>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >>>
> >>> Hey Ted - the more I thought about this post of yours the more it
> >>> annoyed me. You see - when a WG chair doesn't want someone saying
> >>> something in their WG and they control the number of players in that
> >>> WG, they will always control the consensus such as it is.
> >>>
> >>> The point is that there is nowhere to permanently register a dissenting
> >>> opinion in an effort or IETF program now that you claim that the charter
> >>> for the IETF@IETF.ORG mailing list is restricted.
> >>>
> >>> The IETF needs IMHO one general list for everything that doesn't fall
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Yes actually you do - how does anyone complained against know who is complaining or why? If the complaints are not public then the oversight is not real - it's a paper fiction - a lie in print.

Speaking of lies in print, this is why IETF complaints are addressed and penalties for them assessed before the appeal can be resolved - because the IETF's oversight policy and practice model is ineffective and set up to allow the IETF to exact whatever penalties it wants from individuals without the benefit of the appeal or the appeal process.

So YES I want to know specifically who complained.

Todd Glassey

----- Original Message -----
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>;
Sent: Tuesday, October 10, 2006 2:11 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> Todd,
>
> People got very irritated with this type of messages and actually even complain why I'm not more strict. I got at the time being already 3 new complaints after this message and obviously I don't need to justify to you who is complaining.
>
> Clearly you crossed the line once more, and it took you only a few seconds after getting my warning, so just instructed the secretariat to ban you for two weeks from now.
>
> And please, understand that I don't have anything personal, just fulfilling my mission.
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>> From: todd glassey <[EMAIL PROTECTED]>
>> Reply-To: <[EMAIL PROTECTED]>
>> Date: Tue, 10 Oct 2006 12:42:30 -0700
>> To: <[EMAIL PROTECTED]>, , "Contreras, Jorge" <[EMAIL PROTECTED]>
>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>
>> Who filed the complaints? If you are accusing me of something I have the right to know of what I am accused and by whom.
>>
>> Todd Glassey
>>
>> ----- Original Message -----
>> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
>> To: "todd glassey" <[EMAIL PROTECTED]>; <>
>> Cc: <[EMAIL PROTECTED]>
>> Sent: Tuesday, October 10, 2006 12:34 PM
>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>
>>> Todd,
>>>
>>> I've received several complaints from people that think that you are crossing the limit again and being off-topic with this thread and I seriously agree with them.
>>>
>>> Consequently I warn you. If you keep going on this, I will apply a new ban (two weeks, as it will be your second one in a very short period of time).
>>>
>>> Regards,
>>> Jordi, acting as IETF Sergeant-at-arms
>>>
>>>> From: todd glassey <[EMAIL PROTECTED]>
>>>> Reply-To: <[EMAIL PROTECTED]>
>>>> Date: Tue, 10 Oct 2006 11:37:49 -0700
>>>> To: Theodore Tso <[EMAIL PROTECTED]>
>>>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>,
>>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>>
>>>> Hey Ted - the more I thought about this post of yours the more it annoyed me. You see - when a WG chair doesn't want someone saying something in their WG and they control the number of players in that WG, they will always control the consensus such as it is.
>>>>
>>>> The point is that there is nowhere to permanently register a dissenting opinion in an effort or IETF program now that you claim that the charter for the IETF@IETF.ORG mailing list is restricted.
>>>>
>>>> The IETF needs IMHO one general list for everything that doesn't fall under the rubric/charter/umbrella of some WG and their list, and personally after NETWORK was shutdown I thought that this was it.
>>>>
>>>> Todd Glassey
>>>>
>>>> ----- Original Message -----
>>>> From: "Theodore Tso" <[EMAIL PROTECTED]>
>>>> To: "todd glassey" <[EMAIL PROTECTED]>
>>>> Cc: <[EMAIL PROTECTED]>;
>>>> Sent: Monday, October 09, 2006 3:16 PM
>>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>>
>>>>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Todd,

People got very irritated with this type of messages and actually even complain why I'm not more strict. I got at the time being already 3 new complaints after this message and obviously I don't need to justify to you who is complaining.

Clearly you crossed the line once more, and it took you only a few seconds after getting my warning, so just instructed the secretariat to ban you for two weeks from now.

And please, understand that I don't have anything personal, just fulfilling my mission.

Regards,
Jordi, acting as IETF Sergeant-at-arms

> From: todd glassey <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 12:42:30 -0700
> To: <[EMAIL PROTECTED]>, , "Contreras, Jorge" <[EMAIL PROTECTED]>
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> Who filed the complaints? If you are accusing me of something I have the right to know of what I am accused and by whom.
>
> Todd Glassey
>
> ----- Original Message -----
> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>; <>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 10, 2006 12:34 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>> Todd,
>>
>> I've received several complaints from people that think that you are crossing the limit again and being off-topic with this thread and I seriously agree with them.
>>
>> Consequently I warn you. If you keep going on this, I will apply a new ban (two weeks, as it will be your second one in a very short period of time).
>>
>> Regards,
>> Jordi, acting as IETF Sergeant-at-arms
>>
>>> From: todd glassey <[EMAIL PROTECTED]>
>>> Reply-To: <[EMAIL PROTECTED]>
>>> Date: Tue, 10 Oct 2006 11:37:49 -0700
>>> To: Theodore Tso <[EMAIL PROTECTED]>
>>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>,
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>
>>> Hey Ted - the more I thought about this post of yours the more it annoyed me. You see - when a WG chair doesn't want someone saying something in their WG and they control the number of players in that WG, they will always control the consensus such as it is.
>>>
>>> The point is that there is nowhere to permanently register a dissenting opinion in an effort or IETF program now that you claim that the charter for the IETF@IETF.ORG mailing list is restricted.
>>>
>>> The IETF needs IMHO one general list for everything that doesn't fall under the rubric/charter/umbrella of some WG and their list, and personally after NETWORK was shutdown I thought that this was it.
>>>
>>> Todd Glassey
>>>
>>> ----- Original Message -----
>>> From: "Theodore Tso" <[EMAIL PROTECTED]>
>>> To: "todd glassey" <[EMAIL PROTECTED]>
>>> Cc: <[EMAIL PROTECTED]>;
>>> Sent: Monday, October 09, 2006 3:16 PM
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>
>>>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>>>>> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?
>>>>
>>>> If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.
>>>>
>>>> Your recent postings, alas, have not met this test.
>>>>
>>>>> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.
>>>>
>>>> First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. I
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Who filed the complaints? If you are accusing me of something I have the right to know of what I am accused and by whom.

Todd Glassey

----- Original Message -----
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; <>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, October 10, 2006 12:34 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> Todd,
>
> I've received several complaints from people that think that you are crossing the limit again and being off-topic with this thread and I seriously agree with them.
>
> Consequently I warn you. If you keep going on this, I will apply a new ban (two weeks, as it will be your second one in a very short period of time).
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>> From: todd glassey <[EMAIL PROTECTED]>
>> Reply-To: <[EMAIL PROTECTED]>
>> Date: Tue, 10 Oct 2006 11:37:49 -0700
>> To: Theodore Tso <[EMAIL PROTECTED]>
>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>,
>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>
>> Hey Ted - the more I thought about this post of yours the more it annoyed me. You see - when a WG chair doesn't want someone saying something in their WG and they control the number of players in that WG, they will always control the consensus such as it is.
>>
>> The point is that there is nowhere to permanently register a dissenting opinion in an effort or IETF program now that you claim that the charter for the IETF@IETF.ORG mailing list is restricted.
>>
>> The IETF needs IMHO one general list for everything that doesn't fall under the rubric/charter/umbrella of some WG and their list, and personally after NETWORK was shutdown I thought that this was it.
>>
>> Todd Glassey
>>
>> ----- Original Message -----
>> From: "Theodore Tso" <[EMAIL PROTECTED]>
>> To: "todd glassey" <[EMAIL PROTECTED]>
>> Cc: <[EMAIL PROTECTED]>;
>> Sent: Monday, October 09, 2006 3:16 PM
>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>
>>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>>>> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?
>>>
>>> If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.
>>>
>>> Your recent postings, alas, have not met this test.
>>>
>>>> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.
>>>
>>> First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. In general, you have been making various legal claims without being a lawyer, and fairly wild ones which make it very clear that you don't know what you are talking about. For what it's worth, be advised that I know of no legally enforceable "right" that you might have towards participating in any IETF forum, and certainly if you persist in sounding like someone who does not know what they are talking about, no one is required to listen to you, either --- and more and more people may in fact decide that it is wise for them to exercise their right to ignore you.
>>>
>>> Regards,
>>>
>>> - Ted
>
> **
> The IPv6 Portal: http://www.ipv6tf.org
>
> Bye 6Bone. Hi, IPv6 !
> http://www.ipv6day.org
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Todd,

I've received several complaints from people that think that you are crossing the limit again and being off-topic with this thread and I seriously agree with them.

Consequently I warn you. If you keep going on this, I will apply a new ban (two weeks, as it will be your second one in a very short period of time).

Regards,
Jordi, acting as IETF Sergeant-at-arms

> From: todd glassey <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 11:37:49 -0700
> To: Theodore Tso <[EMAIL PROTECTED]>
> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>,
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> Hey Ted - the more I thought about this post of yours the more it annoyed me. You see - when a WG chair doesn't want someone saying something in their WG and they control the number of players in that WG, they will always control the consensus such as it is.
>
> The point is that there is nowhere to permanently register a dissenting opinion in an effort or IETF program now that you claim that the charter for the IETF@IETF.ORG mailing list is restricted.
>
> The IETF needs IMHO one general list for everything that doesn't fall under the rubric/charter/umbrella of some WG and their list, and personally after NETWORK was shutdown I thought that this was it.
>
> Todd Glassey
>
> ----- Original Message -----
> From: "Theodore Tso" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>;
> Sent: Monday, October 09, 2006 3:16 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>>> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?
>>
>> If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.
>>
>> Your recent postings, alas, have not met this test.
>>
>>> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.
>>
>> First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. In general, you have been making various legal claims without being a lawyer, and fairly wild ones which make it very clear that you don't know what you are talking about. For what it's worth, be advised that I know of no legally enforceable "right" that you might have towards participating in any IETF forum, and certainly if you persist in sounding like someone who does not know what they are talking about, no one is required to listen to you, either --- and more and more people may in fact decide that it is wise for them to exercise their right to ignore you.
>>
>> Regards,
>>
>> - Ted

**
The IPv6 Portal: http://www.ipv6tf.org

Bye 6Bone. Hi, IPv6 !
http://www.ipv6day.org
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Hey Ted - the more I thought about this post of yours the more it annoyed me. You see - when a WG chair doesn't want someone saying something in their WG and they control the number of players in that WG, they will always control the consensus such as it is.

The point is that there is nowhere to permanently register a dissenting opinion in an effort or IETF program now that you claim that the charter for the IETF@IETF.ORG mailing list is restricted.

The IETF needs IMHO one general list for everything that doesn't fall under the rubric/charter/umbrella of some WG and their list, and personally after NETWORK was shutdown I thought that this was it.

Todd Glassey

----- Original Message -----
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>;
Sent: Monday, October 09, 2006 3:16 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?
>
> If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.
>
> Your recent postings, alas, have not met this test.
>
>> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.
>
> First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. In general, you have been making various legal claims without being a lawyer, and fairly wild ones which make it very clear that you don't know what you are talking about. For what it's worth, be advised that I know of no legally enforceable "right" that you might have towards participating in any IETF forum, and certainly if you persist in sounding like someone who does not know what they are talking about, no one is required to listen to you, either --- and more and more people may in fact decide that it is wise for them to exercise their right to ignore you.
>
> Regards,
>
> - Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
You know Ted you crack me up.

Todd Glassey

----- Original Message -----
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>;
Sent: Monday, October 09, 2006 3:16 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?
>
> If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.
>
> Your recent postings, alas, have not met this test.
>
>> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.
>
> First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. In general, you have been making various legal claims without being a lawyer, and fairly wild ones which make it very clear that you don't know what you are talking about. For what it's worth, be advised that I know of no legally enforceable "right" that you might have towards participating in any IETF forum, and certainly if you persist in sounding like someone who does not know what they are talking about, no one is required to listen to you, either --- and more and more people may in fact decide that it is wise for them to exercise their right to ignore you.
>
> Regards,
>
> - Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?

If you have a specific and actionable suggestion regarding IETF direction, policy, meetings, and procedures, where there is not a more appropriate e-mail venue (such as the IPR wg list), then it is certainly appropriate for the IETF list.

Your recent postings, alas, have not met this test.

> The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.

First Amendment rights only apply when the US Government restricts speech. It does not apply anywhere else. In general, you have been making various legal claims without being a lawyer, and fairly wild ones which make it very clear that you don't know what you are talking about. For what it's worth, be advised that I know of no legally enforceable "right" that you might have towards participating in any IETF forum, and certainly if you persist in sounding like someone who does not know what they are talking about, no one is required to listen to you, either --- and more and more people may in fact decide that it is wise for them to exercise their right to ignore you.

Regards,

- Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
So then Ted are you formally saying that it is inappropriate to discuss IETF operations or its processes on the IETF@IETF.ORG mailing list?

The problem with the IPR working group is simply that Harald kicks people off for disagreeing with him or his very limited charter. He doesn't want to hear about expanding the charter or how these other issues fit into the IPR Working Group and in doing so he is violating my and others' participatory rights as well as our First Amendment rights I believe too.

Todd Glassey.

----- Original Message -----
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Brian E Carpenter" <[EMAIL PROTECTED]>; ; <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 2:25 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> On Mon, Oct 09, 2006 at 01:54:51PM -0700, todd glassey wrote:
>> No you are wrong Ted, and it's pretty funny too. As it happens you are incorrect for saying that this is inappropriate for the IETF's lists.
>>
>> You need to dig farther into the WIPO Site and find all the State Signatures to the Treaties - it's them that the IETF is bound by whether it likes it or not. Since the countries through which the IETF's actions operate including the meetings, are all signatories to the WIPO Treaties you are exactly stuck with them.
>
> I said it was inappropriate for the IETF list. If you have specific ideas as they relate to the ipr working group, feel free to be specific about specific WIPO treaties that have resulted in national legislation, and specific changes to be made to IETF's IPR policies, feel free to make them on that list, but not on the main IETF list, please.
>
> Thanks,
>
> - Ted
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Jeff -

----- Original Message -----
From: "Jeffrey Hutzelman" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; "Narayanan, Vidya" <[EMAIL PROTECTED]>; ;
Cc: <[EMAIL PROTECTED]>; "Jeffrey Hutzelman" <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 1:48 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

>> Ah two new terms of Art - "Posture" and "Devices".
>
> I only see one. I believe "device" is a fairly well-understood term, though perhaps "node" would have been more appropriate in this context.
>
> However, I completely agree that this proposed charter uses the term "posture" far too often not to define it. I fail to see how whether my computer is sitting upright or lying on its side is relevant to whether it should be allowed access to the network.
>
> -- Jeff

OK Devices is really well defined in both a technical and legal sense per the Device based Frauds Act - the little brother of the CFAA. But in this instance I wanted to bring out the use of the misnomer "Posture" relative to a Device. The Device is what it is. The Posture is clearly a term for Operating Policy which includes change management, security/integrity proofing, and the general state-response policies that make up the controls and processes for the Entity in question.

The problem we both saw was the indiscriminate use of the term Posture to define a group of policies which were specific to a number of things that the Charter was trying to lay claim to.

I don't necessarily think the NEA is a bad idea - but it's about auditing and so it needs to be crafted as an audit tool and use audit speak in the process IMHO.

Todd Glassey
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Mon, Oct 09, 2006 at 01:54:51PM -0700, todd glassey wrote:
> No you are wrong Ted, and it's pretty funny too. As it happens you are incorrect for saying that this is inappropriate for the IETF's lists.
>
> You need to dig farther into the WIPO Site and find all the State Signatures to the Treaties - it's them that the IETF is bound by whether it likes it or not. Since the countries through which the IETF's actions operate including the meetings, are all signatories to the WIPO Treaties you are exactly stuck with them.

I said it was inappropriate for the IETF list. If you have specific ideas as they relate to the ipr working group, feel free to be specific about specific WIPO treaties that have resulted in national legislation, and specific changes to be made to IETF's IPR policies, feel free to make them on that list, but not on the main IETF list, please.

Thanks,

- Ted
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Harald Alvestrand wrote:

>> Posture checking is certainly a leaky bucket. It doesn't protect all kinds of endpoint, it doesn't protect the endpoints against all kinds of threats, and it doesn't protect much of anything against a smart, resourceful attacker who is deeply familiar with the NEA system in use and is interested in investing considerable resources in attacking or circumventing it.

NEA itself may not offer any protection, it is more an informational tool from my perspective. How that information may be used could lead to some protection but that would vary with each deployment.

>> But (to recycle a very old simile) the fact that I can open the locks of most doors with a crowbar doesn't mean that locks are not useful. Organizations that have deployed products that do something like what NEA is talking about have reported that their TCO is reduced.

In these days of information overload I still maintain, the more information available the better it is.

Darryl (Dassa) Lynch
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
No you are wrong Ted, and it's pretty funny too. As it happens you are incorrect for saying that this is inappropriate for the IETF's lists.

You need to dig farther into the WIPO Site and find all the State Signatures to the Treaties - it's them that the IETF is bound by whether it likes it or not. Since the countries through which the IETF's actions operate including the meetings, are all signatories to the WIPO Treaties you are exactly stuck with them.

Todd Glassey

----- Original Message -----
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Brian E Carpenter" <[EMAIL PROTECTED]>; ; <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 12:09 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
>> No it wasn't Brian - the WIPO IP Framework calls for a set of protections for Industrial Designs which ALL of the work that happens here is controlled by right? Otherwise, do you formally want to make a declaration as the IETF's Chair that the IETF and the ISOC are immune from Global IP Law and can pretty much do anything they want.
>
> Todd,
>
> According to the WIPO web site:
>
> "The World Intellectual Property Organization (WIPO) is a specialized agency of the United Nations. It is dedicated to developing a balanced and accessible international intellectual property (IP) system, which rewards creativity, stimulates innovation and contributes to economic development while safeguarding the public interest."
>
> What the WIPO might or might not call for might perhaps be of interest to various national legislative bodies, but it is completely out of scope for the IETF list.
>
> Regards,
>
> - Ted
> IETF Sergeant-at-Arms
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Wednesday, October 04, 2006 02:31:36 PM -0700 todd glassey <[EMAIL PROTECTED]> wrote:

> Vidya good commentary, maybe I can add some more. The NEA, per the charter-need's justification statement says:
>
>> Network Endpoint Assessment (NEA) architectures have been implemented in the industry to assess the "posture" of endpoint devices
>
> Ah two new terms of Art - "Posture" and "Devices".

I only see one. I believe "device" is a fairly well-understood term, though perhaps "node" would have been more appropriate in this context.

However, I completely agree that this proposed charter uses the term "posture" far too often not to define it. I fail to see how whether my computer is sitting upright or lying on its side is relevant to whether it should be allowed access to the network.

-- Jeff
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections for Industrial Designs which ALL of the work that happens here is controlled by right? Otherwise, do you formally want to make a declaration as the IETF's Chair that the IETF and the ISOC are immune from Global IP Law and can pretty much do anything they want.

Todd,

According to the WIPO web site:

"The World Intellectual Property Organization (WIPO) is a specialized agency of the United Nations. It is dedicated to developing a balanced and accessible international intellectual property (IP) system, which rewards creativity, stimulates innovation and contributes to economic development while safeguarding the public interest."

What the WIPO might or might not call for might perhaps be of interest to various national legislative bodies, but it is completely out of scope for the IETF list.

Regards,

- Ted
IETF Sergeant-at-Arms
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Susan,

> -Original Message-
> From: Susan Thomson (sethomso) [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 08, 2006 3:27 PM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> Hi Vidya
>
> Inline ...
>
> > How about adding this text - "It should be noted that the networks at large are exposed to attacks from lying endpoints and external entities attaching to the networks as well as any problems arising from unknown vulnerabilities on NEA compliant endpoints. Hence, NEA must not be considered a protection mechanism for networks. Further, mechanisms needed to protect the network from all kinds of vulnerabilities are expected to be a superset of any protection that may be achieved by employing NEA"?
>
> It seems to me that this better belongs in a security considerations section of the NEA spec, especially given where we are in the review cycle and the amount of time spent on this specific section already.

No, this text definitely needs to be on the charter. From the number of discussions even at this stage, it is clear that the charter lacks the clarity in this space. This is not text about a particular draft in NEA - it is about the scope of the WG.

> > That is not necessarily putting any requirements in the choice of the mandatory to implement protocol itself, as I see it. I believe that stating something like "The mandatory to implement PT protocol must be generic enough to allow the execution of the NEA procedure without forcing the need to re-execute network access procedures".
>
> I think protocol requirements belong in the requirements I-D.

The charter text elsewhere does get into performing NEA procedures at network access. Perhaps that could be removed from the charter too? If the charter only specified that the PT protocol was out of scope and left out any text about the timing of execution of the PT protocol w.r.t. network access, that would be fine.

> > Not only do I not see anything in the charter or milestones that indicates that the WG is going to spend time exploring this, I strongly believe this WG should not be spending any time looking at this. The trust models for the cases where the devices are not owned by the organization performing NEA are hugely different and can take up its own WG to actually find something that applies there, if at all. For one, this could be considered a violation of privacy by the user of the device. Secondly, the end user's perspective of attacks may be entirely different from the organization's perspective in this case. Third, I simply can't see what the organization's interests would be in protecting a device that doesn't even belong to it. Last but not the least, this requires the endpoint to be running an NEA client (that is interoperable with the NEA server of the organization) - which in itself is often an unrealistic requirement.
> >
> > Organizations that provide services in their networks to end users are worried about protecting their resources (i.e., networks, servers, etc.). As we have agreed, NEA does not protect such resources anyway. Plus, there is absolutely no reason such organizations should believe that devices they don't own are in fact, truthful endpoints.
> >
> > So, thinking that this WG must be looking into resolving this seems flawed at several levels. In the interest of having a focused WG that can get something useful accomplished, this does not make sense.
>
> No argument with your gist here. The point I was trying to make is that I think applicability may not be quite as "black and white" as your original text suggests, and it would be better if the applicability and security considerations associated with NEA be addressed in the WG and specified in the appropriate NEA documents.

This again is not necessarily a document-specific issue. It applies in general to anything that will be produced by this WG.

> The charter could express itself better in this regard. If the last sentence was replaced with something like: "NEA can be limited in its applicability when the endpoint and the organization providing network access are owned by different parties. NEA applicability and security consider
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections
> for Industrial Designs which ALL of the work that happens here is controlled
> by right?

I suppose you might consider ALL IETF work as protected or threatened by WIPO Industrial Designs [1] treaties if you first accept that "ALL" IETF work is ornamental.

But of course, the joke isn't funny if you have to explain it.

[1] http://www.wipo.int/designs/en/designs.html

--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area, covering topics from DNS to DDNS & DHCP. Email [EMAIL PROTECTED]
--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again."
-- Jack T. Hankins
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Darryl,

> >> It appears that the NEA charter is completely misleading to some people from what is stated in this email. As the NEA charter alludes to, NEA does nothing to protect against compromised devices. Also, as has been agreed, NEA is not a protection mechanism for the network - it is meant to be a protection mechanism for compliant, truthful and as yet uncompromised end hosts against known vulnerabilities.
>
> True the NEA doesn't "do" anything to protect against compromised devices but it does assist in limiting the known compromises on endpoint devices by being a mechanism for the checking and reporting on compliance to what ever network policy is in place including virus and patch levels.

I'm not sure what you mean by "known compromises" - did you mean known vulnerabilities? If so, yes - I was not questioning the role of NEA in dealing with known vulnerabilities on truthful endpoints. The discussion was about using NEA as a protection mechanism for the network and that doesn't make sense to me and as I understand from Susan, that is not the intention of the charter either.

> As a network administrator I already deploy mechanisms for doing just this, but at a higher level than the NEA charter indicates. To me the difference is between being reactive or proactive. Compliance testing I already run occurs after an end node has joined the network, with NEA the possibility is for compliance checking before being allowed onto the network so isolation and immediate remediation is possible.
>
> >> Any network, in its own best interests, must assume that it has lying and compromised endpoints connecting to it and that there are unknown vulnerabilities on any NEA-compliant devices connecting to it. Any kind of protection that addresses these general threats that the network may be exposed to at any time will simply obviate the need for NEA from the network perspective.
>
> Reliance on one protection or reporting mechanism is not enough. We need a lot of varied tools to cover all the bases and minimise risk.

This is repetition at this point - but, when a network has mechanisms to protect itself against lying endpoints and unknown vulnerabilities, that should cover protection against truthful ones with known vulnerabilities. Otherwise, the network is obviously not adequately protected against the broader set of threats. So, one would employ NEA in their networks to protect the end hosts attaching to the network, not the network itself.

> >> A network operator that thinks the network is getting any protection by employing NEA is clearly ignoring the obvious real threats that the network is exposed to at any time.
>
> No, NEA would just be one more tool used to improve overall security and minimise risk. It would be at a different level to the tools some of us already deploy.
>
> >> This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.
>
> I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.

That is a terrible approach to take, given how misleading the charter obviously has been to many. The charter must be clear about what the WG is doing and what is out of scope.

Vidya
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Fritz this is a much bigger issue than ANYONE thinks at this time and it's based on the idea that the WIPO standard says that the IETF MUST be doing Industrial Design IP Models, and it only does Copyright which is a violation of the WIPO IP protection framework and the treaties ALL of the Member States have signed. Interesting eh?

Todd Glassey

- Original Message -
From: "Fritz F. Saad" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; "Brian E Carpenter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>;
Sent: Monday, October 09, 2006 6:58 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> Todd,
>
> Agreed, we should work to fix that.
>
> Fritz.
>
> - Original Message -
> From: "todd glassey" <[EMAIL PROTECTED]>
> To: "Brian E Carpenter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>;
> Sent: Monday, October 09, 2006 7:17 AM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> > The IETF has an obligation to WIPO and to the DMCA and well - so far it's failed those pretty well I think.
> >
> > Todd Glassey
> >
> > - Original Message -
> > From: "Brian E Carpenter" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>;
> > Sent: Monday, October 09, 2006 2:07 AM
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > > > >>> This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.
> > > >
> > > > I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.
> > > >
> > > > Darryl (Dassa) Lynch
> > >
> > > The IETF has an obligation to "truth in advertising" so IMHO we should not claim protection that doesn't exist, even implicitly.
> > >
> > > Brian
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
No it wasn't Brian - the WIPO IP Framework calls for a set of protections for Industrial Designs which ALL of the work that happens here is controlled by right? Otherwise, do you formally want to make a declaration as the IETF's Chair that the IETF and the ISOC are immune from Global IP Law and can pretty much do anything they want.

Todd Glassey

- Original Message -
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To:
Cc: <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 7:31 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> > Agreed, we should work to fix that.
> > ...
> > > The IETF has an obligation to WIPO and to the DMCA
> > > ...
>
> I can only assume this was intended as some form of joke.
>
> Brian
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> > The IETF has an obligation to WIPO and to the DMCA
> > ...
>
> I can only assume this was intended as some form of joke.

Regardless of intent, it should be treated as such.

Keith
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> > Agreed, we should work to fix that.
> > ...
> > > The IETF has an obligation to WIPO and to the DMCA
> > > ...

I can only assume this was intended as some form of joke.

Brian
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Todd,

Agreed, we should work to fix that.

Fritz.

- Original Message -
From: "todd glassey" <[EMAIL PROTECTED]>
To: "Brian E Carpenter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>;
Sent: Monday, October 09, 2006 7:17 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> The IETF has an obligation to WIPO and to the DMCA and well - so far it's failed those pretty well I think.
>
> Todd Glassey
>
> - Original Message -
> From: "Brian E Carpenter" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>;
> Sent: Monday, October 09, 2006 2:07 AM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> > > >>> This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.
> > >
> > > I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.
> > >
> > > Darryl (Dassa) Lynch
> >
> > The IETF has an obligation to "truth in advertising" so IMHO we should not claim protection that doesn't exist, even implicitly.
> >
> > Brian
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
The IETF has an obligation to WIPO and to the DMCA and well - so far it's failed those pretty well I think.

Todd Glassey

- Original Message -
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>;
Sent: Monday, October 09, 2006 2:07 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> > >>> This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.
> >
> > I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.
> >
> > Darryl (Dassa) Lynch
>
> The IETF has an obligation to "truth in advertising" so IMHO we should not claim protection that doesn't exist, even implicitly.
>
> Brian
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> > This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.
>
> I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.
>
> Darryl (Dassa) Lynch

The IETF has an obligation to "truth in advertising" so IMHO we should not claim protection that doesn't exist, even implicitly.

Brian
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Vidya

Inline ...

> How about adding this text - "It should be noted that the networks at large are exposed to attacks from lying endpoints and external entities attaching to the networks as well as any problems arising from unknown vulnerabilities on NEA compliant endpoints. Hence, NEA must not be considered a protection mechanism for networks. Further, mechanisms needed to protect the network from all kinds of vulnerabilities are expected to be a superset of any protection that may be achieved by employing NEA"?

It seems to me that this better belongs in a security considerations section of the NEA spec, especially given where we are in the review cycle and the amount of time spent on this specific section already.

> > Bearing the original motivation in mind, would the following work better?
> > "An organization may make a range of policy decisions based on the posture of an endpoint. NEA is not intended to be prescriptive in this regard. For example, potential deployment scenarios may include, but are not limited to, providing normal access regardless of compliance with recommendations for remediation ("advisory mode"), as well as providing restricted access sufficient for remediation purposes and any essential services until an endpoint is in compliance ("mandatory mode").
>
> I'm not sure that the charter actually needs to get into the modes at all - I'm guessing what happens after NEA (i.e., what is done with the results from NEA) has zero impact on any work being done in NEA itself. So, why not simply state something like "Once NEA is conducted on an endpoint, the results may be used by an organization in accordance with any policies of the organization itself."?

Again, the text was added at the request of the security AD. I have no problem with Sam Hartman's modification to the text I proposed, your text above, or none at all.

> That is not necessarily putting any requirements in the choice of the mandatory to implement protocol itself, as I see it. I believe that stating something like "The mandatory to implement PT protocol must be generic enough to allow the execution of the NEA procedure without forcing the need to re-execute network access procedures".

I think protocol requirements belong in the requirements I-D.

> Not only do I not see anything in the charter or milestones that indicates that the WG is going to spend time exploring this, I strongly believe this WG should not be spending any time looking at this. The trust models for the cases where the devices are not owned by the organization performing NEA are hugely different and can take up its own WG to actually find something that applies there, if at all. For one, this could be considered a violation of privacy by the user of the device. Secondly, the end user's perspective of attacks may be entirely different from the organization's perspective in this case. Third, I simply can't see what the organization's interests would be in protecting a device that doesn't even belong to it. Last but not the least, this requires the endpoint to be running an NEA client (that is interoperable with the NEA server of the organization) - which in itself is often an unrealistic requirement.
>
> Organizations that provide services in their networks to end users are worried about protecting their resources (i.e., networks, servers, etc.). As we have agreed, NEA does not protect such resources anyway. Plus, there is absolutely no reason such organizations should believe that devices they don't own are in fact, truthful endpoints.
>
> So, thinking that this WG must be looking into resolving this seems flawed at several levels. In the interest of having a focused WG that can get something useful accomplished, this does not make sense.

No argument with your gist here. The point I was trying to make is that I think applicability may not be quite as "black and white" as your original text suggests, and it would be better if the applicability and security considerations associated with NEA be addressed in the WG and specified in the appropriate NEA documents.

The charter could express itself better in this regard. If the last sentence was replaced with something like: "NEA can be limited in its applicability when the endpoint and the organization providing network access are owned by different parties. NEA applicability and security considerations will be described in the appropriate NEA documents." Would this work?

Thanks
Susan
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Vidya

Narayanan, Vidya wrote:
>>> -Original Message-
>>> From: Susmit Panjwani [mailto:[EMAIL PROTECTED]
>>> Sent: Saturday, October 07, 2006 5:04 PM
>>> To: Harald Alvestrand
>>> Cc: Narayanan, Vidya; [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>
>>>>> Third, I simply can't see what the organization's interests would be in protecting a device that doesn't even belong to it.
>>>
>>>> An organization might not be interested in protecting a device that does not belong to it but would definitely be interested in preventing the attacks originating from such device (if compromised) when it joins the organization network.
>>
>> It appears that the NEA charter is completely misleading to some people from what is stated in this email. As the NEA charter alludes to, NEA does nothing to protect against compromised devices. Also, as has been agreed, NEA is not a protection mechanism for the network - it is meant to be a protection mechanism for compliant, truthful and as yet uncompromised end hosts against known vulnerabilities.

True the NEA doesn't "do" anything to protect against compromised devices but it does assist in limiting the known compromises on endpoint devices by being a mechanism for the checking and reporting on compliance to what ever network policy is in place including virus and patch levels. As a network administrator I already deploy mechanisms for doing just this, but at a higher level than the NEA charter indicates. To me the difference is between being reactive or proactive. Compliance testing I already run occurs after an end node has joined the network, with NEA the possibility is for compliance checking before being allowed onto the network so isolation and immediate remediation is possible.

>> Any network, in its own best interests, must assume that it has lying and compromised endpoints connecting to it and that there are unknown vulnerabilities on any NEA-compliant devices connecting to it. Any kind of protection that addresses these general threats that the network may be exposed to at any time will simply obviate the need for NEA from the network perspective.

Reliance on one protection or reporting mechanism is not enough. We need a lot of varied tools to cover all the bases and minimise risk.

>> A network operator that thinks the network is getting any protection by employing NEA is clearly ignoring the obvious real threats that the network is exposed to at any time.

No, NEA would just be one more tool used to improve overall security and minimise risk. It would be at a different level to the tools some of us already deploy.

>> This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.

I don't believe the Charter needs to delve into this at all. If some people see it as part of their protection mechanisms, so be it.

Darryl (Dassa) Lynch
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Lakshminath Dondeti wrote:
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
> > Many universities require their students to buy their own laptops, but prohibit certain types of activity from those laptops (like spamming, DDOS-attacks and the like). They would love to have the ability to run some kind of NEA procedure to ensure that laptops are reasonably virus-free and free from known vulnerabilities, and are important enough in their students' lives that they can probably enforce it without a complaint about "violation of privacy".
> >
> > Just pointing out that there's one use case with user-managed endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are discussing use cases, and so I guess it's on topic. Universities should be the last places to try antics like NEA. Whereas an operational network would be a priority to them, it is also important that they allow students to experiment with new applications. If we are believing that general purpose computing will be taken away from college students, we are indeed talking about a different world.
>
> In any event, the bottomline is NEA as a solution to "network protection" is a leaky bucket at best. NEA at best *may* raise the bar in attacking a "closed" network where endpoints are owned and tightly controlled by the organization that owns the network.

Posture checking is certainly a leaky bucket. It doesn't protect all kinds of endpoint, it doesn't protect the endpoints against all kinds of threats, and it doesn't protect much of anything against a smart, resourceful attacker who is deeply familiar with the NEA system in use and is interested in investing considerable resources in attacking or circumventing it.

But (to recycle a very old simile) the fact that I can open the locks of most doors with a crowbar doesn't mean that locks are not useful. Organizations that have deployed products that do something like what NEA is talking about have reported that their TCO is reduced.

Harald
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
> -Original Message-
> From: Lakshminath Dondeti [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 07, 2006 10:43 AM
> To: Harald Alvestrand; Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
> > Many universities require their students to buy their own laptops, but prohibit certain types of activity from those laptops (like spamming, DDOS-attacks and the like). They would love to have the ability to run some kind of NEA procedure to ensure that laptops are reasonably virus-free and free from known vulnerabilities, and are important enough in their students' lives that they can probably enforce it without a complaint about "violation of privacy".
> >
> > Just pointing out that there's one use case with user-managed endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are discussing use cases, and so I guess it's on topic. Universities should be the last places to try antics like NEA. Whereas an operational network would be a priority to them, it is also important that they allow students to experiment with new applications. If we are believing that general purpose computing will be taken away from college students, we are indeed talking about a different world.

I agree. Even in a controlled environment, there is bound to be software/hardware that does not quite support NEA or specific posture attributes. In a university environment, while some basic posture reporting is feasible, there is bound to be a lot of software/hardware that does not support any NEA parameters. The protection that even the endhost may be getting from NEA is quite limited.

> In any event, the bottomline is NEA as a solution to "network protection" is a leaky bucket at best.

The charter must be clarified to dispel this myth about NEA protecting the network from anything.

Vidya

> NEA at best *may* raise the bar in attacking a "closed" network where endpoints are owned and tightly controlled by the organization that owns the network.
>
> Lakshminath
>
> > Harald
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
> -Original Message-
> From: Susmit Panjwani [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 07, 2006 5:04 PM
> To: Harald Alvestrand
> Cc: Narayanan, Vidya; [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> > > Third, I simply can't see what the organization's interests would be in protecting a device that doesn't even belong to it.
>
> An organization might not be interested in protecting a device that does not belong to it but would definitely be interested in preventing the attacks originating from such device (if compromised) when it joins the organization network.

It appears that the NEA charter is completely misleading to some people from what is stated in this email. As the NEA charter alludes to, NEA does nothing to protect against compromised devices. Also, as has been agreed, NEA is not a protection mechanism for the network - it is meant to be a protection mechanism for compliant, truthful and as yet uncompromised end hosts against known vulnerabilities.

Any network, in its own best interests, must assume that it has lying and compromised endpoints connecting to it and that there are unknown vulnerabilities on any NEA-compliant devices connecting to it. Any kind of protection that addresses these general threats that the network may be exposed to at any time will simply obviate the need for NEA from the network perspective. A network operator that thinks the network is getting any protection by employing NEA is clearly ignoring the obvious real threats that the network is exposed to at any time.

This is what I meant when I said that the charter is unclear and it must explicitly state that NEA is not meant as a protection mechanism of any sort for the network.

Vidya

> To cite a study that we performed at UMD: we did a cost-benefit analysis based on the captured attacks from within the organization, and it turns out that the organization would benefit significantly if they implement any trusted network access technology.
>
> I do realize that there would be issues in terms of user privacy and interoperability (which this charter is trying to tackle) but just wanted to mention that there would be significant benefits if they can implement it. This is especially true for university environment. As a matter of fact I am aware of some universities/departments that were planning to implement a home grown solution for this.
>
> Susmit
>
> --
> Susmit Panjwani
> PhD Candidate,
> Center for Risk and Reliability,
> University of Maryland
> Cell: 240-460-9782
>
> On 10/7/06, Harald Alvestrand <[EMAIL PROTECTED]> wrote:
> > > > The reason we left it open is to allow the working group to spend more time exploring the range of use cases in this area to better determine requirements and applicability. For example, it may be useful to classify endpoints as network-managed versus user-managed versus 3rd-party managed. A user-managed endpoint may want the choice to opt in or opt out, say.
> > >
> > > Not only do I not see anything in the charter or milestones that indicates that the WG is going to spend time exploring this, I strongly believe this WG should not be spending any time looking at this. The trust models for the cases where the devices are not owned by the organization performing NEA are hugely different and can take up its own WG to actually find something that applies there, if at all. For one, this could be considered a violation of privacy by the user of the device. Secondly, the end user's perspective of attacks may be entirely different from the organization's perspective in this case. Third, I simply can't see what the organization's interests would be in protecting a device that doesn't even belong to it. Last but not the least, this requires the endpoint to be running an NEA client (that is interoperable with the NEA server of the organization) - which in itself is often an unrealistic requirement.
> >
> > Many universities require their students to buy their own laptops, but prohibit certain types of activity from those laptops (like spamming, DDOS-attacks and the like). They would love to have the ability to run some kind of NEA procedure to
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
On Oct 7, 2006, at 10:42 AM, Lakshminath Dondeti wrote:

> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>
> > Many universities require their students to buy their own laptops,
> > but prohibit certain types of activity from those laptops (like
> > spamming, DDOS-attacks and the like). They would love to have the
> > ability to run some kind of NEA procedure to ensure that laptops are
> > reasonably virus-free and free from known vulnerabilities, and are
> > important enough in their students' lives that they can probably
> > enforce it without a complaint about "violation of privacy".
> >
> > Just pointing out that there's one use case with user-managed
> > endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are
> discussing use cases, and so I guess it's on topic.
>
> Universities should be the last places to try antics like NEA. Whereas
> an operational network would be a priority to them, it is also
> important that they allow students to experiment with new
> applications. If we are believing that general purpose computing will
> be taken away from college students, we are indeed talking about a
> different world.
>
> In any event, the bottom line is NEA as a solution to "network
> protection" is a leaky bucket at best. NEA at best *may* raise the bar
> in attacking a "closed" network where endpoints are owned and tightly
> controlled by the organization that owns the network.

Services are currently offered that detect abnormal traffic, where users
are directed to scrubbing services suitable for ISPs or universities.
This is done through walled garden techniques. Once remediation is
completed, restrictions are removed. This does not depend upon specific
conformance standardization, but rather specialized utilities loaded
with a browser where restrictions are also applied. When the system in
question is not using a browser, other methods of notification of a need
for remediation are needed.

A standardized signaling of asserted conformance and a need for
remediation might be where this effort is best focused.

-Doug
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
At 01:42 AM 10/7/2006, Harald Alvestrand wrote:

> Many universities require their students to buy their own laptops, but
> prohibit certain types of activity from those laptops (like spamming,
> DDOS-attacks and the like). They would love to have the ability to run
> some kind of NEA procedure to ensure that laptops are reasonably
> virus-free and free from known vulnerabilities, and are important
> enough in their students' lives that they can probably enforce it
> without a complaint about "violation of privacy".
>
> Just pointing out that there's one use case with user-managed
> endpoints where NEA is not obviously a bad idea.

My email ventures into a bit of non-IETF territory, but we are
discussing use cases, and so I guess it's on topic.

Universities should be the last places to try antics like NEA. Whereas
an operational network would be a priority to them, it is also important
that they allow students to experiment with new applications. If we are
believing that general purpose computing will be taken away from college
students, we are indeed talking about a different world.

In any event, the bottom line is NEA as a solution to "network
protection" is a leaky bucket at best. NEA at best *may* raise the bar
in attacking a "closed" network where endpoints are owned and tightly
controlled by the organization that owns the network.

Lakshminath

> Harald
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Harald - get Microsoft to buy into this idea and it's done.

Todd Glassey

----- Original Message -----
From: "Harald Alvestrand" <[EMAIL PROTECTED]>
To: "Narayanan, Vidya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; ;
Sent: Saturday, October 07, 2006 1:42 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

> > Not only do I not see anything in the charter or milestones that
> > indicates that the WG is going to spend time exploring this, I
> > strongly believe this WG should not be spending any time looking at
> > this. The trust models for the cases where the devices are not owned
> > by the organization performing NEA are hugely different and can take
> > up its own WG to actually find something that applies there, if at
> > all. For one, this could be considered a violation of privacy by the
> > user of the device. Secondly, the end user's perspective of attacks
> > may be entirely different from the organization's perspective in
> > this case. Third, I simply can't see what the organization's
> > interests would be in protecting a device that doesn't even belong
> > to it. Last but not the least, this requires the endpoint to be
> > running an NEA client (that is interoperable with the NEA server of
> > the organization) - which in itself is often an unrealistic
> > requirement.
>
> Many universities require their students to buy their own laptops, but
> prohibit certain types of activity from those laptops (like spamming,
> DDOS-attacks and the like). They would love to have the ability to run
> some kind of NEA procedure to ensure that laptops are reasonably
> virus-free and free from known vulnerabilities, and are important
> enough in their students' lives that they can probably enforce it
> without a complaint about "violation of privacy".
>
> Just pointing out that there's one use case with user-managed
> endpoints where NEA is not obviously a bad idea.
>
> Harald
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> > The reason we left it open is to allow the working group to spend
> > more time exploring the range of use cases in this area to better
> > determine requirements and applicability. For example, it may be
> > useful to classify endpoints as network-managed versus user-managed
> > versus 3rd-party managed. A user-managed endpoint may want the
> > choice to opt in or opt out, say.
>
> Not only do I not see anything in the charter or milestones that
> indicates that the WG is going to spend time exploring this, I
> strongly believe this WG should not be spending any time looking at
> this. The trust models for the cases where the devices are not owned
> by the organization performing NEA are hugely different and can take
> up its own WG to actually find something that applies there, if at
> all. For one, this could be considered a violation of privacy by the
> user of the device. Secondly, the end user's perspective of attacks
> may be entirely different from the organization's perspective in this
> case. Third, I simply can't see what the organization's interests
> would be in protecting a device that doesn't even belong to it. Last
> but not the least, this requires the endpoint to be running an NEA
> client (that is interoperable with the NEA server of the organization)
> - which in itself is often an unrealistic requirement.

Many universities require their students to buy their own laptops, but
prohibit certain types of activity from those laptops (like spamming,
DDOS-attacks and the like). They would love to have the ability to run
some kind of NEA procedure to ensure that laptops are reasonably
virus-free and free from known vulnerabilities, and are important enough
in their students' lives that they can probably enforce it without a
complaint about "violation of privacy".

Just pointing out that there's one use case with user-managed endpoints
where NEA is not obviously a bad idea.

Harald
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Susan,

Please see inline.

> -----Original Message-----
> From: Susan Thomson (sethomso) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 12:22 PM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> Hi Vidya
>
> Thanks for your comments.
>
> Inline ...
>
> > -----Original Message-----
> > From: Narayanan, Vidya [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 04, 2006 12:48 PM
> > To: iesg@ietf.org
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > All,
> > Comments on the charter inline below.
> >
> > > -----Original Message-----
> > > From: IESG Secretary [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, October 02, 2006 7:30 AM
> > > To: ietf-announce@ietf.org
> > > Cc: [EMAIL PROTECTED]
> > > Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
> > >
> > > A new IETF working group has been proposed in the Security Area.
> > > The IESG has not made any determination as yet. The following
> > > draft charter was submitted, and is provided for informational
> > > purposes only.
> > > Please send your comments to the IESG mailing list
> > > (iesg@ietf.org) by October 9.
> > >
> > > +++
> > >
> > > Network Endpoint Assessment (nea)
> > > =================================
> > >
> > > Current Status: Proposed Working Group
> > >
> > > Chair(s):
> > > TBD
> > >
> > > Security Area Director(s):
> > > Russ Housley <[EMAIL PROTECTED]>
> > > Sam Hartman <[EMAIL PROTECTED]>
> > >
> > > Security Area Advisor:
> > > Russ Housley <[EMAIL PROTECTED]>
> > >
> > > Mailing List: [EMAIL PROTECTED]
> > >
> > > Description of Working Group:
> > >
> > > Network Endpoint Assessment (NEA) architectures have been
> > > implemented in the industry to assess the "posture" of endpoint
> > > devices for the purposes of monitoring compliance to an
> > > organization's posture policy and optionally restricting access
> > > until the endpoint has been updated to satisfy the posture
> > > requirements. An endpoint that does not comply with posture policy
> > > may be vulnerable to a number of known threats that may exist on
> > > the network. The intent of NEA is to facilitate corrective actions
> > > to address these known vulnerabilities before a host is exposed to
> > > potential attack.
> >
> > Is it fair to then say that NEA is attempting to protect the end
> > host and not necessarily the network?
>
> Yes, this is the focus.
>
> > That is not immediately clear in the charter. Obviously, the network
> > must deal with all kinds of known and unknown threats and a process
> > like NEA is inadequate to protect it at any acceptable level. That
> > is why we employ a number of other mechanisms like firewalls, access
> > control, packet filters, IDS/IPS, etc. in any combination to
> > appropriately protect the networks.
> >
> > So, stating that NEA is not attempting to protect the network at
> > large would bring a lot of clarity to the charter.
>
> Since we have been around the block a few times on this section, could
> you suggest precise text that you would like to see to make this
> clearer?

How about adding this text - "It should be noted that the networks at
large are exposed to attacks from lying endpoints and external entities
attaching to the networks as well as any problems arising from unknown
vulnerabilities on NEA compliant endpoints. Hence, NEA must not be
considered a protection mechanism for networks. Further, mechanisms
needed to protect the network from all kinds of vulnerabilities are
expected to be a superset of any protection that may be achieved by
employing NEA"?

> > > Two deployment scenarios will be supported: advisory mode and
> > > mandatory mode.
> > > In advisory mode, an endpoint may be advised of the result of
> > > posture assessment and any recommended remediation actions, but is
> > > provided normal network access regardless of the result. In
> > > mandatory mode, a non-compliant endpoint is given restricted
> > > access to the network sufficient for remediation purposes and
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>>>> "Susan" == Susan Thomson (sethomso) <[EMAIL PROTECTED]> writes:

    Susan> regard. For example, potential deployment scenarios may
    Susan> include, but are not limited to, providing normal access

Drop the "may include". You want to have at least one or two deployments
that you commit to solving to check your requirements against. You can
have "include but are not limited" if you like.

    Susan> regardless of compliance with recommendations for
    Susan> remediation ("advisory mode"), as well as providing
    Susan> restricted access sufficient for remediation purposes and
    Susan> any essential services until an endpoint is in compliance
    Susan> ("mandatory mode").

I express no preference on whether or not the new or old text is better.
I just want to commit to at least one deployment.
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
Hi Vidya

Thanks for your comments.

Inline ...

> -----Original Message-----
> From: Narayanan, Vidya [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 12:48 PM
> To: iesg@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> All,
> Comments on the charter inline below.
>
> > -----Original Message-----
> > From: IESG Secretary [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 02, 2006 7:30 AM
> > To: ietf-announce@ietf.org
> > Cc: [EMAIL PROTECTED]
> > Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > A new IETF working group has been proposed in the Security Area.
> > The IESG has not made any determination as yet. The following
> > draft charter was submitted, and is provided for informational
> > purposes only.
> > Please send your comments to the IESG mailing list
> > (iesg@ietf.org) by October 9.
> >
> > +++
> >
> > Network Endpoint Assessment (nea)
> > =================================
> >
> > Current Status: Proposed Working Group
> >
> > Chair(s):
> > TBD
> >
> > Security Area Director(s):
> > Russ Housley <[EMAIL PROTECTED]>
> > Sam Hartman <[EMAIL PROTECTED]>
> >
> > Security Area Advisor:
> > Russ Housley <[EMAIL PROTECTED]>
> >
> > Mailing List: [EMAIL PROTECTED]
> >
> > Description of Working Group:
> >
> > Network Endpoint Assessment (NEA) architectures have been
> > implemented in the industry to assess the "posture" of endpoint
> > devices for the purposes of monitoring compliance to an
> > organization's posture policy and optionally restricting access
> > until the endpoint has been updated to satisfy the posture
> > requirements. An endpoint that does not comply with posture policy
> > may be vulnerable to a number of known threats that may exist on the
> > network. The intent of NEA is to facilitate corrective actions to
> > address these known vulnerabilities before a host is exposed to
> > potential attack.
>
> Is it fair to then say that NEA is attempting to protect the end host
> and not necessarily the network?

Yes, this is the focus.

> That is not immediately clear in the charter. Obviously, the network
> must deal with all kinds of known and unknown threats and a process
> like NEA is inadequate to protect it at any acceptable level. That is
> why we employ a number of other mechanisms like firewalls, access
> control, packet filters, IDS/IPS, etc. in any combination to
> appropriately protect the networks.
>
> So, stating that NEA is not attempting to protect the network at large
> would bring a lot of clarity to the charter.

Since we have been around the block a few times on this section, could
you suggest precise text that you would like to see to make this
clearer?

> > Two deployment scenarios will be supported: advisory mode and
> > mandatory mode.
> > In advisory mode, an endpoint may be advised of the result of
> > posture assessment and any recommended remediation actions, but is
> > provided normal network access regardless of the result. In
> > mandatory mode, a non-compliant endpoint is given restricted access
> > to the network sufficient for remediation purposes and any essential
> > services or denied access completely.
>
> It is unclear how the advisory vs mandatory model relates to the NEA
> procedures itself. NEA is attempting to provide a vehicle to perform
> some compliance tests on acceptable "postures". What the network
> decides to do with that information seems entirely dependent on the
> policy of the network and the extent of non-compliance, etc. What does
> it mean to say that NEA *allows* an advisory and/or a mandatory model?

Yes, it is a matter of policy. We have had other input as well that
indicates this text is causing confusion. We added this text in
consultation with our AD to reinforce the notion that NEA did not
necessarily imply enforcement, and that things like emergency services
could be made available regardless of the outcome of posture assessment.
The intention is not to be prescriptive about an organization's policy
in any way.

Bearing the original motivation in mind, would the following work
better?

"An organization may make a range of policy decisions based on the
posture of an endpoint. NEA is not intended to be prescriptive in this
regard. For example, potential deployment scenarios may include, but are
not limited to, providing normal access regardless of compliance
Re: [Nea] WG Review: Network Endpoint Assessment (nea)
Vidya good commentary, maybe I can add some more.

The NEA, per the charter-need's justification statement says:

> > Network Endpoint Assessment (NEA) architectures have been implemented
> > in the industry to assess the "posture" of endpoint devices

Ah two new terms of Art - "Posture" and "Devices".

> > for the purposes of monitoring compliance to an organization's
> > posture policy

Here again we have Posturing... but now it's a policy. The policy of
dancing or what? So is this posture relative to the Security Policy? Or
how about the Operations Integrity Policy? And is the Posture erect or
is it rolling on the floor laughing ones ...

> > and optionally restricting access until the endpoint has been updated

This is a statement of effect rather than describing the thing itself.
This comment is specific to what the design of the NEA would do and not
what the NEA is but what the hey... So then this 'thingee', the 'Posture
manager', is something that is an agent that lives in the computer to
make sure it's doing what it's supposed to and has all of the stuff it's
supposed to be, right?

So the NEA seems to be an integrity management and compliance agent
right? Which means you want to go to blows with Tripwire and the Change
Management Integrity of Operations people too? Nice... Tripwire and Aide
seem to be things that do that - Fremont and COPS too. The configuration
management is Titan and YASSP or other hardening scripts. The logging
and setup for managing the logging is already in place too. So where
does this 'compliance assurance thingee' live in that array?

> > to satisfy the posture requirements.

Again - I gotta mention that you are doing a lot of posturing there...

So guys - here we go again - which posture is it this time??? bent over
backwards or what?

> > An endpoint that does not comply with posture policy may be
> > vulnerable to a number of known threats that may exist on the
> > network.

And here we have the justification for the service proposed in the
charter statement... come on guys...

> > The intent of NEA is to facilitate corrective actions to address
> > these known vulnerabilities before a host is exposed to potential
> > attack.

Ahhh... Inline and continuous hardening and reporting. So then is this
the creation of the IETF's version of an embedded Titan or YASSP? Does
that really make sense? If it does, why not just run Titan and YASSP
through SNMP, or buy Tripwire, or use Aide and SNORT, or ... you get my
point I hope.

Try this:

"The NEA is a process and methodology to integrate ongoing integrity and
process refinement into the operations of network services. The
principal goal of the NEA is a higher set of reporting models to support
those required by today's network operators for their IT Infrastructure
Integrity Programs"

And the process statement:

"To facilitate this goal, the NEA provides Audit and Systemic
Integrity/Change Management as integrated features and provides proper
evidentiary models to support this under whatever level of scrutiny is
required. Scrutiny including as formal evidence with Chain of Custody
issues to address as well"

and finally:

"To accomplish these ends, the NEA may use pieces of other services or
technologies in creating this Open Framework for operating integrity and
its evidentiary documentation."

Todd Glassey

----- Original Message -----
From: "Narayanan, Vidya" <[EMAIL PROTECTED]>
To: ;
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 04, 2006 9:58 AM
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)

All,
Comments on the charter inline below.

> -----Original Message-----
> From: IESG Secretary [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 02, 2006 7:30 AM
> To: ietf-announce@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> A new IETF working group has been proposed in the Security Area.
> The IESG has not made any determination as yet. The following draft
> charter was submitted, and is provided for informational purposes
> only.
> Please send your comments to the IESG mailing list
> (iesg@ietf.org) by October 9.
>
> +++
>
> Network Endpoint Assessment (nea)
> =================================
>
> Current Status: Proposed Working Group
>
> Chair(s):
> TBD
>
> Security Area Director(s):
> Russ Housley <[EMAIL PROTECTED]>
> Sam Hartman <[EMAIL PROTECTED]>
>
> Security Area Advisor:
> Russ Housley <[EMAIL PROTECTED]>
>
> Mailing List: [EMAIL PROTECTED]
>
> Description of Working Group:
>
> Network Endpoint Assessment (NEA) architectures have been implemented
> in the industry to assess the "posture" of endpoint devices for the
> purposes of monitoring com
RE: [Nea] WG Review: Network Endpoint Assessment (nea)
All,
Comments on the charter inline below.

> -----Original Message-----
> From: IESG Secretary [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 02, 2006 7:30 AM
> To: ietf-announce@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> A new IETF working group has been proposed in the Security Area.
> The IESG has not made any determination as yet. The following draft
> charter was submitted, and is provided for informational purposes
> only.
> Please send your comments to the IESG mailing list
> (iesg@ietf.org) by October 9.
>
> +++
>
> Network Endpoint Assessment (nea)
> =================================
>
> Current Status: Proposed Working Group
>
> Chair(s):
> TBD
>
> Security Area Director(s):
> Russ Housley <[EMAIL PROTECTED]>
> Sam Hartman <[EMAIL PROTECTED]>
>
> Security Area Advisor:
> Russ Housley <[EMAIL PROTECTED]>
>
> Mailing List: [EMAIL PROTECTED]
>
> Description of Working Group:
>
> Network Endpoint Assessment (NEA) architectures have been implemented
> in the industry to assess the "posture" of endpoint devices for the
> purposes of monitoring compliance to an organization's posture policy
> and optionally restricting access until the endpoint has been updated
> to satisfy the posture requirements. An endpoint that does not comply
> with posture policy may be vulnerable to a number of known threats
> that may exist on the network. The intent of NEA is to facilitate
> corrective actions to address these known vulnerabilities before a
> host is exposed to potential attack.

Is it fair to then say that NEA is attempting to protect the end host
and not necessarily the network? That is not immediately clear in the
charter. Obviously, the network must deal with all kinds of known and
unknown threats and a process like NEA is inadequate to protect it at
any acceptable level. That is why we employ a number of other mechanisms
like firewalls, access control, packet filters, IDS/IPS, etc. in any
combination to appropriately protect the networks.

So, stating that NEA is not attempting to protect the network at large
would bring a lot of clarity to the charter.

> Two deployment scenarios will be supported: advisory mode and
> mandatory mode.
> In advisory mode, an endpoint may be advised of the result of posture
> assessment and any recommended remediation actions, but is provided
> normal network access regardless of the result. In mandatory mode, a
> non-compliant endpoint is given restricted access to the network
> sufficient for remediation purposes and any essential services or
> denied access completely.

It is unclear how the advisory vs mandatory model relates to the NEA
procedures itself. NEA is attempting to provide a vehicle to perform
some compliance tests on acceptable "postures". What the network decides
to do with that information seems entirely dependent on the policy of
the network and the extent of non-compliance, etc. What does it mean to
say that NEA *allows* an advisory and/or a mandatory model?

> Posture refers to the hardware or software configuration of an
> endpoint as it pertains to an organization's security policy. Posture
> may include knowledge that software installed to protect the machine
> (e.g. patch management software, anti-virus software, host firewall
> software, host intrusion protection software or any custom software)
> is enabled and up-to-date.
>
> On network access and while connected, an endpoint supporting NEA
> protocols can be queried for such posture information in either
> advisory or mandatory modes.

Again, what does it mean to be queried in a particular mode?

> Since NEA involves many different components from different vendors,
> interoperation

s/interoperation/interoperability

> is highly desirable. The priority of the NEA working group is to
> standardize protocols at the higher layers in the architectures:
> the Posture Attribute protocol (PA) and the Posture Broker protocol
> (PB).
> PA and PB will be designed to support a variety of lower layer
> protocols.
> When used with standards for lower layers, these new protocols will
> allow interoperability between an NEA Client from one vendor and an
> NEA Server from another.

This seems like an optimistic goal. Given that only a subset of
attributes are envisioned to be standardized and given that the kind of
attributes are likely to be ever increasing, considering that posture
refers to hardware/software configuration of an endpoint, I fail to see
how we would practically get NEA clients and NEA servers from different
vendors to perform any meaningful NEA procedures. In theory, I can see
how this can be slated to be a goal - but, I have to believe that
reality would be different.

> Since there are already several non-standard protocols at these higher
> layers, the NEA working group will consider these existing protocols
> as candidates for standardization. A
> requirements
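As an added illustration of the charter text discussed in this thread (not code from the thread, the charter, or any NEA implementation), here is a toy server-side posture evaluator for the "advisory" and "mandatory" modes: it checks self-reported posture attributes against a policy, reports attributes it has no policy for (a vendor-specific one, echoing the point about only a subset of attributes being standardized), and decides the resulting access. The attribute namespaces, names, policy values and sample postures are all constructed for the example; as the comments note, the evaluator trusts whatever the client asserts, which is exactly why it protects an honest host rather than the network.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Mode(Enum):
    ADVISORY = "advisory"    # result and advice only; access unchanged
    MANDATORY = "mandatory"  # non-compliant endpoints get restricted or denied


class Access(Enum):
    NORMAL = "normal"
    RESTRICTED = "restricted"  # remediation resources and essential services only
    DENIED = "denied"


AttrKey = Tuple[str, str]  # (namespace, attribute name)
STD = "std"  # stands in for a standardised attribute namespace (constructed)


@dataclass
class Policy:
    required: Dict[AttrKey, object]  # attributes that must be reported with this value
    min_patch_level: int             # std:patch-level must be at least this
    deny_when_unreportable: bool = False  # mandatory mode: deny if required attrs absent


@dataclass
class Assessment:
    compliant: bool
    access: Access
    remediation: List[str] = field(default_factory=list)
    unevaluated: List[str] = field(default_factory=list)


def assess(posture: Dict[AttrKey, object], policy: Policy, mode: Mode) -> Assessment:
    """Evaluate self-reported posture against policy under the given mode.

    `posture` is whatever the endpoint's NEA client asserted. Nothing here can
    verify those assertions, so a lying or compromised client passes trivially:
    the check protects an honest but unpatched host, not the network behind it.
    """
    remediation: List[str] = []
    unevaluated: List[str] = []
    absent = False

    # Attributes from a namespace the server has no policy for cannot be
    # evaluated; report them back rather than silently dropping them.
    for ns, name in posture:
        if ns != STD and (ns, name) not in policy.required:
            unevaluated.append(f"{ns}:{name}")

    for key, wanted in policy.required.items():
        ns, name = key
        if key not in posture:
            absent = True
            remediation.append(f"report {ns}:{name}")
        elif posture[key] != wanted:
            remediation.append(f"set {ns}:{name} to {wanted!r} (reported {posture[key]!r})")

    level = posture.get((STD, "patch-level"))
    if not isinstance(level, int):
        absent = True
        remediation.append("report std:patch-level")
    elif level < policy.min_patch_level:
        remediation.append(f"apply patches up to level {policy.min_patch_level}")

    compliant = not remediation
    if mode is Mode.ADVISORY or compliant:
        access = Access.NORMAL      # advisory mode never changes access
    elif absent and policy.deny_when_unreportable:
        access = Access.DENIED
    else:
        access = Access.RESTRICTED  # enough for remediation and essential services
    return Assessment(compliant, access, remediation, unevaluated)


# Constructed policy and sample postures, as an NEA client might assert them.
POLICY = Policy(
    required={(STD, "av-enabled"): True, (STD, "host-firewall"): True},
    min_patch_level=42,
    deny_when_unreportable=True,
)
GOOD = {(STD, "av-enabled"): True, (STD, "host-firewall"): True, (STD, "patch-level"): 42}
STALE = {(STD, "av-enabled"): True, (STD, "host-firewall"): False, (STD, "patch-level"): 40,
         ("vendor-x", "hips-version"): "3.1"}
SILENT = {(STD, "av-enabled"): True}  # client that omits most required attributes

if __name__ == "__main__":
    for label, posture in (("good", GOOD), ("stale", STALE), ("silent", SILENT)):
        for mode in Mode:
            r = assess(posture, POLICY, mode)
            print(f"{label:6} {mode.value:9} -> {r.access.value:10} {r.remediation} {r.unevaluated}")
```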