RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-23 Thread Khosravi, Hormuzd M
Sam,

I believe if we move 'quickly' in this WG we will be able to meet
interoperability goals to a certain extent at least. The bottom-line is
this technology is already being deployed by different vendors in
academia and enterprises. The question is should IETF get involved in
standardizing this or leave it to the individual vendors. I believe the
IETF should and that standardization will certainly help the community,
if we can move fast enough.

The recent email by Jari Arkko to standardize some of the EAP methods
which are being used and deployed today but for which no RFCs exist is
certainly a step in the right direction.

My 2 cents,
Hormuzd

-Original Message-
From: Sam Hartman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 13, 2006 12:43 PM
To: Frank Yeh Jr
Cc: Ted Hardie; [EMAIL PROTECTED]; ietf@ietf.org
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)

>>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:

Frank> Standardized VS vendor-specific attributes is not something
Frank> that needs to be solved today. Solutions can start with
Frank> vendor-specific and migrate toward a standard, if one develops,
Frank> without changing the protocol. The specification should not
Frank> preclude the addition of standardized attributes. IE the
Frank> specification is like an alphabet, attributes are like
Frank> vocabulary. You can add new words without changing the letters.


One of the things coming out of the most recent BOF was a strong
desire for PA-level interoperability.  That can be accomplished
through standardized attributes or vendor-specific attributes that are
sufficiently well documented (and not subject to patents) that third
parties can implement collectors or analysis tools that interoperate
with the vendor tools for the vendor attributes.

Will we be able to meet these interoperability goals?  Why or why not?


___
Nea mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/nea

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-19 Thread Stephen Hanna
Ted Hardie wrote:
> For the charter discussions, I want to know whether it will
> be an aim of the working group to standardize:
>
> * a way of carrying this information
> * the structure of this information (but not its content)
> * a standard representation of the content, so that access to the
vendor database
>   is no longer required

I believe that we'll need to define all three of these.
There may be times when access to an external database
would be useful (if you want to know exactly which viruses
are covered by which AV defs version, for example) but
such access should not be required to use the standard
attributes.

Thanks,

Steve



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-18 Thread Leif Johansson

>> Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
>> people have deployed today to solve the lying-client-problem by scanning
>> for common/current vulnerabilities as part of the network admission
>> process will have to interface with PDPs that are part of a NEA
>> infrastructure.
>
> Could you rephrase please?  I am afraid I don't understand what you
> are saying.
>
It has been pointed out on this list that the main deliverable from NEA
might well turn out to be the way host postures are described - the
schema if you will. I'm positive that if someone deploys NEA/NAP/NAC etc
the admin will want to combine data from the on-client posture client
with information from external IDS (etc) services to a common Policy
Decision Point. That means that a reason to do NEA is to get this schema
standardized even if some people who care about lying clients never use
and/or trust client posture clients.
> Oh, and lying endpoint problem cannot be solved by scanning for common
> vulnerabilities!  In fact, the two have no relation whatsoever.
They have the single relation of both expressing claims about the state
of a host.  

   Cheers Leif





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 Thread Douglas Otis


On Oct 17, 2006, at 11:22 AM, Eliot Lear wrote:


> I would think that five or six values are appropriate:
>
>   1. Vendor name (string)
>   2. Vendor engine version (integer)
>   3. Vendor virus definitions version (integer)
>   4. Enabled? (binary)
>   5. Buggered? (binary)
>   6. Other gobbledigook the vendor wants to include that might get
>      standardized later. (blob)


This still seems like too much.  Information offered for access can
be contained within one or more certificates.  The information
within these certificates should be limited to a minimal set of values:

1) creator
2) class
3) user-host
4) time-stamp
5) update resources

The essential information would be the creator/class/user-host/time-stamp
fields.  When protection is not enabled or is buggered, then a
newer certificate should not be offered.  The virus definitions or
patch updates can be deduced from the time-stamp or by extensions
added to class, i.e. AVX-VISTA-37.  If a vulnerability is reported
subsequent to the time-stamp regarding the creator/class of service,
then a new certificate could be required.  This would simplify
tracking at the access point.  By keeping the information exchanged
and decisions limited to this minimal information, NEA should provide
a valuable service in many environments.


Perhaps there should be some consideration given regarding which sets
of certificates are offered in various environments.  Allowing the
certificates to be accessed beyond an authentication process seems to
increase security exposures.  As this information is not trustworthy,
there would also be little gained by sharing this information
elsewhere.  In fact, sharing this information may increase infection
rates when this aids malware.


-Doug





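Doug's minimal certificate above (creator, class, user-host, time-stamp, with a newer certificate required once a vulnerability is reported after the time-stamp) lends itself to a short worked check. The Python below is an added example, not code from this thread or from any NEA implementation: an access point that refuses a posture certificate when it is older than an assumed maximum age, or when a known advisory for that creator/class postdates it. The field names, the advisory table, the seven-day limit, exact matching of the class string and the constructed dates are all this example's assumptions.

```python
"""Added example: freshness check of a minimal NEA posture certificate at an
access point.  Field names, the advisory table, the maximum age and the
sample dates are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple


@dataclass(frozen=True)
class PostureCert:
    creator: str          # who made the assertion, e.g. the AV vendor
    klass: str            # class of service, possibly with extensions, e.g. AVX-VISTA-37
    user_host: str        # the endpoint the assertion is about
    timestamp: datetime   # when the assertion was made (timezone-aware UTC)


class AccessPoint:
    """Tracks, per (creator, class), the date of the most recent advisory and
    decides whether an offered certificate is still acceptable."""

    def __init__(self, advisories: Dict[Tuple[str, str], datetime], max_age: timedelta) -> None:
        self.advisories = advisories   # (creator, class) -> latest advisory date
        self.max_age = max_age         # certificates older than this are refused outright

    def check(self, cert: PostureCert, now: datetime) -> Tuple[bool, str]:
        """Return (admit, reason).  The class string is matched exactly against
        the advisory table (an assumption; a deployment might match on a prefix)."""
        if cert.timestamp > now:
            return False, "time-stamp in the future"
        if now - cert.timestamp > self.max_age:
            return False, "certificate too old"
        latest = self.advisories.get((cert.creator, cert.klass))
        if latest is not None and latest > cert.timestamp:
            # A vulnerability was reported after the assertion was made: the
            # endpoint must obtain a newer certificate before it is admitted.
            return False, f"advisory of {latest.date()} postdates certificate; renew"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run four constructed certificates through one access point."""
    utc = timezone.utc
    now = datetime(2006, 10, 17, 12, 0, tzinfo=utc)            # constructed clock
    ap = AccessPoint(
        advisories={("ExampleAV", "AVX-VISTA-37"): datetime(2006, 10, 15, tzinfo=utc)},
        max_age=timedelta(days=7),
    )

    def cert(ts: datetime) -> PostureCert:
        return PostureCert("ExampleAV", "AVX-VISTA-37", "host-1.example", ts)

    return {
        "fresh": ap.check(cert(datetime(2006, 10, 16, tzinfo=utc)), now),
        "before_advisory": ap.check(cert(datetime(2006, 10, 14, tzinfo=utc)), now),
        "too_old": ap.check(cert(datetime(2006, 10, 1, tzinfo=utc)), now),
        "future": ap.check(cert(datetime(2006, 10, 18, tzinfo=utc)), now),
    }


if __name__ == "__main__":
    for name, (admit, reason) in demo().items():
        print(f"{name:16s} {'admit' if admit else 'refuse'}: {reason}")
```

The point of the `before_advisory` case is Doug's rule in code: a certificate that is otherwise fresh is still refused because the advisory table for that creator/class moved after the assertion was made, so the access point only ever has to compare two dates rather than interpret vendor-specific content.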


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 Thread Ted Hardie
At 8:22 PM +0200 10/17/06, Eliot Lear wrote:
> I would think that five or six values are appropriate:
>
>  1. Vendor name (string)
>  2. Vendor engine version (integer)
>  3. Vendor virus definitions version (integer)
>  4. Enabled? (binary)
>  5. Buggered? (binary)
>  6. Other gobbledigook the vendor wants to include that might get
> standardized later. (blob)
>
>I could envision 3 being a bit of an issue if it is possible to update 
>specific viruses but not others.

Thanks for this.  I was assuming we were talking primarily about a "1 and 3"
combined value.  As it stands now, you need access to the vendor's database
to know what viruses are covered by any specific version (your 3).  For the
charter discussions, I want to know whether it will be an aim of the working
group to standardize:

* a way of carrying this information
* the structure of this information (but not its content)
* a standard representation of the content, so that access to the vendor
  database is no longer required

The tasks are substantially different in scope, and the level of interoperability
the community can expect from them is similarly different.

regards,
Ted Hardie



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 Thread Eliot Lear

Ted,

> Sorry, but doesn't "AV status" above refer to the existing, proprietary
> anti-virus systems?  How does standardizing an attribute for carrying
> that help create a standardized understanding of what it means?  Don't I
> still have to treat that as, essentially, a vendor attribute, since I
> have to know which vendor statuses cover which vulnerabilities?
>
> Or do you mean "there is some anti-virus software here"?



I would think that five or six values are appropriate:

  1. Vendor name (string)
  2. Vendor engine version (integer)
  3. Vendor virus definitions version (integer)
  4. Enabled? (binary)
  5. Buggered? (binary)
  6. Other gobbledigook the vendor wants to include that might get
 standardized later. (blob)

I could envision 3 being a bit of an issue if it is possible to update 
specific viruses but not others.


I would expect the normal enterprise administrator to be able to act on 
the first 5.  The 6th is there as a placeholder.  I'm not sure I'd trust 
5 if it's false.  I'd also suggest we're well into solving the problem 
at this point.


Eliot



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 Thread Ted Hardie
At 2:04 AM -0400 10/17/06, Stephen Hanna wrote:
> > Will we be able to meet these interoperability goals?  Why or why not?
>
>Yes, we can. If we define a small set of standardized attributes
>(OS and app version, AV status, etc.) and make them mandatory to
>implement,

Sorry, but doesn't "AV status" above refer to the existing, proprietary
anti-virus systems?  How does standardizing an attribute for carrying
that help create a standardized understanding of what it means?  Don't I
still have to treat that as, essentially, a vendor attribute, since I
have to know which vendor statuses cover which vulnerabilities?

Or do you mean "there is some anti-virus software here"?

Ted Hardie



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-17 Thread Lakshminath Dondeti

At 12:00 AM 10/17/2006, Khosravi, Hormuzd M wrote:

> Sam,
>
> I believe if we move 'quickly' in this WG we will be able to meet
> interoperability goals to a certain extent at least. The bottom-line is
> this technology is already being deployed by different vendors in
> academia and enterprises. The question is should IETF get involved in
> standardizing this or leave it to the individual vendors. I believe the
> IETF should and that standardization will certainly help the community,
> if we can move fast enough.


Whereas interoperability is a noble goal, the IETF also has the good 
habit of clearly specifying what our protocols do and don't do.  Our 
bar is thankfully higher than marketing literature for example.



> The recent email by Jari Arkko to standardize some of the EAP methods
> which are being used and deployed today but for which no RFCs exist is
> certainly a step in the right direction.


Good example actually: 3748 contains brutal truths about some of the 
legacy EAP methods, for instance on MD5-Challenge -- which no one 
should really be using for access control -- it says:


Auth. mechanism:   Password or pre-shared key.
Ciphersuite negotiation:   No
Mutual authentication: No
Integrity protection:  No
Replay protection: No
Confidentiality:   No
Key derivation:No
Key strength:  N/A
Dictionary attack prot.:   No
Fast reconnect:No
Crypt. binding:N/A
Session independence:  N/A
Fragmentation: No
Channel binding:   No

In other words, someone who uses that protocol gets zilch!  Now of 
course, in the "real" world, a variant of this protocol was used and 
soon after publicly demonstrated to be useless.


best regards,
Lakshminath



> My 2 cents,
> Hormuzd





RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-16 Thread Stephen Hanna
Vidya Narayanan wrote:
> I am very apprehensive of achieving any meaningful PA-level
> interoperability. I am not sure what minimum set of PA attributes will
> be standardized, but, whatever that set is, I doubt will be sufficient
> to provide any acceptable level of security, even for the endpoints.

This is not surprising, since you have said that you don't see
any security value to NEA.

> Even assuming ongoing standardization of vendor specific attributes, it
> is not totally realistic to assume that all applications will support
> the appropriate attributes. The rate of standardization is also very
> likely to be much slower than the rate of the growth in the number of
> attributes needed for any continued meaningful protection.

NEA is not based on applications supporting attributes.
Attributes are supported by Posture Collectors and
Posture Validators, specialized NEA components. An AV
Posture Collector will handle attributes pertaining
to AV, perhaps by interfacing with an existing AV
application. Still, I agree that a given endpoint
will typically only support a small subset of the
universe of possible attributes. Not a problem.
As long as the endpoint supports enough attributes
that the Posture Broker can evaluate its compliance
with the posture policy, that's enough.

Thanks,

Steve

-Original Message-
From: Narayanan, Vidya [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 5:06 PM
To: Sam Hartman; Frank Yeh Jr
Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)

Sam, 

> -Original Message-
> From: Sam Hartman [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 13, 2006 12:43 PM
> To: Frank Yeh Jr
> Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> >>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:
> 
> Frank> Standardized VS vendor-specific attributes is not something
> Frank> that needs to be solved today. Solutions can start with
> Frank> vendor-specific and migrate toward a standard, if one develops,
> Frank> without changing the protocol. The specification should not
> Frank> preclude the addition of standardized attributes. IE the
> Frank> specification is like an alphabet, attributes are like
> Frank> vocabulary. You can add new words without changing the letters.
> 
> 
> One of the things coming out of the most recent BOF was a 
> strong desire for PA-level interoperability.  That can be 
> accomplished through standardized attributes or 
> vendor-specific attributes that are sufficiently well 
> documented (and not subject to patents) that third parties 
> can implement collectors or analysis tools that interoperate 
> with the vendor tools for the vendor attributes.
> 
> Will we be able to meet these interoperability goals?  Why or why not?
> 

I am very apprehensive of achieving any meaningful PA-level
interoperability. I am not sure what minimum set of PA attributes will
be standardized, but, whatever that set is, I doubt it will be sufficient
to provide any acceptable level of security, even for the endpoints.
Even assuming ongoing standardization of vendor specific attributes, it
is not totally realistic to assume that all applications will support
the appropriate attributes. The rate of standardization is also very
likely to be much slower than the rate of the growth in the number of
attributes needed for any continued meaningful protection. 

Regards,
Vidya



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-16 Thread Stephen Hanna
Sam Hartman wrote:
> One of the things coming out of the most recent BOF was a 
> strong desire for PA-level interoperability.  That can be 
> accomplished through standardized attributes or 
> vendor-specific attributes that are sufficiently well 
> documented (and not subject to patents) that third parties 
> can implement collectors or analysis tools that interoperate 
> with the vendor tools for the vendor attributes.
> 
> Will we be able to meet these interoperability goals?  Why or why not?

Yes, we can. If we define a small set of standardized attributes
(OS and app version, AV status, etc.) and make them mandatory to
implement, then we will have interoperability with respect to
those attributes. We should allow the definition of attributes
that go beyond this minimal standard mandatory to implement (MTI)
set but the MTI set will provide a baseline of information
available for all endpoints that implement NEA.

Thanks,

Steve

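Steve's two messages above describe a Posture Broker that checks an endpoint against a posture policy over a small mandatory-to-implement (MTI) attribute set, while Eliot Lear's list higher up on this page gives five concrete standard AV values plus an opaque vendor blob, and Ted Hardie elsewhere in the thread describes network-side plug-ins that understand the vendor-specific strings. The Python below is an added example, not code from this thread or from any NEA product, putting those three ideas together: a toy broker evaluates the standard attributes itself and hands the vendor blob to a plug-in registered for that vendor. The attribute and policy names, the constructed blob format and the signature identifier are this example's assumptions; the `stale_defs` case shows Ted's point that the MTI definitions version alone cannot say which viruses are covered, only the vendor's plug-in (its "database") can.

```python
"""Added example: a toy NEA Posture Broker.  The attribute set, the policy
shape, the vendor blob format and the signature id are assumptions made for
this example; no real NEA implementation or vendor format is reproduced."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class AvPosture:
    """Standard (MTI) AV attributes 1-5 plus the opaque vendor blob (6)."""
    vendor: str                          # 1. vendor name
    engine_version: int                  # 2. vendor engine version
    defs_version: int                    # 3. virus definitions version
    enabled: bool                        # 4. protection enabled?
    tampered: bool                       # 5. "buggered?" self-report
    vendor_blob: Optional[bytes] = None  # 6. opaque to the broker


@dataclass
class AvPolicy:
    min_engine_version: int
    min_defs_version: int


@dataclass
class Verdict:
    compliant: bool
    reasons: List[str] = field(default_factory=list)  # why the endpoint failed
    notes: List[str] = field(default_factory=list)    # checks that could not be run


# A vendor plug-in understands one vendor's blob and returns findings that
# make the endpoint non-compliant (an empty list means nothing wrong).
VendorPlugin = Callable[[bytes], List[str]]


class PostureBroker:
    def __init__(self, policy: AvPolicy) -> None:
        self.policy = policy
        self.plugins: Dict[str, VendorPlugin] = {}

    def register_plugin(self, vendor: str, plugin: VendorPlugin) -> None:
        self.plugins[vendor] = plugin

    def evaluate(self, p: AvPosture) -> Verdict:
        v = Verdict(compliant=True)
        # Attribute 5 is a self-report: "true" is actionable, "false" proves
        # nothing about a lying endpoint, so only the positive case is used.
        if p.tampered:
            v.reasons.append("AV reports tampering")
        if not p.enabled:
            v.reasons.append("AV protection disabled")
        if p.engine_version < self.policy.min_engine_version:
            v.reasons.append(f"engine {p.engine_version} below required {self.policy.min_engine_version}")
        if p.defs_version < self.policy.min_defs_version:
            v.reasons.append(f"definitions {p.defs_version} below required {self.policy.min_defs_version}")
        # Attribute 6 is only meaningful to a plug-in for that vendor.  Without
        # one, the blob is skipped and the verdict records that, rather than
        # failing an endpoint for something the broker cannot read.
        if p.vendor_blob is not None:
            plugin = self.plugins.get(p.vendor)
            if plugin is None:
                v.notes.append(f"vendor blob from {p.vendor} not evaluated: no plug-in")
            else:
                v.reasons.extend(plugin(p.vendor_blob))
        v.compliant = not v.reasons
        return v


# Constructed blob format for this example only: "sig=<id>,<id>,...;" lists the
# signature identifiers the installed definitions cover.  A real vendor blob is
# opaque and documented by the vendor.
REQUIRED_SIGNATURE = "SIG-EXAMPLE-0001"  # placeholder identifier


def example_vendor_plugin(blob: bytes) -> List[str]:
    fields = dict(part.split("=", 1) for part in blob.decode("ascii").split(";") if "=" in part)
    covered = {s for s in fields.get("sig", "").split(",") if s}
    if REQUIRED_SIGNATURE not in covered:
        return [f"definitions do not cover {REQUIRED_SIGNATURE}"]
    return []


def demo() -> Dict[str, Verdict]:
    """Evaluate four constructed endpoints and return their verdicts."""
    broker = PostureBroker(AvPolicy(min_engine_version=5, min_defs_version=1200))
    broker.register_plugin("ExampleAV", example_vendor_plugin)
    endpoints = {
        "healthy": AvPosture("ExampleAV", 6, 1250, True, False,
                             b"sig=SIG-EXAMPLE-0001,SIG-EXAMPLE-0002;"),
        # Passes every standard check; only the plug-in can see that the
        # required signature is missing from these definitions.
        "stale_defs": AvPosture("ExampleAV", 6, 1250, True, False,
                                b"sig=SIG-EXAMPLE-0002;"),
        "tampered": AvPosture("ExampleAV", 6, 1250, True, True, None),
        # Unknown vendor: standard checks still run, the blob is skipped with a note.
        "unknown_vendor": AvPosture("OtherAV", 9, 4000, True, False, b"\x00\x01"),
    }
    return {name: broker.evaluate(p) for name, p in endpoints.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        state = "compliant" if verdict.compliant else "NON-COMPLIANT"
        print(f"{name:15s} {state} {verdict.reasons} {verdict.notes}")
```

Two design choices match the discussion: a missing plug-in produces a note rather than a failure, so the MTI baseline still yields a verdict for every endpoint that implements it, and a third party who documents its blob format can supply a plug-in without changing the broker or the protocol, which is the "alphabet versus vocabulary" separation Frank Yeh argues for later on this page.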


RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-16 Thread Narayanan, Vidya
Sam, 

> -Original Message-
> From: Sam Hartman [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 13, 2006 12:43 PM
> To: Frank Yeh Jr
> Cc: Hardie, Ted; [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> >>>>> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:
> 
> Frank> Standardized VS vendor-specific attributes is not something
> Frank> that needs to be solved today. Solutions can start with
> Frank> vendor-specific and migrate toward a standard, if one develops,
> Frank> without changing the protocol. The specification should not
> Frank> preclude the addition of standardized attributes. IE the
> Frank> specification is like an alphabet, attributes are like
> Frank> vocabulary. You can add new words without changing the letters.
> 
> 
> One of the things coming out of the most recent BOF was a 
> strong desire for PA-level interoperability.  That can be 
> accomplished through standardized attributes or 
> vendor-specific attributes that are sufficiently well 
> documented (and not subject to patents) that third parties 
> can implement collectors or analysis tools that interoperate 
> with the vendor tools for the vendor attributes.
> 
> Will we be able to meet these interoperability goals?  Why or why not?
> 

I am very apprehensive of achieving any meaningful PA-level
interoperability. I am not sure what minimum set of PA attributes will
be standardized, but, whatever that set is, I doubt it will be sufficient
to provide any acceptable level of security, even for the endpoints.
Even assuming ongoing standardization of vendor specific attributes, it
is not totally realistic to assume that all applications will support
the appropriate attributes. The rate of standardization is also very
likely to be much slower than the rate of the growth in the number of
attributes needed for any continued meaningful protection. 

Regards,
Vidya



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-16 Thread Lakshminath Dondeti

At 01:46 AM 10/16/2006, Leif Johansson wrote:

> Lakshminath Dondeti wrote:
>> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>>>
>>> Many universities require their students to buy their own laptops,
>>> but prohibit certain types of activity from those laptops (like
>>> spamming, DDOS-attacks and the like). They would love to have the
>>> ability to run some kind of NEA procedure to ensure that laptops are
>>> reasonably virus-free and free from known vulnerabilities, and are
>>> important enough in their students' lives that they can probably
>>> enforce it without a complaint about "violation of privacy".
>>>
>>> Just pointing out that there's one use case with user-managed
>>> endpoints where NEA is not obviously a bad idea.
>>
>> My email ventures into a bit of non-IETF territory, but we are
>> discussing use cases, and so I guess it's on topic.  Universities
>> should be the last places to try antics like NEA.  Whereas an
>> operational network would be a priority to them, it is also important
>> that they allow students to experiment with new applications.  If we
>> are believing that general purpose computing will be taken away from
>> college students, we are indeed talking about a different world.
>>
>> In any event, the bottom line is NEA as a solution to "network
>> protection" is a leaky bucket at best.
>>
>> NEA at best *may* raise the bar in attacking a "closed" network where
>> endpoints are owned and tightly controlled by the organization that
>> owns the network.
>>
> Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
> people have deployed today to solve the lying-client-problem by scanning
> for common/current vulnerabilities as part of the network admission
> process will have to interface with PDPs that are part of a NEA
> infrastructure.


Could you rephrase please?  I am afraid I don't understand what you 
are saying.


Oh, and lying endpoint problem cannot be solved by scanning for 
common vulnerabilities!  In fact, the two have no relation whatsoever.


Lakshminath



> Cheers Leif





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-16 Thread Leif Johansson
Lakshminath Dondeti wrote:
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>>> 
>> Many universities require their students to buy their own laptops,
>> but prohibit certain types of activity from those laptops (like
>> spamming, DDOS-attacks and the like). They would love to have the
>> ability to run some kind of NEA procedure to ensure that laptops are
>> reasonably virus-free and free from known vulnerabilities, and are
>> important enough in their students' lives that they can probably
>> enforce it without a complaint about "violation of privacy".
>>
>> Just pointing out that there's one use case with user-managed
>> endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are
> discussing use cases, and so I guess it's on topic.  Universities
> should be the last places to try antics like NEA.  Whereas an
> operational network would be a priority to them, it is also important
> that they allow students to experiment with new applications.  If we
> are believing that general purpose computing will be taken away from
> college students, we are indeed talking about a different world.
>
> In any event, the bottomline is NEA as a solution to "network
> protection" is a leaky bucket at best.
>
> NEA at best *may* raise the bar in attacking a "closed" network where
> endpoints are owned and tightly controlled by the organization that
> owns the network.
>
Let's not forget that when (not if) NEA/NAP/NAC is deployed the IDSen
people have deployed today to solve the lying-client-problem by scanning
for common/current vulnerabilities as part of the network admission
process will have to interface with PDPs that are part of a NEA
infrastructure.

Cheers Leif



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-13 Thread Sam Hartman
> "Frank" == Frank Yeh <[EMAIL PROTECTED]> writes:

Frank> Standardized VS vendor-specific attributes is not something
Frank> that needs to be solved today. Solutions can start with
Frank> vendor-specific and migrate toward a standard, if one develops,
Frank> without changing the protocol. The specification should not
Frank> preclude the addition of standardized attributes. IE the
Frank> specification is like an alphabet, attributes are like
Frank> vocabulary. You can add new words without changing the letters.


One of the things coming out of the most recent BOF was a strong
desire for PA-level interoperability.  That can be accomplished
through standardized attributes or vendor-specific attributes that are
sufficiently well documented (and not subject to patents) that third
parties can implement collectors or analysis tools that interoperate
with the vendor tools for the vendor attributes.

Will we be able to meet these interoperability goals?  Why or why not?




Re:[Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-13 Thread yinhan 34728

> I have a very basic fear that this working group is getting chartered
> with a bunch of aims added by people who will not take on the
> task of doing the work.  After private discussion with folks
> involved, my sense is that the very core of this work is a perceived
> need to be able to pass opaque strings between a host and the network
> prior to the host attaching.  Those opaque strings are, essentially,
> the vendor-specific strings currently associated with posture assessment.
> The standard protocol carrying these strings would connect on the network
> side to a system that has plug-ins which understand the vendor-specific
> strings.
>
> With a charter that clarified that this was intended to assist the end
> systems with vulnerabilities prior to attachment because the
> network they are attaching to might be filled with danger, I
> think this work would get done reasonably quickly. (As a control
> mechanism to protect the network, I agree with the point made
> clearly by others that this is not appropriate).
>
> I am less sure of the task of standardizing attributes.
>
> I am not sure that the number of attributes which can be standardized
> will ever be high enough to be truly useful, and I am pretty sure
> that all of these will be already covered by vendor-specific attributes.
> Since there must be an assessor in place on the client for those few
> standardized attributes to be assessed and that assessor will likely already
> have these covered by vendor-specific attributes, in other words,
> we seem to be standardizing redundancy.  On the network attachment
> side, it is possible, of course, that an offer of remediation could be made
> based on just the standard attributes, but it seems far more likely that
> it would be a two step process (assess standard attributes, then pass
> vendor-specific attributes to vendor plug-in).  Again, if the vendor's
> attributes cover the standard attributes, then this is largely redundant
> and may add measurable latency; it seems far more likely that
> step one would simply be skipped if there were a vendor-specific string
> and an available plug-in. Since there has to be an assessor, the first
> seems very likely to me.  If you don't have a vendor's plug-in, then
> I suppose there is some chance that you will trust and act based on
> the standard attributes, but the chance of getting the right remediation seems
> pretty slight in those circumstances.  Especially when many vulnerabilities
> are a combination of conditions, (Browser version Foo on OS patch level Bar)
> that you could remediate by upgrading either one, checking for and
> acting on the attributes which could be standardized seems of very, very
> limited utility.

I think that most functions should be completed through vendor-specific
attributes, and standard attributes are only basic information.





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-13 Thread Frank Yeh Jr

Ted Hardie <[EMAIL PROTECTED]> wrote on 10/08/2006 11:45:37 PM:

> [snip]
> my sense is that the very core of this work is a perceived 
> need to be able to pass opaque strings between a host and the network 
> prior to the host attaching.  

Yes, that is the essence of this work, which is what we need to remember and focus on. It will probably be applied for various purposes.

> Those opaque strings are, essentially,
> the vendor-specific strings currently associated with posture assessment.
> The standard protocol carrying these strings would connect on the network
> side to a system that has plug-ins which understand the vendor-specific
> strings.  
> 
> With a charter that clarified that this was intended to assist the end
> systems with vulnerabilities prior to attachment because the
> network they are attaching to might be filled with danger, I 
> think this work would get done reasonably quickly. (As a control
> mechanism to protect the network, I agree with the point made
> clearly by others that this is not appropriate).
> 

There seems to be confusion as to why people would want to do this. In one sense we can protect things by not giving compromised endpoints access to network-attached resources, including parts of the network itself. This application has caused significant discussion as to the security of the protocol and solutions using it, which promises to be a subject of debate for the near future.

Another way of looking at this is that it allows customers to use the network to enforce endpoint compliance to policy and provides a convenient "place" to challenge endpoints and collect data from them, thus providing an audit trail.

> I am less sure of the task of standardizing attributes.
> 
> I am not sure that the number of attributes which can be standardized
> will ever be high enough to be truly useful, and I am pretty sure
> that all of these will be already covered by vendor-specific attributes.
> Since there must be an assessor in place on the client for those few
> standardized attributes to be assessed and that assessor will likely already
> have these covered by vendor-specific attributes, in other words,
> we seem to be standardizing redundancy.  On the network attachment
> side, it is possible, of course, that an offer of remediation could be made
> based on just the standard attributes, but it seems far more likely that
> it would be a two step process (assess standard attributes, then pass
> vendor-specific attributes to vendor plug-in).  Again, if the vendor's
> attributes cover the standard attributes, then this is largely redundant
> and may add measurable latency; it seems far more likely that 
> step one would simply be skipped if there were a vendor-specific string
> and an available plug-in. Since there has to be an assessor, the first
> seems very likely to me.  If you don't have a vendor's plug-in, then
> I suppose there is some chance that you will trust and act based on 
> the standard
> attributes, but the chance of getting the right remediation seems
> pretty slight in those circumstances.  Especially when many vulnerabilities
> are a combination of conditions, (Browser version Foo on OS patch level Bar) 
> that you could remediate by upgrading either one, checking for and
> acting on the attributes which could be standardized seems of very, very 
> limited utility.
>

Standardized VS vendor-specific attributes is not something that needs to be solved today. Solutions can start with vendor-specific and migrate toward a standard, if one develops, without changing the protocol. The specification should not preclude the addition of standardized attributes. IE the specification is like an alphabet, attributes are like vocabulary. You can add new words without changing the letters.

 
>             Ted Hardie
> 
> ___
> Nea mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/nea 

Frank Yeh


Re: Due process [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]

2006-10-12 Thread todd glassey
Brian - what constitutes 'disrupting the normal conversation of the list' -
disagreeing with the management of the list?

The issue isn't that I wasn't contributing - it was that the IPR and IP
teams and the IETF process teams WILL NOT LET ME PARTICIPATE because I bring
in non-engineering concerns with their IETF Operation's designs which makes
them look like what they are - engineers instead of what they should be,
Operations Research or HR trained people so that they can look at human
dynamics better.

Your problem is that the LIST STRUCTURE of these entities DOES NOT WANT ANYONE
ELSE IN THE IETF TO KNOW WHAT THEY ARE DOING... What do you think would
happen if a Broadcast Message was sent to the MEMBERSHIP of the IETF saying
that the IPR WG was changing the LEGAL CONSTRAINTS that controlled their
participation and that when it was done they would need to have their
Sponsor's attorneys look it over to make sure it was 'clean' and
appropriate for them to continue participating under the new rules.

By the way - if this IETF was audited - every one of my complaints would
have been substantiated.

Todd Glassey


- Original Message - 
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, October 12, 2006 2:55 AM
Subject: Due process [Re: [Nea] WG Review: Network Endpoint Assessment
(nea)]


> Noel Chiappa wrote:
> > > From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
> >
> > >> it is better that we aren't copied because to do so would be unfair to
> > >> the complainer(s).
> >
> > > As much as I've sparred with Glassey in the past ... I think he's right
> > > in this case. In my opinion, any sort of disciplinary action needs to
> > > be *perceived* as fair. ... I think we do need to follow due process.
> >
> > I'm going to disagree with you on this. My reasoning is that the decision of
> > whether or not to suspend should be based almost entirely on the target
> > person's posts, so the identity (and, indeed, the number) of people
> > complaining is basically irrelevant.
>
> I see no failure of due process in the Sergeants At Arms stating that
> they have received a number of complaints about messages which were sent
> to a couple of thousand people. It isn't as if the complainers were
> making an attack on the sender of the messages; they were complaining
> that the messages were disrupting normal discussion on the list. Such
> complaints don't need to be public in order to be valid.
>
> I don't want to substitute my judgement for that of the Sergeants;
> but I think they have done the right thing.
>
>  Brian
>




Due process [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]

2006-10-12 Thread Brian E Carpenter

Noel Chiappa wrote:

> From: "Steven M. Bellovin" <[EMAIL PROTECTED]>

>> it is better that we aren't copied because to do so would be unfair to
>> the complainer(s).

> As much as I've sparred with Glassey in the past ... I think he's right
> in this case. In my opinion, any sort of disciplinary action needs to
> be *perceived* as fair. ... I think we do need to follow due process.

I'm going to disagree with you on this. My reasoning is that the decision of
whether or not to suspend should be based almost entirely on the target
person's posts, so the identity (and, indeed, the number) of people
complaining is basically irrelevant.


I see no failure of due process in the Sergeants At Arms stating that
they have received a number of complaints about messages which were sent
to a couple of thousand people. It isn't as if the complainers were
making an attack on the sender of the messages; they were complaining
that the messages were disrupting normal discussion on the list. Such
complaints don't need to be public in order to be valid.

I don't want to substitute my judgement for that of the Sergeants;
but I think they have done the right thing.

Brian



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Gray, Eric
I completely agree with Noel on every detail of these comments.

And, no, I was not one of the complainers either.  :-)

--
Eric 

--> -Original Message-
--> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
--> Sent: Wednesday, October 11, 2006 11:26 AM
--> To: ietf@ietf.org
--> Cc: [EMAIL PROTECTED]
--> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
--> 
--> > From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
--> 
--> >> it is better that we aren't copied because to do so 
--> would be unfair to
--> >> the complainer(s).
--> 
--> > As much as I've sparred with Glassey in the past ... 
--> I think he's right
--> > in this case. In my opinion, any sort of disciplinary 
--> action needs to
--> > be *perceived* as fair. ... I think we do need to 
--> follow due process.
--> 
--> I'm going to disagree with you on this. My reasoning is that the decision of
--> whether or not to suspend should be based almost entirely on the target
--> person's posts, so the identity (and, indeed, the number) of people
--> complaining is basically irrelevant.
--> 
--> The whole concept of "facing your accuser" came about because the accusers
--> usually made factual claims ("I saw Joe steal Frank's car"). Traditionally,
--> people wanted to be able to weigh the truthfulness of such claims by
--> observing the person making the assertion, and observing their response to
--> questioning. In addition, the target might know of some grudge that led the
--> accuser to make a false accusation. In this case, however, there is
--> absolutely no probative value coming from knowing *who* complained.
--> 
--> To put it another way, I would hope if several people complained about some
--> reasonable post, the SaA(s) would independently review the post, and if they
--> thought it was reasonable, would take no action, the number or identity of
--> the complainers notwithstanding. The issue is not who complained - the issue
--> is the content of the posts - and that's all.
--> 
--> Indeed, any minuscule probative value in knowing who complained is entirely
--> outweighed, IMO, by the possibility that making their identities public would
--> result in a campaign of harassment against them.
--> 
--> And no, I was not one of the people who complained privately.
--> 
--> 
--> > I do agree that the Sergeants-at-Arms can act on their own volition,
--> > but if they do they should say so
--> 
--> I have no problem with the SaA(s) disclosing whether or not they acted
--> entirely on their own bat, in response to complaints, or both. In addition, I
--> have no problem with them disclosing the number (if any) of complainers.
--> 
--> However, I strenuously oppose making the names public, because the potential
--> harm in that (possibility for harassment, and also the possibility that
--> less-forthcoming people will sit on their hands rather than complain, if
--> their names have to be made public) far outweighs any possible value in
--> making them public. Indeed, it turns out that most police departments actually
--> have anonymous tip lines, for precisely these reasons (and others).
--> 
--> 
--> If the community decides to do elsewise, I offer myself up as an anonymizing
--> agent for any complaints to the SaA(s); i.e. I will forward any complaints
--> sent to me, as if they were my own, after removing the identity of the
--> former. If I can recruit a few other people to do the same, that will suffice
--> to avoid any issue with one person not being able to complain more than once.
--> 
--> Noel
--> 
--> 



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Narayanan, Vidya
Hi Russ, 

> -Original Message-
> From: Russ Housley [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 11, 2006 7:19 AM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) 
> 
> Vidya:
> 
> >I'm not sure that the charter actually needs to get into the modes at
> >all - I'm guessing what happens after NEA (i.e., what is done with the
> >results from NEA) has zero impact on any work being done in NEA itself.
> >So, why not simply state something like "Once NEA is conducted on an
> >endpoint, the results may be used by an organization in accordance with
> >any policies of the organization itself."?
> 
> Discussions with the IAB and IESG prior to external review led to the
> addition of the modes discussion.  The point is that some networks will
> demand compliance to grant full access, and other networks will simply
> notify the host that it is not in compliance.  A host may not want to
> change the configuration to gain compliance.  That is acceptable in the
> second case, but not the first.
> 
> 

I don't disagree with the above. But I was mainly wondering what impact
any of these decisions may have on NEA itself. Aren't these just
post-NEA actions? 

In general though, I have far fewer problems with this text than I do
with the idea of NEA somehow protecting networks or NEA being performed
on endpoints that are not owned by the organization performing NEA. 

Regards,
Vidya

> Russ
> 
> 
> 



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread todd glassey
Russ - I agree that something like a global NEA is necessary - just not that
a new protocol is necessary to implement it. So let me ask...

So then why not pass a new configuration mode model with SNMP - the point is
that the idea of some agent that could actually collect these separate
logs and service records from the various 'aspects of compliance' built into
the operating models of the system in question is no new one.

Tripwire does this already. COPS and FREMONT can be made to with CRON and
their configuration files. SNORT, AIDE... heck, they can even use SysLogNG as
the transport for their log data, which might also make sense as an
addition...  Or SCP/SFTP if they wanted to.

The point is that while NEA is a good collective idea at the altitude the
idea was hatched at, there are already things that do the NEA component
functions today, and that can be aggregated together into a homogeneous
utility environment without redesigning the wheel again.

I don't dispute that the end goal of what the creators of the NEA idea
wanted to accomplish is not good. It is clearly. But the issue is whether
it's necessary to have it in the form they have proposed so far when other very
similar and more widely deployed transports exist for the Inter-Nodal
Communications Model that NEA purports to want to create.

Again - SNMP and Syslog/SysLogNG can do a lot of this already. Why not just
add a Node-Integrity Reporting Process to either of them? From an Audit
Perspective this would be a powerful addition to the SysLog protocols since
it would better anchor them.

Just my 35c.

Todd Glassey

- Original Message - 
From: "Russ Housley" <[EMAIL PROTECTED]>
To: "Narayanan, Vidya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; ; 
Sent: Wednesday, October 11, 2006 7:18 AM
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)


> Vidya:
>
> >I'm not sure that the charter actually needs to get into the modes at
> >all - I'm guessing what happens after NEA (i.e., what is done with the
> >results from NEA) has zero impact on any work being done in NEA itself.
> >So, why not simply state something like "Once NEA is conducted on an
> >endpoint, the results may be used by an organization in accordance with
> >any policies of the organization itself."?
>
> Discussions with the IAB and IESG prior to external review led to
> the addition of the modes discussion.  The point is that some
> networks will demand compliance to grant full access, and other
> networks will simply notify the host that it is not in
> compliance.  A host may not want to change the configuration to gain
> compliance.  That is acceptable in the second case, but not the first.
>
> Russ
>
>
>




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread todd glassey

- Original Message - 
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: "Fleischman, Eric" <[EMAIL PROTECTED]>
Cc: "todd glassey" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;

Sent: Wednesday, October 11, 2006 7:09 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> On Tue, 10 Oct 2006 17:10:50 -0700, "Fleischman, Eric"
> <[EMAIL PROTECTED]> wrote:
>
> > I'm sorry to enter this fray, but I'd like to point out that while I
> > respect Todd's request to know who is accusing him and why, the rest of
> > us don't need to be copied that information. In fact, it is better that
> > we aren't copied because to do so would be unfair to the complainer(s).

Eric - then talk to the SOA's - they posted the commentary as public
notice - I just responded to it.

> >
> > Discipline is a difficult task to do fairly and because of this there
> > are many advantages in respectfully permitting the protagonists to have
> > privacy during key parts of the process.
> >
> As much as I've sparred with Glassey in the past (I suspended him from a
> WG mailing list, and was the target of an appeal to the IESG by him), I
> think he's right in this case.

Scary thought that eh?

> In my opinion, any sort of disciplinary
> action needs to be *perceived* as fair.  That may not be as much of an
> issue here -- the public record of Todd's postings is appallingly clear --
> but I think we do need to follow due process.
>
> I do agree that the Sergeants-at-Arms can act on their own volition,

Cool - when was this capability specifically placed into the IETF's Charter
or the Job Description of the SOA? Who is accountable for that SOA's actions
(including the party that appoints them?) And can they create policy to 'fit
the moment' and if so how?

> but
> if they do they should say so; that gives the community grounds to judge
> their behavior.

And it also provides specific recourse in Courts against the IETF and that
individual and their Sponsor.

>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Noel Chiappa
> From: "Steven M. Bellovin" <[EMAIL PROTECTED]>

>> it is better that we aren't copied because to do so would be unfair to
>> the complainer(s).

> As much as I've sparred with Glassey in the past ... I think he's right
> in this case. In my opinion, any sort of disciplinary action needs to
> be *perceived* as fair. ... I think we do need to follow due process.

I'm going to disagree with you on this. My reasoning is that the decision of
whether or not to suspend should be based almost entirely on the target
person's posts, so the identity (and, indeed, the number) of people
complaining is basically irrelevant.

The whole concept of "facing your accuser" came about because the accusers
usually made factual claims ("I saw Joe steal Frank's car"). Traditionally,
people wanted to be able to weigh the truthfulness of such claims by
observing the person making the assertion, and observing their response to
questioning. In addition, the target might know of some grudge that led the
accuser to make a false accusation. In this case, however, there is
absolutely no probative value coming from knowing *who* complained.

To put it another way, I would hope if several people complained about some
reasonable post, the SaA(s) would independently review the post, and if they
thought it was reasonable, would take no action, the number or identity of
the complainers notwithstanding. The issue is not who complained - the issue
is the content of the posts - and that's all.

Indeed, any minuscule probative value in knowing who complained is entirely
outweighed, IMO, by the possibility that making their identities public would
result in a campaign of harassment against them.

And no, I was not one of the people who complained privately.


> I do agree that the Sergeants-at-Arms can act on their own volition,
> but if they do they should say so

I have no problem with the SaA(s) disclosing whether or not they acted
entirely on their own bat, in response to complaints, or both. In addition, I
have no problem with them disclosing the number (if any) of complainers.

However, I strenuously oppose making the names public, because the potential
harm in that (possibility for harassment, and also the possibility that
less-forthcoming people will sit on their hands rather than complain, if
their names have to be made public) far outweighs any possible value in
making them public. Indeed, it turns out that most police departments actually
have anonymous tip lines, for precisely these reasons (and others).


If the community decides to do elsewise, I offer myself up as an anonymizing
agent for any complaints to the SaA(s); i.e. I will forward any complaints
sent to me, as if they were my own, after removing the identity of the
former. If I can recruit a few other people to do the same, that will suffice
to avoid any issue with one person not being able to complain more than once.

Noel



Re: Complaints and complainers (Re: [Nea] WG Review: Network Endpoint Assessment (nea))

2006-10-11 Thread Ned Freed

> Just FTR (and changing the subject, since this is not about NEA at all):
>
> I agree with the principle that the sergeants-at-arms are obliged to
> make up their own minds about whether or not a posting is inappropriate,
> and that they are responsible for their own decisions.
>
> Complaints are a means of calling their attention to a situation,
> nothing more.
> An IETF participant should not have to suffer rants and threats from a
> suspended person in his private email inbox just because he commented to
> a sergeant-at-arms that he found the person's postings offensive.
>
> I think the sergeants-at-arms have made the right call.


I agree with everything Harald says here. Analogies to court situations and the
notion of "facing your accuser" are IMO entirely inappropriate. A better
analogy is to the many mechanisms that exist in various other contexts for
providing tips, suggestions, recommendations and complaints. In many of these
cases anonymity is not only allowed, it is required.

I don't think this is a case where anonymity is absolutely required, but 
it is definitely beneficial.


Ned



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Russ Housley

Vidya:


> I'm not sure that the charter actually needs to get into the modes at
> all - I'm guessing what happens after NEA (i.e., what is done with the
> results from NEA) has zero impact on any work being done in NEA itself.
> So, why not simply state something like "Once NEA is conducted on an
> endpoint, the results may be used by an organization in accordance with
> any policies of the organization itself."?


Discussions with the IAB and IESG prior to external review led to 
the addition of the modes discussion.  The point is that some 
networks will demand compliance to grant full access, and other 
networks will simply notify the host that it is not in 
compliance.  A host may not want to change the configuration to gain 
compliance.  That is acceptable in the second case, but not the first.


Russ





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-11 Thread Steven M. Bellovin
On Tue, 10 Oct 2006 17:10:50 -0700, "Fleischman, Eric"
<[EMAIL PROTECTED]> wrote:

> I'm sorry to enter this fray, but I'd like to point out that while I
> respect Todd's request to know who is accusing him and why, the rest of
> us don't need to be copied that information. In fact, it is better that
> we aren't copied because to do so would be unfair to the complainer(s).
> 
> Discipline is a difficult task to do fairly and because of this there
> are many advantages in respectfully permitting the protagonists to have
> privacy during key parts of the process.
> 
As much as I've sparred with Glassey in the past (I suspended him from a
WG mailing list, and was the target of an appeal to the IESG by him), I
think he's right in this case.  In my opinion, any sort of disciplinary
action needs to be *perceived* as fair.  That may not be as much of an
issue here -- the public record of Todd's postings is appallingly clear --
but I think we do need to follow due process.

I do agree that the Sergeants-at-Arms can act on their own volition, but
if they do they should say so; that gives the community grounds to judge
their behavior.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



The Delete button [Re: [Nea] WG Review: Network Endpoint Assessment (nea)]

2006-10-11 Thread Brian E Carpenter

Theodore Tso wrote:

> On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> > Hi Eric,
> >
> > I don't really agree with that. I first have the obligation to keep the
> > privacy about any email received in private. Of course, I can always suggest
> > that the people who complained in private speak up on the list, but I
> > don't think that noise will help anyone.
> >
> > If there is a need to review my decision, the body in charge of that
> > "appeal" will have the information about those complaints, of course.
>
> Note that while we may use complaints from the community about whether
> or not postings are inappropriate, in the end it is up to the
> Sergeant-at-Arms about whether or not postings are appropriate and
> form a pattern of abuse.  And the postings from the accused are
> publicly available on mailing list archives, and can be judged on
> their own (dis-)merits.  For that reason, I don't believe that there
> is any need to reveal private communications about complaints, since
> in the end, the final determination is and can be made by the
> postings in isolation.
>
> That being said, we do periodically check in with the IETF Chair, who
> appointed us and has the power to dismiss us, whether or not in his
> opinion, we are using the appropriate trigger levels for enforcing
> violations of RFC 3005.


And the Chair's opinion is that the Sergeants are using a light touch
and are generally tolerant of a wide range of discourse.

I would however repeat once again that the easiest way to deal with
irrelevant mail is the Delete button. It's quicker than the Reply
button and has fewer unintended side effects.

Brian



Complaints and complainers (Re: [Nea] WG Review: Network Endpoint Assessment (nea))

2006-10-11 Thread Harald Alvestrand

Just FTR (and changing the subject, since this is not about NEA at all):

I agree with the principle that the sergeants-at-arms are obliged to 
make up their own minds about whether or not a posting is inappropriate, 
and that they are responsible for their own decisions.


Complaints are a means of calling their attention to a situation, 
nothing more.
An IETF participant should not have to suffer rants and threats from a 
suspended person in his private email inbox just because he commented to 
a sergeant-at-arms that he found the person's postings offensive.


I think the sergeants-at-arms have made the right call.

   Harald, who gets the rants anyway

Theodore Tso wrote:

> On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> > Hi Eric,
> >
> > I don't really agree with that. I first have the obligation to keep the
> > privacy about any email received in private. Of course, I can always suggest
> > that the people who complained in private speak up on the list, but I
> > don't think that noise will help anyone.
> >
> > If there is a need to review my decision, the body in charge of that
> > "appeal" will have the information about those complaints, of course.
>
> Note that while we may use complaints from the community about whether
> or not postings are inappropriate, in the end it is up to the
> Sergeant-at-Arms about whether or not postings are appropriate and
> form a pattern of abuse.  And the postings from the accused are
> publicly available on mailing list archives, and can be judged on
> their own (dis-)merits.  For that reason, I don't believe that there
> is any need to reveal private communications about complaints, since
> in the end, the final determination is and can be made by the
> postings in isolation.
>
> That being said, we do periodically check in with the IETF Chair, who
> appointed us and has the power to dismiss us, whether or not in his
> opinion, we are using the appropriate trigger levels for enforcing
> violations of RFC 3005.
>
> Regards,
>
> - Ted



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread Theodore Tso
On Tue, Oct 10, 2006 at 07:45:48PM -0500, JORDI PALET MARTINEZ wrote:
> Hi Eric,
> 
> I don't really agree with that. I first have the obligation to keep the
> privacy about any email received in private. Of course, I can always suggest
> that the people who complained in private speak up on the list, but I
> don't think that noise will help anyone.
> 
> If there is a need to review my decision, the body in charge of that
> "appeal" will have the information about those complaints, of course.

Note that while we may use complaints from the community about whether
or not postings are inappropriate, in the end it is up to the
Sergeant-at-Arms about whether or not postings are appropriate and
form a pattern of abuse.  And the postings from the accused are
publicly available on mailing list archives, and can be judged on
their own (dis-)merits.  For that reason, I don't believe that there
is any need to reveal private communications about complaints, since
in the end, the final determination is and can be made by the
postings in isolation.

That being said, we do periodically check in with the IETF Chair, who
appointed us and has the power to dismiss us, whether or not in his
opinion, we are using the appropriate trigger levels for enforcing
violations of RFC 3005.

Regards,

- Ted



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread JORDI PALET MARTINEZ
Hi Eric,

I don't really agree with that. I first have the obligation to keep the
privacy about any email received in private. Of course, I can always suggest
that the people who complained in private speak up on the list, but I
don't think that noise will help anyone.

If there is a need to review my decision, the body in charge of that
"appeal" will have the information about those complaints, of course.

If we as a community feel that this should work in a different way, we
probably need to document/update the process used by the sergeant-at-arms.

Regards,
Jordi




> From: "Fleischman, Eric" <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 17:10:50 -0700
> To: todd glassey <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> 
> Thread: [Nea] WG Review: Network Endpoint Assessment (nea)
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> I'm sorry to enter this fray, but I'd like to point out that while I
> respect Todd's request to know who is accusing him and why, the rest of
> us don't need to be copied that information. In fact, it is better that
> we aren't copied because to do so would be unfair to the complainer(s).
> 
> Discipline is a difficult task to do fairly and because of this there
> are many advantages in respectfully permitting the protagonists to have
> privacy during key parts of the process.
> 
> -Original Message-
> From: todd glassey [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 10, 2006 4:51 PM
> To: [EMAIL PROTECTED]; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> 
> Yes actually you do - how does anyone complained against know who is
> complaining or why? - if the complaints are not public then the
> oversight is not real - it's a paper fiction - a lie in print.
> 
> Speaking of lies in print, this is why IETF complaints are addressed and
> penalties for them assessed before the appeal can be resolved - because
> the IETF's oversight policy and practice model is ineffective and set up
> to allow the IETF to exact whatever penalties it wants from individuals
> without the benefit of the appeal or the appeal process.
> 
> So YES I want to know specifically who complained.
> 
> Todd Glassey
> 
> - Original Message -
> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>; 
> Sent: Tuesday, October 10, 2006 2:11 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> 
>> Todd,
>> 
>> People got very irritated with this type of messages and actually even
>> complain why I'm not more strict. I got at the time being already 3
>> new complaints after this message and obviously I don't need to justify
>> to you who is complaining.
>> 
>> Clearly you crossed the line once more, and it took you only a few
>> seconds after getting my warning, so I just instructed the secretariat
>> to ban you for two weeks from now.
>> 
>> And please, understand that I don't have anything personal, just
>> fulfilling my mission.
>> 
>> Regards,
>> Jordi, acting as IETF Sergeant-at-arms
>> 
>> 
>> 
>> 
>>> From: todd glassey <[EMAIL PROTECTED]>
>>> Reply-To: <[EMAIL PROTECTED]>
>>> Date: Tue, 10 Oct 2006 12:42:30 -0700
>>> To: <[EMAIL PROTECTED]>, , "Contreras,
>>> Jorge" <[EMAIL PROTECTED]>
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>> Who filed the complaints? if you are accusing me of something I have
> 
>>> the right to know of what  I am accused and by whom.
>>> 
>>> Todd Glassey
>>> 
>>> - Original Message -
>>> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
>>> To: "todd glassey" <[EMAIL PROTECTED]>; <>
>>> Cc: <[EMAIL PROTECTED]>
>>> Sent: Tuesday, October 10, 2006 12:34 PM
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>> 
>>>> Todd,
>>>> 
>>>> I've received several complaints from people that think that you are
>>>> crossing the limit again and being off-topic with this thread and I
>>>> seriously agree with them.
>>>> 
>>>> Consequently I warn you. If you keep going on this, I will apply a
>>>> new ban (two weeks, as it will be your se

RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread Fleischman, Eric
I'm sorry to enter this fray, but I'd like to point out that while I
respect Todd's request to know who is accusing him and why, the rest of
us don't need to be copied that information. In fact, it is better that
we aren't copied because to do so would be unfair to the complainer(s).

Discipline is a difficult task to do fairly and because of this there
are many advantages in respectfully permitting the protagonists to have
privacy during key parts of the process.

-Original Message-
From: todd glassey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 10, 2006 4:51 PM
To: [EMAIL PROTECTED]; ietf@ietf.org
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


Yes actually you do - how does anyone complained against know who is
complaining or why? - if the complaints are not public then the
oversight is not real - it's a paper fiction - a lie in print.

Speaking of lies in print, this is why IETF complaints are addressed and
penalties for them assessed before the appeal can be resolved - because
the IETF's oversight policy and practice model is ineffective and set up
to allow the IETF to exact whatever penalties it wants from individuals
without the benefit of the appeal or the appeal process.

So YES I want to know specifically who complained.

Todd Glassey

- Original Message - 
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; 
Sent: Tuesday, October 10, 2006 2:11 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> Todd,
>
> People got very irritated with this type of message and actually even
> complain that I'm not more strict. At the time being I have already got
> 3 new complaints after this message, and obviously I don't need to
> justify to you who is complaining.
>
> Clearly you crossed the line once more, and it took you only a few
> seconds after getting my warning, so I just instructed the secretariat
> to ban you for two weeks from now.
>
> And please, understand that I don't have anything personal; I'm just
> fulfilling my mission.
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>
>
>
> > From: todd glassey <[EMAIL PROTECTED]>
> > Reply-To: <[EMAIL PROTECTED]>
> > Date: Tue, 10 Oct 2006 12:42:30 -0700
> > To: <[EMAIL PROTECTED]>, , "Contreras, Jorge" <[EMAIL PROTECTED]>
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > Who filed the complaints? If you are accusing me of something, I have
> > the right to know of what I am accused and by whom.
> >
> > Todd Glassey
> >
> > - Original Message -
> > From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> > To: "todd glassey" <[EMAIL PROTECTED]>; <>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 10, 2006 12:34 PM
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> >
> >> Todd,
> >>
> >> I've received several complaints from people that think that you are
> >> crossing the limit again and being off-topic with this thread and I
> >> seriously agree with them.
> >>
> >> Consequently I warn you. If you keep going on this, I will apply a
> >> new ban (two weeks, as it will be your second one in a very short
> >> period of time).
> >>
> >> Regards,
> >> Jordi, acting as IETF Sergeant-at-arms
> >>
> >>
> >>
> >>
> >>> From: todd glassey <[EMAIL PROTECTED]>
> >>> Reply-To: <[EMAIL PROTECTED]>
> >>> Date: Tue, 10 Oct 2006 11:37:49 -0700
> >>> To: Theodore Tso <[EMAIL PROTECTED]>
> >>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
> >>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >>>
> >>> Hey Ted - the more I thought about this post of yours the more it
> >>> annoyed me. You see - when a WG chair doesn't want someone saying
> >>> something in their WG and they control the number of players in that
> >>> WG, they will always control the consensus such as it is.
> >>>
> >>> The point is that there is nowhere to permanently register a
> >>> dissenting opinion in an effort or IETF program now that you claim
> >>> that the charter for the IETF@IETF.ORG mailing list is restricted.
> >>>
> >>> The IETF needs IMHO one general list for everything that doesn't
> >>> fall
>

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread todd glassey
Yes actually you do - how does anyone complained against know who is
complaining or why? If the complaints are not public then the oversight is
not real - it's a paper fiction - a lie in print.

Speaking of lies in print, this is why IETF complaints are addressed and
penalties for them assessed before the appeal can be resolved - because the
IETF's oversight policy and practice model is ineffective and set up to allow
the IETF to exact whatever penalties it wants from individuals without the
benefit of the appeal or the appeal process.

So YES I want to know specifically who complained.

Todd Glassey

- Original Message - 
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; 
Sent: Tuesday, October 10, 2006 2:11 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> Todd,
>
> People got very irritated with this type of message and actually even
> complain that I'm not more strict. At the time being I have already got
> 3 new complaints after this message, and obviously I don't need to
> justify to you who is complaining.
>
> Clearly you crossed the line once more, and it took you only a few seconds
> after getting my warning, so I just instructed the secretariat to ban you
> for two weeks from now.
>
> And please, understand that I don't have anything personal; I'm just
> fulfilling my mission.
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>
>
>
> > From: todd glassey <[EMAIL PROTECTED]>
> > Reply-To: <[EMAIL PROTECTED]>
> > Date: Tue, 10 Oct 2006 12:42:30 -0700
> > To: <[EMAIL PROTECTED]>, , "Contreras, Jorge"
> > <[EMAIL PROTECTED]>
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > Who filed the complaints? If you are accusing me of something, I have the
> > right to know of what I am accused and by whom.
> >
> > Todd Glassey
> >
> > ----- Original Message -
> > From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> > To: "todd glassey" <[EMAIL PROTECTED]>; <>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 10, 2006 12:34 PM
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> >
> >> Todd,
> >>
> >> I've received several complaints from people that think that you are
> >> crossing the limit again and being off-topic with this thread and I
> >> seriously agree with them.
> >>
> >> Consequently I warn you. If you keep going on this, I will apply a new
> >> ban (two weeks, as it will be your second one in a very short period of
> >> time).
> >>
> >> Regards,
> >> Jordi, acting as IETF Sergeant-at-arms
> >>
> >>
> >>
> >>
> >>> From: todd glassey <[EMAIL PROTECTED]>
> >>> Reply-To: <[EMAIL PROTECTED]>
> >>> Date: Tue, 10 Oct 2006 11:37:49 -0700
> >>> To: Theodore Tso <[EMAIL PROTECTED]>
> >>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
> >>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >>>
> >>> Hey Ted - the more I thought about this post of yours the more it
> >>> annoyed me. You see - when a WG chair doesn't want someone saying
> >>> something in their WG and they control the number of players in that
> >>> WG, they will always control the consensus such as it is.
> >>>
> >>> The point is that there is nowhere to permanently register a
> >>> dissenting opinion in an effort or IETF program now that you claim
> >>> that the charter for the IETF@IETF.ORG mailing list is restricted.
> >>>
> >>> The IETF needs IMHO one general list for everything that doesn't fall
> >>> under the rubric/charter/umbrella of some WG and their list, and
> >>> personally after NETWORK was shut down I thought that this was it.
> >>>
> >>> Todd Glassey
> >>>
> >>>
> >>>
> >>> - Original Message -
> >>> From: "Theodore Tso" <[EMAIL PROTECTED]>
> >>> To: "todd glassey" <[EMAIL PROTECTED]>
> >>> Cc: <[EMAIL PROTECTED]>; 
> >>> Sent: Monday, October 09, 2006 3:16 PM
> >>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >>>
> >>>
> >>>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> >>

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread JORDI PALET MARTINEZ
Todd,

People got very irritated with this type of message and actually even
complain that I'm not more strict. At the time being I have already got 3 new
complaints after this message, and obviously I don't need to justify to you
who is complaining.

Clearly you crossed the line once more, and it took you only a few seconds
after getting my warning, so I just instructed the secretariat to ban you for
two weeks from now.

And please, understand that I don't have anything personal; I'm just
fulfilling my mission.

Regards,
Jordi, acting as IETF Sergeant-at-arms




> From: todd glassey <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 12:42:30 -0700
> To: <[EMAIL PROTECTED]>, , "Contreras, Jorge"
> <[EMAIL PROTECTED]>
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> Who filed the complaints? If you are accusing me of something, I have the
> right to know of what I am accused and by whom.
> 
> Todd Glassey
> 
> - Original Message -
> From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>; <>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 10, 2006 12:34 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> 
>> Todd,
>> 
>> I've received several complaints from people that think that you are
>> crossing the limit again and being off-topic with this thread and I
>> seriously agree with them.
>> 
>> Consequently I warn you. If you keep going on this, I will apply a new ban
>> (two weeks, as it will be your second one in a very short period of time).
>> 
>> Regards,
>> Jordi, acting as IETF Sergeant-at-arms
>> 
>> 
>> 
>> 
>>> From: todd glassey <[EMAIL PROTECTED]>
>>> Reply-To: <[EMAIL PROTECTED]>
>>> Date: Tue, 10 Oct 2006 11:37:49 -0700
>>> To: Theodore Tso <[EMAIL PROTECTED]>
>>> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>> Hey Ted - the more I thought about this post of yours the more it
>>> annoyed me. You see - when a WG chair doesn't want someone saying
>>> something in their WG and they control the number of players in that
>>> WG, they will always control the consensus such as it is.
>>> 
>>> The point is that there is nowhere to permanently register a dissenting
>>> opinion in an effort or IETF program now that you claim that the charter
>>> for the IETF@IETF.ORG mailing list is restricted.
>>> 
>>> The IETF needs IMHO one general list for everything that doesn't fall
>>> under the rubric/charter/umbrella of some WG and their list, and
>>> personally after NETWORK was shut down I thought that this was it.
>>> 
>>> Todd Glassey
>>> 
>>> 
>>> 
>>> - Original Message -
>>> From: "Theodore Tso" <[EMAIL PROTECTED]>
>>> To: "todd glassey" <[EMAIL PROTECTED]>
>>> Cc: <[EMAIL PROTECTED]>; 
>>> Sent: Monday, October 09, 2006 3:16 PM
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>> 
>>>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>>>>> So then Ted are you formally saying that it is inappropriate to
>>>>> discuss IETF operations or its processes on the IETF@IETF.ORG
>>>>> mailing list?
>>>> 
>>>> If you have a specific and actionable suggestion regarding IETF
>>>> direction, policy, meetings, and procedures, where there is not a more
>>>> appropriate e-mail venue (such as the IPR wg list), then it is
>>>> certainly appropriate for the IETF list.
>>>> 
>>>> Your recent postings, alas, have not met this test.
>>>> 
>>>>> The problem with the IPR working group is simply that Harald kicks
>>>>> people off for disagreeing with him or his very limited charter. He
>>>>> doesn't want to hear about expanding the charter or how these other
>>>>> issues fit into the IPR Working Group and in doing so he is violating
>>>>> my and others' participatory rights as well as our First Amendment
>>>>> rights I believe too.
>>>> 
>>>> First Amendment rights only apply when the US Government restricts
>>>> speech.  It does not apply anywhere else.  I

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread todd glassey
Who filed the complaints? If you are accusing me of something, I have the
right to know of what I am accused and by whom.

Todd Glassey

- Original Message - 
From: "JORDI PALET MARTINEZ" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; <>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, October 10, 2006 12:34 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> Todd,
>
> I've received several complaints from people that think that you are
> crossing the limit again and being off-topic with this thread and I
> seriously agree with them.
>
> Consequently I warn you. If you keep going on this, I will apply a new ban
> (two weeks, as it will be your second one in a very short period of time).
>
> Regards,
> Jordi, acting as IETF Sergeant-at-arms
>
>
>
>
> > From: todd glassey <[EMAIL PROTECTED]>
> > Reply-To: <[EMAIL PROTECTED]>
> > Date: Tue, 10 Oct 2006 11:37:49 -0700
> > To: Theodore Tso <[EMAIL PROTECTED]>
> > CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> > Hey Ted - the more I thought about this post of yours the more it
> > annoyed me. You see - when a WG chair doesn't want someone saying
> > something in their WG and they control the number of players in that
> > WG, they will always control the consensus such as it is.
> >
> > The point is that there is nowhere to permanently register a dissenting
> > opinion in an effort or IETF program now that you claim that the charter
> > for the IETF@IETF.ORG mailing list is restricted.
> >
> > The IETF needs IMHO one general list for everything that doesn't fall
> > under the rubric/charter/umbrella of some WG and their list, and
> > personally after NETWORK was shut down I thought that this was it.
> >
> > Todd Glassey
> >
> >
> >
> > - Original Message -
> > From: "Theodore Tso" <[EMAIL PROTECTED]>
> > To: "todd glassey" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>; 
> > Sent: Monday, October 09, 2006 3:16 PM
> > Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> >
> >
> >> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> >>> So then Ted are you formally saying that it is inappropriate to
> >>> discuss IETF operations or its processes on the IETF@IETF.ORG
> >>> mailing list?
> >>
> >> If you have a specific and actionable suggestion regarding IETF
> >> direction, policy, meetings, and procedures, where there is not a more
> >> appropriate e-mail venue (such as the IPR wg list), then it is
> >> certainly appropriate for the IETF list.
> >>
> >> Your recent postings, alas, have not met this test.
> >>
> >>> The problem with the IPR working group is simply that Harald kicks
> >>> people off for disagreeing with him or his very limited charter. He
> >>> doesn't want to hear about expanding the charter or how these other
> >>> issues fit into the IPR Working Group and in doing so he is
> >>> violating my and others' participatory rights as well as our First
> >>> Amendment rights I believe too.
> >>
> >> First Amendment rights only apply when the US Government restricts
> >> speech.  It does not apply anywhere else.  In general, you have been
> >> making various legal claims without being a lawyer, and fairly wild
> >> ones which make it very clear that you don't know what you are talking
> >> about.  For what it's worth, be advised that I know of no legally
> >> enforceable "right" that you might have towards participating in any
> >> IETF forum, and certainly if you persist in sounding like someone who
> >> does not know what they are talking about, no one is required to
> >> listen to you, either --- and more and more people may in fact decide
> >> that it is wise for them to exercise their right to ignore you.
> >>
> >> Regards,
> >>
> >> - Ted
> >
> >
> > ___
> > Ietf mailing list
> > Ietf@ietf.org
> > https://www1.ietf.org/mailman/listinfo/ietf
>
>
>
>
> **
> The IPv6 Portal: http://www.ipv6tf.org
>
> Bye 6Bone. Hi, IPv6 !
> http://www.ipv6day.org
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the use of the
> individual(s) named above. If you are not the intended recipient be aware
> that any disclosure, copying, distribution or use of the contents of this
> information, including attached files, is prohibited.
>
>
>




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread JORDI PALET MARTINEZ
Todd,

I've received several complaints from people that think that you are crossing
the limit again and being off-topic with this thread and I seriously agree
with them.

Consequently I warn you. If you keep going on this, I will apply a new ban
(two weeks, as it will be your second one in a very short period of time).

Regards,
Jordi, acting as IETF Sergeant-at-arms




> From: todd glassey <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 10 Oct 2006 11:37:49 -0700
> To: Theodore Tso <[EMAIL PROTECTED]>
> CC: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> Hey Ted - the more I thought about this post of yours the more it annoyed
> me. You see - when a WG chair doesn't want someone saying something in their
> WG and they control the number of players in that WG, they will always
> control the consensus such as it is.
> 
> The point is that there is nowhere to permanently register a dissenting
> opinion in an effort or IETF program now that you claim that the charter for
> the IETF@IETF.ORG mailing list is restricted.
> 
> The IETF needs IMHO one general list for everything that doesn't fall under
> the rubric/charter/umbrella of some WG and their list, and personally after
> NETWORK was shut down I thought that this was it.
> 
> Todd Glassey
> 
> 
> 
> - Original Message -
> From: "Theodore Tso" <[EMAIL PROTECTED]>
> To: "todd glassey" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; 
> Sent: Monday, October 09, 2006 3:16 PM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> 
>> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
>>> So then Ted are you formally saying that it is inappropriate to discuss
>>> IETF operations or its processes on the IETF@IETF.ORG mailing list?
>> 
>> If you have a specific and actionable suggestion regarding IETF
>> direction, policy, meetings, and procedures, where there is not a more
>> appropriate e-mail venue (such as the IPR wg list), then it is
>> certainly appropriate for the IETF list.
>> 
>> Your recent postings, alas, have not met this test.
>> 
>>> The problem with the IPR working group is simply that Harald kicks
>>> people off for disagreeing with him or his very limited charter. He
>>> doesn't want to hear about expanding the charter or how these other
>>> issues fit into the IPR Working Group and in doing so he is violating
>>> my and others' participatory rights as well as our First Amendment
>>> rights I believe too.
>> 
>> First Amendment rights only apply when the US Government restricts
>> speech.  It does not apply anywhere else.  In general, you have been
>> making various legal claims without being a lawyer, and fairly wild
>> ones which make it very clear that you don't know what you are talking
>> about.  For what it's worth, be advised that I know of no legally
>> enforceable "right" that you might have towards participating in any
>> IETF forum, and certainly if you persist in sounding like someone who
>> does not know what they are talking about, no one is required to
>> listen to you, either --- and more and more people may in fact decide
>> that it is wise for them to exercise their right to ignore you.
>> 
>> Regards,
>> 
>> - Ted
> 
> 










Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-10 Thread todd glassey
Hey Ted - the more I thought about this post of yours the more it annoyed
me. You see - when a WG chair doesn't want someone saying something in their
WG and they control the number of players in that WG, they will always
control the consensus such as it is.

The point is that there is nowhere to permanently register a dissenting
opinion in an effort or IETF program now that you claim that the charter for
the IETF@IETF.ORG mailing list is restricted.

The IETF needs IMHO one general list for everything that doesn't fall under
the rubric/charter/umbrella of some WG and their list, and personally after
NETWORK was shutdown I thought that this was it.

Todd Glassey



- Original Message - 
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 3:16 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> > So then Ted are you formally saying that it is inappropriate to discuss
> > IETF operations or its processes on the IETF@IETF.ORG mailing list?
>
> If you have a specific and actionable suggestion regarding IETF
> direction, policy, meetings, and procedures, where there is not a more
> appropriate e-mail venue (such as the IPR wg list), then it is
> certainly appropriate for the IETF list.
>
> Your recent postings, alas, have not met this test.
>
> > The problem with the IPR working group is simply that Harald kicks
> > people off for disagreeing with him or his very limited charter. He
> > doesn't want to hear about expanding the charter or how these other
> > issues fit into the IPR Working Group and in doing so he is violating
> > my and others' participatory rights as well as our First Amendment
> > rights I believe too.
>
> First Amendment rights only apply when the US Government restricts
> speech.  It does not apply anywhere else.  In general, you have been
> making various legal claims without being a lawyer, and fairly wild
> ones which make it very clear that you don't know what you are talking
> about.  For what it's worth, be advised that I know of no legally
> enforceable "right" that you might have towards participating in any
> IETF forum, and certainly if you persist in sounding like someone who
> does not know what they are talking about, no one is required to
> listen to you, either --- and more and more people may in fact decide
> that it is wise for them to exercise their right to ignore you.
>
> Regards,
>
> - Ted




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
You know Ted you crack me up.

Todd Glassey

- Original Message - 
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 3:16 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> > So then Ted are you formally saying that it is inappropriate to discuss
> > IETF operations or its processes on the IETF@IETF.ORG mailing list?
>
> If you have a specific and actionable suggestion regarding IETF
> direction, policy, meetings, and procedures, where there is not a more
> appropriate e-mail venue (such as the IPR wg list), then it is
> certainly appropriate for the IETF list.
>
> Your recent postings, alas, have not met this test.
>
> > The problem with the IPR working group is simply that Harald kicks
> > people off for disagreeing with him or his very limited charter. He
> > doesn't want to hear about expanding the charter or how these other
> > issues fit into the IPR Working Group and in doing so he is violating
> > my and others' participatory rights as well as our First Amendment
> > rights I believe too.
>
> First Amendment rights only apply when the US Government restricts
> speech.  It does not apply anywhere else.  In general, you have been
> making various legal claims without being a lawyer, and fairly wild
> ones which make it very clear that you don't know what you are talking
> about.  For what it's worth, be advised that I know of no legally
> enforceable "right" that you might have towards participating in any
> IETF forum, and certainly if you persist in sounding like someone who
> does not know what they are talking about, no one is required to
> listen to you, either --- and more and more people may in fact decide
> that it is wise for them to exercise their right to ignore you.
>
> Regards,
>
> - Ted




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 02:39:46PM -0700, todd glassey wrote:
> So then Ted are you formally saying that it is inappropriate to discuss IETF
> operations or its processes on the IETF@IETF.ORG mailing list?

If you have a specific and actionable suggestion regarding IETF
direction, policy, meetings, and procedures, where there is not a more
appropriate e-mail venue (such as the IPR wg list), then it is
certainly appropriate for the IETF list.

Your recent postings, alas, have not met this test.

> The problem with the IPR working group is simply that Harald kicks people
> off for disagreeing with him or his very limited charter. He doesn't want to
> hear about expanding the charter or how these other issues fit into the IPR
> Working Group and in doing so he is violating my and others' participatory
> rights as well as our First Amendment rights I believe too.

First Amendment rights only apply when the US Government restricts
speech.  It does not apply anywhere else.  In general, you have been
making various legal claims without being a lawyer, and fairly wild
ones which make it very clear that you don't know what you are talking
about.  For what it's worth, be advised that I know of no legally
enforceable "right" that you might have towards participating in any
IETF forum, and certainly if you persist in sounding like someone who
does not know what they are talking about, no one is required to
listen to you, either --- and more and more people may in fact decide
that it is wise for them to exercise their right to ignore you.

Regards,

- Ted



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
So then Ted are you formally saying that it is inappropriate to discuss IETF
operations or its processes on the IETF@IETF.ORG mailing list?


The problem with the IPR working group is simply that Harald kicks people
off for disagreeing with him or his very limited charter. He doesn't want to
hear about expanding the charter or how these other issues fit into the IPR
Working Group and in doing so he is violating my and others' participatory
rights as well as our First Amendment rights I believe too.

Todd Glassey.

- Original Message - 
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Brian E Carpenter" <[EMAIL PROTECTED]>; ;
<[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 2:25 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> On Mon, Oct 09, 2006 at 01:54:51PM -0700, todd glassey wrote:
> > No you are wrong Ted, and it's pretty funny too.  As it happens you are
> > incorrect for saying that this is inappropriate for the IETF's lists.
> >
> > You need to dig farther into the WIPO Site and find all the State
> > Signatures to the Treaties - it's them that the IETF is bound by whether
> > it likes it or not.  Since the countries through which the IETF's actions
> > operate, including the meetings, are all signatories to the WIPO Treaties
> > you are exactly stuck with them.
>
> I said it was inappropriate for the IETF list.  If you have specific
> ideas as they relate to the ipr working group, feel free to be
> specific about specific WIPO treaties that have resulted in national
> legislation, and specific changes to be made to IETF's IPR policies,
> feel free to make them on that list, but not on the main IETF list,
> please.
>
> Thanks,
>
> - Ted




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
Jeff -
- Original Message - 
From: "Jeffrey Hutzelman" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; "Narayanan, Vidya"
<[EMAIL PROTECTED]>; ; 
Cc: <[EMAIL PROTECTED]>; "Jeffrey Hutzelman" <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 1:48 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> >
> > Ah two new terms of Art - "Posture" and "Devices".
>
> I only see one.  I believe "device" is a fairly well-understood term,
> though perhaps "node" would have been more appropriate in this context.
>
> However, I completely agree that this proposed charter uses the term
> "posture" far too often not to define it.  I fail to see how whether my
> computer is sitting upright or lying on its side is relevant to whether it
> should be allowed access to the network.
>
> -- Jeff

OK, Devices is really well defined in both a technical and legal sense per
the Device based Frauds Act - the little brother of the CFAA. But in this
instance I wanted to bring out the use of the misnomer "Posture" relative to
a Device.

The Device is what it is. The Posture is clearly a term for Operating Policy,
which includes change management, security/integrity proofing, and the
general state-response policies that make up the controls and processes for
the Entity in question.

The problem we both saw was the indiscriminate use of the term Posture to
define a group of policies which were specific to a number of things that
the Charter was trying to lay claim to.

I don't necessarily think the NEA is a bad idea - but it's about auditing and
so it needs to be crafted as an audit tool and use audit speak in the
process IMHO.

Todd Glassey




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 01:54:51PM -0700, todd glassey wrote:
> No you are wrong Ted, and it's pretty funny too.  As it happens you are
> incorrect for saying that this is inappropriate for the IETF's lists.
> 
> You need to dig farther into the WIPO Site and find all the State Signatures
> to the Treaties - it's them that the IETF is bound by whether it likes it or
> not.  Since the countries through which the IETF's actions operate, including
> the meetings, are all signatories to the WIPO Treaties you are exactly stuck
> with them.

I said it was inappropriate for the IETF list.  If you have specific
ideas as they relate to the ipr working group, feel free to be
specific about specific WIPO treaties that have resulted in national
legislation, and specific changes to be made to IETF's IPR policies,
feel free to make them on that list, but not on the main IETF list,
please.

Thanks,

- Ted



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Darryl \(Dassa\) Lynch
Harald Alvestrand wrote:

>> Posture checking is certainly a leaky bucket. It doesn't
>> protect all kinds of endpoint, it doesn't protect the
>> endpoints against all kinds of threats, and it doesn't
>> protect much of anything against a smart, resourceful
>> attacker who is deeply familiar with the NEA system in use
>> and is interested in investing considerable resources in
>> attacking or circumventing it.

NEA itself may not offer any protection; it is more an informational tool
from my perspective.  How that information may be used could lead to some
protection, but that would vary with each deployment.

>> But (to recycle a very old simile) the fact that I can open
>> the locks of most doors with a crowbar doesn't mean that locks are
>> not useful. Organizations that have deployed products that do
>> something like what NEA is talking about have reported that their
>> TCO is reduced. 

In these days of information overload I still maintain that the more
information available, the better it is.

Darryl (Dassa) Lynch





Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
No you are wrong Ted, and it's pretty funny too.  As it happens you are
incorrect for saying that this is inappropriate for the IETF's lists.

You need to dig farther into the WIPO Site and find all the State Signatures
to the Treaties - its them that the IETF is bound by whether it likes it or
not.  Since the countries through which the IETF's actions operate including
the meetings, are all signatories to the WIPO Treaties you are exactly stuck
with them.


Todd Glassey


- Original Message - 
From: "Theodore Tso" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>
Cc: "Brian E Carpenter" <[EMAIL PROTECTED]>; ;
<[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 12:09 PM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> > No it wasn't Brian - the WIPO IP Framework calls for a set of
protections
> > for Industrial Designs which ALL of the work that happens here is
controlled
> > by right? Otherwise, do you formally want to make a declaration as the
> > IETF's Chair that the IETF and the ISOC are immune from Global IP Law
and
> > can pretty much do anything they want.
>
> Todd,
>
> According to the WIPO web site:
>
> "The World Intellectual Property Organization (WIPO) is a
> specialized agency of the United Nations. It is dedicated to
> developing a balanced and accessible international intellectual
> property (IP) system, which rewards creativity, stimulates innovation
> and contributes to economic development while safeguarding the public
> interest."
>
> What the WIPO might or might not call for might perhaps be of interest
> to various national legislative bodies, but it is completely out of
> scope for the IETF list.
>
> Regards,
>
> - Ted
> IETF Sergeant-at-Arms
>




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Jeffrey Hutzelman



On Wednesday, October 04, 2006 02:31:36 PM -0700 todd glassey 
<[EMAIL PROTECTED]> wrote:

> Vidya, good commentary, maybe I can add some more. The NEA, per the
> charter-need's justification statement says:
>
>> Network Endpoint Assessment (NEA) architectures have been implemented
>> in the industry to assess the "posture" of endpoint devices
>
> Ah two new terms of Art - "Posture" and "Devices".

I only see one.  I believe "device" is a fairly well-understood term, 
though perhaps "node" would have been more appropriate in this context.

However, I completely agree that this proposed charter uses the term 
"posture" far too often not to define it.  I fail to see how whether my 
computer is sitting upright or lying on its side is relevant to whether it 
should be allowed access to the network.


-- Jeff



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Theodore Tso
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections
> for Industrial Designs which ALL of the work that happens here is controlled
> by right? Otherwise, do you formally want to make a declaration as the
> IETF's Chair that the IETF and the ISOC are immune from Global IP Law and
> can pretty much do anything they want.

Todd,

According to the WIPO web site:

"The World Intellectual Property Organization (WIPO) is a
specialized agency of the United Nations. It is dedicated to
developing a balanced and accessible international intellectual
property (IP) system, which rewards creativity, stimulates innovation
and contributes to economic development while safeguarding the public
interest."

What the WIPO might or might not call for might perhaps be of interest
to various national legislative bodies, but it is completely out of
scope for the IETF list.

Regards,

- Ted
IETF Sergeant-at-Arms




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Narayanan, Vidya
Hi Susan, 

> -Original Message-
> From: Susan Thomson (sethomso) [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, October 08, 2006 3:27 PM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) 
> 
> 
> Hi Vidya
> 
> Inline ...
> 
> 
> > 
> > How about adding this text - "It should be noted that the 
> networks at 
> > large are exposed to attacks from lying endpoints and external 
> > entities attaching to the networks as well as any problems arising 
> > from unknown vulnerabilities on NEA compliant endpoints. Hence, NEA 
> > must not be considered a protection mechanism for networks. 
> Further, 
> > mechanisms needed to protect the network from all kinds of 
> > vulnerabilities are expected to be a superset of any 
> protection that 
> > may be achieved by employing NEA"?
> > 
> 
> It seems to me that this better belongs in a security 
> considerations section of the NEA spec, especially given 
> where we are in the review cycle and the amount of time spent 
> on this specific section already.
> 

No, this text definitely needs to be on the charter. From the number of
discussions even at this stage, it is clear that the charter lacks the
clarity in this space. This is not text about a particular draft in NEA
- it is about the scope of the WG. 




> > That is not necessarily putting any requirements in the 
> choice of the 
> > mandatory to implement protocol itself, as I see it. I believe that 
> > stating something like "The mandatory to implement PT 
> protocol must be 
> > generic enough to allow the execution of the NEA procedure without 
> > forcing the need to re-execute network access procedures".
> > 
> 
> I think protocol requirements belong in the requirements I-D.
> 

The charter text elsewhere does get into performing NEA procedures at
network access. Perhaps that could be removed from the charter too? If
the charter only specified that the PT protocol was out of scope and
left out any text about the timing of execution of the PT protocol w.r.t.
network access, that would be fine. 

> 
> > Not only do I not see anything in the charter or milestones that 
> > indicates that the WG is going to spend time exploring this, I 
> > strongly believe this WG should not be spending any time looking at 
> > this. The trust models for the cases where the devices are 
> not owned 
> > by the organization performing NEA are hugely different and 
> can take 
> > up its own WG to actually find something that applies there, if at 
> > all. For one, this could be considered a violation of 
> privacy by the 
> > user of the device. Secondly, the end user's perspective of attacks 
> > may be entirely different from the organization's 
> perspective in this 
> > case. Third, I simply can't see what the organization's interests 
> > would be in protecting a device that doesn't even belong to 
> it. Last 
> > but not the least, this requires the endpoint to be running an NEA 
> > client (that is interoperable with the NEA server of the 
> organization) 
> > - which in itself is often an unrealistic requirement.
> > 
> > Organizations that provide services in their networks to 
> end users are 
> > worried about protecting their resources (i.e., networks, servers, 
> > etc.). As we have agreed, NEA does not protect such 
> resources anyway.
> > Plus, there is absolutely no reason such organizations 
> should believe 
> > that devices they don't own are in fact, truthful endpoints.
> > 
> > So, thinking that this WG must be looking into resolving this seems 
> > flawed at several levels. In the interest of having a 
> focused WG that 
> > can get something useful accomplished, this does not make sense.
> > 
> No argument with your gist here.  The point I was trying to 
> make is that I think applicability may not be quite as "black 
> and white" as your original text suggests, and it would be 
> better if the applicability and security considerations 
> associated with NEA be addressed in the WG and specified in 
> the appropriate NEA documents.
> 

This again is not necessarily a document-specific issue. It applies in
general to anything that will be produced by this WG. 

> The charter could express itself  better in this regard. If 
> the last sentence was replaced with something like: "NEA can 
> be limited in its applicability when the endpoint and the 
> organization providing network access are owned by different 
> parties. NEA applicability and security consider

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread David W. Hankins
On Mon, Oct 09, 2006 at 09:08:42AM -0700, todd glassey wrote:
> No it wasn't Brian - the WIPO IP Framework calls for a set of protections
> for Industrial Designs which ALL of the work that happens here is controlled
> by right?

I suppose you might consider ALL IETF work as protected or threatened by
WIPO Industrial Designs [1] treaties if you first accept that "ALL" IETF
work is ornamental.

But of course, the joke isn't funny if you have to explain it.


[1] http://www.wipo.int/designs/en/designs.html

-- 
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email [EMAIL PROTECTED]
-- 
David W. Hankins"If you don't do it right the first time,
Software Engineer   you'll just have to do it again."
Internet Systems Consortium, Inc.   -- Jack T. Hankins




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Narayanan, Vidya
Hi Darryl, 



> >> 
> >> It appears that the NEA charter is completely misleading to some 
> >> people from what is stated in this email. As the NEA 
> charter alludes 
> >> to, NEA does nothing to protect against compromised 
> devices. Also, as 
> >> has been agreed, NEA is not a protection mechanism for the 
> network - 
> >> it is meant to be a protection mechanism for compliant, 
> truthful and 
> >> as yet uncompromised end hosts against known vulnerabilities.
> 
> True the NEA doesn't "do" anything to protect against 
> compromised devices but it does assist in limiting the known 
> compromises on endpoint devices by being a mechanism for the 
> checking and reporting on compliance to what ever network 
> policy is in place including virus and patch levels.  

I'm not sure what you mean by "known compromises" - did you mean known
vulnerabilities? If so, yes - I was not questioning the role of NEA in
dealing with known vulnerabilities on truthful endpoints. 

The discussion was about using NEA as a protection mechanism for the
network and that doesn't make sense to me and as I understand from
Susan, that is not the intention of the charter either. 

> As a 
> network administrator I already deploy mechanisms for doing 
> just this, but at a higher level than the NEA charter 
> indicates.  To me the difference is between being reactive or 
> proactive.  Compliance testing I already run occurs after an 
> end node has joined the network, with NEA the possibility is 
> for compliance checking before being allowed onto the network 
> so isolation and immediate remediation is possible.
> 
> >> Any network, in its own best interests, must assume that 
> it has lying 
> >> and compromised endpoints connecting to it and that there 
> are unknown 
> >> vulnerabilities on any NEA-compliant devices connecting to it. Any 
> >> kind of protection that addresses these general threats that the 
> >> network may be exposed to at any time will simply obviate the need 
> >> for NEA from the network perspective.
> 
> Reliance on one protection or reporting mechanism is not 
> enough.  We need a lot of varied tools to cover all the bases 
> and minimise risk.
> 

This is repetition at this point - but, when a network has mechanisms to
protect itself against lying endpoints and unknown vulnerabilities, that
should cover protection against truthful ones with known
vulnerabilities. Otherwise, the network is obviously not adequately
protected against the broader set of threats. So, one would employ NEA
in their networks to protect the end hosts attaching to the network, not
the network itself. 

> >> A network operator that thinks the network is getting any 
> protection 
> >> by employing NEA is clearly ignoring the obvious real threats that 
> >> the network is exposed to at any time.
> 
> No, NEA would just be one more tool used to improve overall 
> security and minimise risk.  It would be at a different level 
> to the tools some of already deploy.
> 
> >> This is what I meant when I said that the charter is 
> unclear and it 
> >> must explicitly state that NEA is not meant as a 
> protection mechanism 
> >> of any sort for the network.
> 
> I don't believe the Charter needs to delve into this at all.  
> If some people see it as part of their protection mechanisms, 
> so be it.
> 

That is a terrible approach to take, given how misleading the charter
obviously has been to many. The charter must be clear about what the WG
is doing and what is out of scope. 

Vidya



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
Fritz this is a much bigger issue than ANYONE thinks at this time and it's
based on the idea that the WIPO standard says that the IETF MUST be doing
Industrial Design IP Models, and it only does Copyright which is a violation
of the WIPO IP protection framework and the treaties ALL of the Member
States have signed.

Interesting eh?

Todd Glassey



- Original Message - 
From: "Fritz F. Saad" <[EMAIL PROTECTED]>
To: "todd glassey" <[EMAIL PROTECTED]>; "Brian E Carpenter"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 6:58 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> Todd,
>
>
>
> Agreed, we should work to fix that.
>
>
>
> Fritz.
>
>
>
> - Original Message - 
> From: "todd glassey" <[EMAIL PROTECTED]>
> To: "Brian E Carpenter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; 
> Sent: Monday, October 09, 2006 7:17 AM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>
> The IETF has an obligation to WIPO and to the DMCA and well - so far it's
> failed those pretty well I think.
>
> Todd Glassey
>
> ----- Original Message - 
> From: "Brian E Carpenter" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; 
> Sent: Monday, October 09, 2006 2:07 AM
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>
>
> >
> > >>>This is what I meant when I said that the charter is unclear
> > >>>and it must explicitly state that NEA is not meant as a
> > >>>protection mechanism of any sort for the network.
> > >
> > >
> > > I don't believe the Charter needs to delve into this at all.  If some
> people
> > > see it as part of their protection mechanisms, so be it.
> > >
> > > Darryl (Dassa) Lynch
> >
> > The IETF has an obligation to "truth in advertising" so IMHO we should
not
> > claim protection that doesn't exist, even implicitly.
> >
> > Brian
> >




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
No it wasn't Brian - the WIPO IP Framework calls for a set of protections
for Industrial Designs which ALL of the work that happens here is controlled
by right? Otherwise, do you formally want to make a declaration as the
IETF's Chair that the IETF and the ISOC are immune from Global IP Law and
can pretty much do anything they want.

Todd Glassey

- Original Message - 
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To: 
Cc: <[EMAIL PROTECTED]>
Sent: Monday, October 09, 2006 7:31 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


> > Agreed, we should work to fix that.
> ...
> > The IETF has an obligation to WIPO and to the DMCA
> ...
>
> I can only assume this was intended as some form of joke.
>
> Brian
>




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Keith Moore
> > The IETF has an obligation to WIPO and to the DMCA 
> ...
> I can only assume this was intended as some form of joke.

regardless of intent, it should be treated as such.

Keith




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Brian E Carpenter

> Agreed, we should work to fix that.
...
> The IETF has an obligation to WIPO and to the DMCA 
...

I can only assume this was intended as some form of joke.

   Brian



Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Fritz F. Saad
Todd,



Agreed, we should work to fix that.



Fritz.



- Original Message - 
From: "todd glassey" <[EMAIL PROTECTED]>
To: "Brian E Carpenter" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 7:17 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


The IETF has an obligation to WIPO and to the DMCA and well - so far it's
failed those pretty well I think.

Todd Glassey

- Original Message - 
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 2:07 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


>
> >>>This is what I meant when I said that the charter is unclear
> >>>and it must explicitly state that NEA is not meant as a
> >>>protection mechanism of any sort for the network.
> >
> >
> > I don't believe the Charter needs to delve into this at all.  If some
people
> > see it as part of their protection mechanisms, so be it.
> >
> > Darryl (Dassa) Lynch
>
> The IETF has an obligation to "truth in advertising" so IMHO we should not
> claim protection that doesn't exist, even implicitly.
>
> Brian
>


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread todd glassey
The IETF has an obligation to WIPO and to the DMCA and well - so far it's
failed those pretty well I think.

Todd Glassey

- Original Message - 
From: "Brian E Carpenter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; 
Sent: Monday, October 09, 2006 2:07 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)


>
> >>>This is what I meant when I said that the charter is unclear
> >>>and it must explicitly state that NEA is not meant as a
> >>>protection mechanism of any sort for the network.
> >
> >
> > I don't believe the Charter needs to delve into this at all.  If some
people
> > see it as part of their protection mechanisms, so be it.
> >
> > Darryl (Dassa) Lynch
>
> The IETF has an obligation to "truth in advertising" so IMHO we should not
> claim protection that doesn't exist, even implicitly.
>
> Brian
>


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-09 Thread Brian E Carpenter



>>> This is what I meant when I said that the charter is unclear
>>> and it must explicitly state that NEA is not meant as a
>>> protection mechanism of any sort for the network.
>
> I don't believe the Charter needs to delve into this at all.  If some people
> see it as part of their protection mechanisms, so be it.
>
> Darryl (Dassa) Lynch 

The IETF has an obligation to "truth in advertising" so IMHO we should not
claim protection that doesn't exist, even implicitly.

   Brian



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Susan Thomson (sethomso)

Hi Vidya

Inline ...


> 
> How about adding this text - "It should be noted that the networks at
> large are exposed to attacks from lying endpoints and 
> external entities
> attaching to the networks as well as any problems arising from unknown
> vulnerabilities on NEA compliant endpoints. Hence, NEA must not be
> considered a protection mechanism for networks. Further, mechanisms
> needed to protect the network from all kinds of vulnerabilities are
> expected to be a superset of any protection that may be achieved by
> employing NEA"? 
> 

It seems to me that this better belongs in a security considerations
section of the NEA spec, especially given where we are in the review
cycle and the amount of time spent on this specific section already.


> > 
> > Bearing the original motivation in mind, would the following 
> > work better?
> > "An organization may make a range of policy decisions based 
> > on the posture of an endpoint. NEA is not intended to be 
> > prescriptive in this regard. For example, potential 
> > deployment scenarios may include,but are not  limited to, 
> > providing normal access regardless of compliance with 
> > recommendations for remediation ("advisory mode"), as well as 
> > providing restricted access sufficient for remediation 
> > purposes and any essential services until an endpoint is in 
> > compliance ("mandatory mode"). 
> > 
> 
> I'm not sure that the charter actually needs to get into the modes at
> all - I'm guessing what happens after NEA (i.e., what is done with the
> results from NEA) has zero impact on any work being done in 
> NEA itself.
> So, why not simply state something like "Once NEA is conducted on an
> endpoint, the results may be used by an organization in 
> accordance with
> any policies of the organization itself."? 
> 

Again, the text was added at the request of the security AD. I have no
problem with Sam Hartman's modification to the text I proposed, your
text above, or none at all.


> That is not necessarily putting any requirements in the choice of the
> mandatory to implement protocol itself, as I see it. I believe that
> stating something like "The mandatory to implement PT protocol must be
> generic enough to allow the execution of the NEA procedure without
> forcing the need to re-execute network access procedures". 
> 

I think protocol requirements belong in the requirements I-D.


> Not only do I not see anything in the charter or milestones that
> indicates that the WG is going to spend time exploring this, 
> I strongly
> believe this WG should not be spending any time looking at this. The
> trust models for the cases where the devices are not owned by the
> organization performing NEA are hugely different and can take 
> up its own
> WG to actually find something that applies there, if at all. For one,
> this could be considered a violation of privacy by the user of the
> device. Secondly, the end user's perspective of attacks may 
> be entirely
> different from the organization's perspective in this case. Third, I
> simply can't see what the organization's interests would be in
> protecting a device that doesn't even belong to it. Last but not the
> least, this requires the endpoint to be running an NEA client (that is
> interoperable with the NEA server of the organization) - 
> which in itself
> is often an unrealistic requirement. 
> 
> Organizations that provide services in their networks to end users are
> worried about protecting their resources (i.e., networks, servers,
> etc.). As we have agreed, NEA does not protect such resources anyway.
> Plus, there is absolutely no reason such organizations should believe
> that devices they don't own are in fact, truthful endpoints. 
> 
> So, thinking that this WG must be looking into resolving this seems
> flawed at several levels. In the interest of having a focused WG that
> can get something useful accomplished, this does not make sense. 
> 
No argument with your gist here.  The point I was trying to make is that
I think applicability may not be quite as "black and white" as your
original text suggests, and it would be better if the applicability and
security considerations associated with NEA be addressed in the WG and
specified in the appropriate NEA documents.

The charter could express itself  better in this regard. If the last
sentence was replaced with something like: "NEA can be limited in its
applicability when the endpoint and the organization providing network
access are owned by different parties. NEA applicability and security
considerations will be described in the appropriate NEA documents."
Would this work? 

Thanks
Susan



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Darryl (Dassa) Lynch
Hi Vidya

Narayanan, Vidya wrote:
>>> -Original Message-
>>> From: Susmit Panjwani [mailto:[EMAIL PROTECTED]
>>> Sent: Saturday, October 07, 2006 5:04 PM
>>> To: Harald Alvestrand
>>> Cc: Narayanan, Vidya; [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
>>> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
>>> 
>>>>> Third, I simply can't see what the organization's interests would be
in
>>>>> protecting a device that doesn't even belong to it.
>>> 
>>>> An organization might not be interested in protecting a device that
>>>> does not belong to it but would definitely be interested in
>>>> preventing the attacks originating from such device (if
>>>> compromised) when it joins the organization network.
>> 
>> It appears that the NEA charter is completely misleading to
>> some people from what is stated in this email. As the NEA
>> charter alludes to, NEA does nothing to protect against
>> compromised devices. Also, as has been agreed, NEA is not a
>> protection mechanism for the network - it is meant to be a
>> protection mechanism for compliant, truthful and as yet
>> uncompromised end hosts against known vulnerabilities.

True the NEA doesn't "do" anything to protect against compromised devices
but it does assist in limiting the known compromises on endpoint devices by
being a mechanism for the checking and reporting on compliance to what ever
network policy is in place including virus and patch levels.  As a network
administrator I already deploy mechanisms for doing just this, but at a
higher level than the NEA charter indicates.  To me the difference is
between being reactive or proactive.  Compliance testing I already run
occurs after an end node has joined the network, with NEA the possibility is
for compliance checking before being allowed onto the network so isolation
and immediate remediation is possible.

>> Any network, in its own best interests, must assume that it
>> has lying and compromised endpoints connecting to it and
>> that there are unknown vulnerabilities on any NEA-compliant
>> devices connecting to it. Any kind of protection that
>> addresses these general threats that the network may be
>> exposed to at any time will simply obviate the need for NEA from the
>> network perspective. 

Reliance on one protection or reporting mechanism is not enough.  We need a
lot of varied tools to cover all the bases and minimise risk.

>> A network operator that thinks the network is getting any
>> protection by employing NEA is clearly ignoring the obvious
>> real threats that the network is exposed to at any time.

No, NEA would just be one more tool used to improve overall security and
minimise risk.  It would be at a different level to the tools some of
already deploy.

>> This is what I meant when I said that the charter is unclear
>> and it must explicitly state that NEA is not meant as a
>> protection mechanism of any sort for the network.

I don't believe the Charter needs to delve into this at all.  If some people
see it as part of their protection mechanisms, so be it.

Darryl (Dassa) Lynch 


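The two messages above describe the mechanics under debate: a posture report (patch level, anti-virus state) is checked against network policy before the endpoint is admitted, the result is handled either in an "advisory mode" (report, but grant normal access) or a "mandatory mode" (hold the endpoint in a remediation network until it complies), and a lying or compromised endpoint simply reports whatever the policy wants to hear. The following Python sketch is an added illustration of that logic, not code from the NEA WG or from any of the posters; the attribute names, the policy thresholds and the sample posture reports are assumptions constructed for the example.

```python
"""Minimal NEA-style posture evaluation (illustrative, not NEA WG code).

Attribute names, thresholds and the sample reports below are assumptions
constructed for this example; a real deployment would carry many more
attributes and would get them from a posture collector on the endpoint.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Mode(Enum):
    ADVISORY = "advisory"    # report non-compliance, grant normal access anyway
    MANDATORY = "mandatory"  # hold non-compliant endpoints in a remediation network


@dataclass(frozen=True)
class Policy:
    min_os_patch_level: int
    max_av_signature_age_days: int
    # Attributes the endpoint must report at all (assumed names).
    required_attributes: tuple = ("os_patch_level", "av_signature_date", "firewall_enabled")


@dataclass
class Decision:
    compliant: bool
    access: str                      # "normal" or "remediation"
    findings: list = field(default_factory=list)


def evaluate_posture(report, policy, mode, today):
    """Compare one self-reported posture dict against policy.

    A missing attribute counts as non-compliance: an endpoint with no NEA
    client, or one whose collector lacks the attribute, cannot be judged
    compliant.  Nothing here verifies that the report is truthful; that is
    exactly the limitation the thread is arguing about.
    """
    findings = []
    for attr in policy.required_attributes:
        if attr not in report:
            findings.append(f"missing attribute: {attr}")
    if "os_patch_level" in report and report["os_patch_level"] < policy.min_os_patch_level:
        findings.append(f"os_patch_level {report['os_patch_level']} < {policy.min_os_patch_level}")
    if "av_signature_date" in report:
        age = (today - date.fromisoformat(report["av_signature_date"])).days
        if age > policy.max_av_signature_age_days:
            findings.append(f"av signatures {age} days old (max {policy.max_av_signature_age_days})")
    if "firewall_enabled" in report and not report["firewall_enabled"]:
        findings.append("host firewall disabled")

    compliant = not findings
    # Advisory mode never restricts access; mandatory mode restricts until compliant.
    access = "normal" if (compliant or mode is Mode.ADVISORY) else "remediation"
    return Decision(compliant, access, findings)


# Constructed sample data (assumed policy values and hosts).
TODAY = date(2006, 10, 9)
POLICY = Policy(min_os_patch_level=12, max_av_signature_age_days=7)
REPORTS = {
    "patched_laptop": {"os_patch_level": 14, "av_signature_date": "2006-10-08", "firewall_enabled": True},
    "stale_laptop":   {"os_patch_level": 9,  "av_signature_date": "2006-09-01", "firewall_enabled": False},
    "no_nea_client":  {},
    # A compromised host under attacker control just reports a clean posture.
    "lying_host":     {"os_patch_level": 14, "av_signature_date": "2006-10-08", "firewall_enabled": True},
}


def run_all(mode):
    """Evaluate every sample report under the given mode; returns name -> Decision."""
    return {name: evaluate_posture(r, POLICY, mode, TODAY) for name, r in REPORTS.items()}


if __name__ == "__main__":
    for mode in Mode:
        for name, d in run_all(mode).items():
            print(f"{mode.value:9} {name:15} compliant={d.compliant} access={d.access} {d.findings}")
```

Running it shows the point both posters were circling: in mandatory mode the stale laptop and the host with no NEA client are parked in the remediation network before they reach the rest of the LAN, but the lying host is indistinguishable from the patched one, so the check protects truthful endpoints from known vulnerabilities and does nothing for the network against a dishonest one.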


Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Harald Alvestrand

Lakshminath Dondeti wrote:
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>> Many universities require their students to buy their own laptops, 
>> but prohibit certain types of activity from those laptops (like 
>> spamming, DDOS-attacks and the like). They would love to have the 
>> ability to run some kind of NEA procedure to ensure that laptops are 
>> reasonably virus-free and free from known vulnerabilities, and are 
>> important enough in their students' lives that they can probably 
>> enforce it without a complaint about "violation of privacy".
>>
>> Just pointing out that there's one use case with user-managed 
>> endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are 
> discussing use cases, and so I guess it's on topic.  Universities 
> should be the last places to try antics like NEA.  Whereas an 
> operational network would be a priority to them, it is also important 
> that they allow students to experiment with new applications.  If we 
> are believing that general purpose computing will be taken away from 
> college students, we are indeed talking about a different world.
>
> In any event, the bottomline is NEA as a solution to "network 
> protection" is a leaky bucket at best.
>
> NEA at best *may* raise the bar in attacking a "closed" network where 
> endpoints are owned and tightly controlled by the organization that 
> owns the network. 

Posture checking is certainly a leaky bucket. It doesn't protect all 
kinds of endpoint, it doesn't protect the endpoints against all kinds of 
threats, and it doesn't protect much of anything against a smart, 
resourceful attacker who is deeply familiar with the NEA system in use 
and is interested in investing considerable resources in attacking or 
circumventing it.

But (to recycle a very old simile) the fact that I can open the locks of 
most doors with a crowbar doesn't mean that locks are not useful. 
Organizations that have deployed products that do something like what 
NEA is talking about have reported that their TCO is reduced.


   Harald




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Narayanan, Vidya
 

> -Original Message-
> From: Lakshminath Dondeti [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 07, 2006 10:43 AM
> To: Harald Alvestrand; Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
> >>
> >Many universities require their students to buy their own 
> laptops, but 
> >prohibit certain types of activity from those laptops (like 
> spamming, 
> >DDOS-attacks and the like). They would love to have the 
> ability to run 
> >some kind of NEA procedure to ensure that laptops are reasonably 
> >virus-free and free from known vulnerabilities, and are important 
> >enough in their students' lives that they can probably enforce it 
> >without a complaint about "violation of privacy".
> >
> >Just pointing out that there's one use case with 
> user-managed endpoints 
> >where NEA is not obviously a bad idea.
> 
> My email ventures into a bit of non-IETF territory, but we 
> are discussing use cases, and so I guess it's on topic.  
> Universities should be the last places to try antics like 
> NEA.  Whereas an operational network would be a priority to 
> them, it is also important that they allow students to 
> experiment with new applications.  If we are believing that 
> general purpose computing will be taken away from college 
> students, we are indeed talking about a different world.
> 

I agree. Even in a controlled environment, there is bound to be
software/hardware that does not quite support NEA or specific posture
attributes. In a university environment, while some basic posture
reporting is feasible, there is bound to be a lot of software/hardware
that does not support any NEA parameters. The protection that even the
endhost may be getting from NEA is quite limited. 


> In any event, the bottomline is NEA as a solution to "network 
> protection" is a leaky bucket at best.
> 

The charter must be clarified to dispel this myth about NEA protecting
the network from anything.  

Vidya


> NEA at best *may* raise the bar in attacking a "closed" 
> network where endpoints are owned and tightly controlled by 
> the organization that owns the network.
> 
> Lakshminath
> 
> 
> >Harald
> >
> >
> 
> 



RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-08 Thread Narayanan, Vidya
 

> -Original Message-
> From: Susmit Panjwani [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 07, 2006 5:04 PM
> To: Harald Alvestrand
> Cc: Narayanan, Vidya; [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> > > Third, I simply can't see what the organization's interests would
> > > be in protecting a device that doesn't even belong to it.
> 
> An organization might not be interested in protecting a 
> device that does not belong to it but would definitely be 
> interested in preventing the attacks originating from such 
> device (if compromised) when it joins the organization 
> network.  

It appears that the NEA charter is completely misleading to some people
from what is stated in this email. As the NEA charter alludes to, NEA
does nothing to protect against compromised devices. Also, as has been
agreed, NEA is not a protection mechanism for the network - it is meant
to be a protection mechanism for compliant, truthful and as yet
uncompromised end hosts against known vulnerabilities. 

Any network, in its own best interests, must assume that it has lying
and compromised endpoints connecting to it and that there are unknown
vulnerabilities on any NEA-compliant devices connecting to it. Any kind
of protection that addresses these general threats that the network may
be exposed to at any time will simply obviate the need for NEA from the
network perspective. 

A network operator that thinks the network is getting any protection by
employing NEA is clearly ignoring the obvious real threats that the
network is exposed to at any time. 

This is what I meant when I said that the charter is unclear and it must
explicitly state that NEA is not meant as a protection mechanism of any
sort for the network. 

Vidya

> To cite a study that we performed at
> UMD: we did a cost-benefit analysis based on the captured 
> attacks from within the organization, and it turns out that 
> the organization would benefit significantly if they  
> implement any trusted network access technology.
> 
> I do realize that there would be issues in terms of user 
> privacy and interoperability (which this charter is trying to 
> tackle) but just wanted to mention that there would be 
> significant benefits if they can implement it. This is 
> especially true for a university environment.  As a matter of 
> fact I am aware of some universities/departments that were 
> planning to implement a home-grown solution for this.
> 
> Susmit
> 
> --
> Susmit Panjwani
> 
> PhD Candidate,
> Center for Risk and Reliability,
> University of Maryland
> Cell: 240-460-9782
> 
> 
> On 10/7/06, Harald Alvestrand <[EMAIL PROTECTED]> wrote:
> > >
> > > The reason we left it open is to allow the working group to spend 
> > > more
> > > > time exploring the range of use cases in this area to better 
> > > > determine requirements and applicability. For example, 
> it may be 
> > > > useful to classify endpoints as network-managed versus 
> > > > user-managed versus 3rd-party managed. A user-managed 
> endpoint may 
> > > > want the choice to opt in or opt out, say.
> > > >
> > >
> > >
> > > Not only do I not see anything in the charter or milestones that 
> > > indicates that the WG is going to spend time exploring this, I 
> > > strongly believe this WG should not be spending any time 
> looking at 
> > > this. The trust models for the cases where the devices 
> are not owned 
> > > by the organization performing NEA are hugely different 
> and can take 
> > > up its own WG to actually find something that applies 
> there, if at 
> > > all. For one, this could be considered a violation of 
> privacy by the 
> > > user of the device. Secondly, the end user's perspective 
> of attacks 
> > > may be entirely different from the organization's perspective in 
> > > this case. Third, I simply can't see what the organization's 
> > > interests would be in protecting a device that doesn't 
> even belong 
> > > to it. Last but not the least, this requires the endpoint to be 
> > > running an NEA client (that is interoperable with the NEA 
> server of 
> > > the organization) - which in itself is often an 
> unrealistic requirement.
> > Many universities require their students to buy their own 
> laptops, but 
> > prohibit certain types of activity from those laptops (like 
> spamming, 
> > DDOS-attacks and the like). They would love to have the 
> ability to run 
> > some kind of NEA procedure to

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-07 Thread Douglas Otis


On Oct 7, 2006, at 10:42 AM, Lakshminath Dondeti wrote:


> At 01:42 AM 10/7/2006, Harald Alvestrand wrote:
>
> > Many universities require their students to buy their own laptops,
> > but prohibit certain types of activity from those laptops (like
> > spamming, DDOS-attacks and the like). They would love to have the
> > ability to run some kind of NEA procedure to ensure that laptops
> > are reasonably virus-free and free from known vulnerabilities, and
> > are important enough in their students' lives that they can
> > probably enforce it without a complaint about "violation of privacy".
> >
> > Just pointing out that there's one use case with user-managed
> > endpoints where NEA is not obviously a bad idea.
>
> My email ventures into a bit of non-IETF territory, but we are
> discussing use cases, and so I guess it's on topic.  Universities
> should be the last places to try antics like NEA.  Whereas an
> operational network would be a priority to them, it is also
> important that they allow students to experiment with new
> applications.  If we are believing that general purpose computing
> will be taken away from college students, we are indeed talking
> about a different world.
>
> In any event, the bottomline is NEA as a solution to "network
> protection" is a leaky bucket at best.
>
> NEA at best *may* raise the bar in attacking a "closed" network
> where endpoints are owned and tightly controlled by the
> organization that owns the network.


Services are currently offered that detect abnormal traffic, where  
users are directed to scrubbing services suitable for ISPs or  
universities.  This is done through walled garden techniques.  Once  
remediation is completed, restrictions are removed.  This does not  
depend upon specific conformance standardization, but rather  
specialized utilities loaded with a browser where restrictions are  
also applied.  When the system in question is not using a browser,  
other methods of notification of a need for remediation are needed.


A standardized signaling of asserted conformance and a need for  
remediation might be where this effort is best focused.


-Doug 




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-07 Thread Lakshminath Dondeti

At 01:42 AM 10/7/2006, Harald Alvestrand wrote:


> Many universities require their students to buy their own laptops, 
> but prohibit certain types of activity from those laptops (like 
> spamming, DDOS-attacks and the like). They would love to have the 
> ability to run some kind of NEA procedure to ensure that laptops are 
> reasonably virus-free and free from known vulnerabilities, and are 
> important enough in their students' lives that they can probably 
> enforce it without a complaint about "violation of privacy".
>
> Just pointing out that there's one use case with user-managed 
> endpoints where NEA is not obviously a bad idea.


My email ventures into a bit of non-IETF territory, but we are 
discussing use cases, and so I guess it's on topic.  Universities 
should be the last places to try antics like NEA.  Whereas an 
operational network would be a priority to them, it is also important 
that they allow students to experiment with new applications.  If we 
are believing that general purpose computing will be taken away from 
college students, we are indeed talking about a different world.


In any event, the bottomline is NEA as a solution to "network 
protection" is a leaky bucket at best.


NEA at best *may* raise the bar in attacking a "closed" network where 
endpoints are owned and tightly controlled by the organization that 
owns the network.


Lakshminath



> Harald







Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-07 Thread todd glassey
Harald - get Microsoft to buy into this idea and it's done.

Todd Glassey
- Original Message - 
From: "Harald Alvestrand" <[EMAIL PROTECTED]>
To: "Narayanan, Vidya" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; ; 
Sent: Saturday, October 07, 2006 1:42 AM
Subject: Re: [Nea] WG Review: Network Endpoint Assessment (nea)



> >
> > Not only do I not see anything in the charter or milestones that
> > indicates that the WG is going to spend time exploring this, I strongly
> > believe this WG should not be spending any time looking at this. The
> > trust models for the cases where the devices are not owned by the
> > organization performing NEA are hugely different and can take up its own
> > WG to actually find something that applies there, if at all. For one,
> > this could be considered a violation of privacy by the user of the
> > device. Secondly, the end user's perspective of attacks may be entirely
> > different from the organization's perspective in this case. Third, I
> > simply can't see what the organization's interests would be in
> > protecting a device that doesn't even belong to it. Last but not the
> > least, this requires the endpoint to be running an NEA client (that is
> > interoperable with the NEA server of the organization) - which in itself
> > is often an unrealistic requirement.
>
> Many universities require their students to buy their own laptops, but
> prohibit certain types of activity from those laptops (like spamming,
> DDOS-attacks and the like). They would love to have the ability to run
> some kind of NEA procedure to ensure that laptops are reasonably
> virus-free and free from known vulnerabilities, and are important enough
> in their students' lives that they can probably enforce it without a
> complaint about "violation of privacy".
>
> Just pointing out that there's one use case with user-managed endpoints
> where NEA is not obviously a bad idea.
>
> Harald
>
>




Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-07 Thread Harald Alvestrand


> > The reason we left it open is to allow the working group to spend more
> > time exploring the range of use cases in this area to better determine
> > requirements and applicability. For example, it may be useful to
> > classify endpoints as network-managed versus user-managed versus
> > 3rd-party managed. A user-managed endpoint may want the choice to opt in
> > or opt out, say.
>
> Not only do I not see anything in the charter or milestones that
> indicates that the WG is going to spend time exploring this, I strongly
> believe this WG should not be spending any time looking at this. The
> trust models for the cases where the devices are not owned by the
> organization performing NEA are hugely different and can take up its own
> WG to actually find something that applies there, if at all. For one,
> this could be considered a violation of privacy by the user of the
> device. Secondly, the end user's perspective of attacks may be entirely
> different from the organization's perspective in this case. Third, I
> simply can't see what the organization's interests would be in
> protecting a device that doesn't even belong to it. Last but not the
> least, this requires the endpoint to be running an NEA client (that is
> interoperable with the NEA server of the organization) - which in itself
> is often an unrealistic requirement.

Many universities require their students to buy their own laptops, but 
prohibit certain types of activity from those laptops (like spamming, 
DDOS-attacks and the like). They would love to have the ability to run 
some kind of NEA procedure to ensure that laptops are reasonably 
virus-free and free from known vulnerabilities, and are important enough 
in their students' lives that they can probably enforce it without a 
complaint about "violation of privacy".


Just pointing out that there's one use case with user-managed endpoints 
where NEA is not obviously a bad idea.


   Harald




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-06 Thread Narayanan, Vidya
Hi Susan,
Please see inline.  

> -Original Message-
> From: Susan Thomson (sethomso) [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 05, 2006 12:22 PM
> To: Narayanan, Vidya
> Cc: [EMAIL PROTECTED]; iesg@ietf.org; ietf@ietf.org
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) 
> 
> Hi Vidya
> 
> Thanks for your comments.
> 
> Inline ...
> 
> > -Original Message-
> > From: Narayanan, Vidya [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 04, 2006 12:48 PM
> > To: iesg@ietf.org
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)
> > 
> > 
> > All,
> > Comments on the charter inline below.  
> > 
> > > -Original Message-
> > > From: IESG Secretary [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, October 02, 2006 7:30 AM
> > > To: ietf-announce@ietf.org
> > > Cc: [EMAIL PROTECTED]
> > > Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
> > > 
> > > A new IETF working group has been proposed in the Security Area.  
> > > The IESG has not made any determination as yet. The 
> following draft 
> > > charter was submitted, and is provided for informational purposes 
> > > only.
> > > Please send your comments to the IESG mailing list
> > > (iesg@ietf.org) by October 9.
> > > 
> > > +++
> > > 
> > > Network Endpoint Assessment (nea)
> > > ==
> > > 
> > > Current Status: Proposed Working Group
> > > 
> > > Chair(s): 
> > > TBD
> > > 
> > > Security Area Director(s):
> > > Russ Housley <[EMAIL PROTECTED]>
> > > Sam Hartman <[EMAIL PROTECTED]>
> > > 
> > > Security Area Advisor:
> > > Russ Housley <[EMAIL PROTECTED]>
> > > 
> > > Mailing List: [EMAIL PROTECTED]
> > > 
> > > Description of Working Group:
> > > 
> > > Network Endpoint Assessment (NEA) architectures have been 
> > > implemented in the industry to assess the "posture" of endpoint 
> > > devices for the purposes of monitoring compliance to an 
> > > organization's posture policy and optionally restricting access 
> > > until the endpoint has been updated to satisfy the posture 
> > > requirements. An endpoint that does not comply with 
> posture policy 
> > > may be vulnerable to a number of known threats that may 
> exist on the 
> > > network. The intent of NEA is to facilitate corrective actions to 
> > > address these known vulnerabilities before a host is exposed to 
> > > potential attack.
> > 
> > 
> > Is it fair to then say that NEA is attempting to protect 
> the endhost 
> > and not necessarily the network?
> 
> Yes, this is the focus. 
> 
> > That is not immediately clear in the
> > charter. Obviously, the network must deal with all kinds of 
> known and 
> > unknown threats and a process like NEA is inadequate to 
> protect it at 
> > any acceptable level. That is why we employ a number of other 
> > mechanisms like firewalls, access control, packet filters, IDS/IPS, 
> > etc. in any combination to appropriately protect the networks.
> > 
> > So, stating that NEA is not attempting to protect the 
> network at large 
> > would bring a lot of clarity to the charter.
> > 
> 
> Since we have been around the block a few times on this 
> section, could you suggest precise text that you would like 
> to see to make this clearer?  
> 

How about adding this text - "It should be noted that the networks at
large are exposed to attacks from lying endpoints and external entities
attaching to the networks as well as any problems arising from unknown
vulnerabilities on NEA compliant endpoints. Hence, NEA must not be
considered a protection mechanism for networks. Further, mechanisms
needed to protect the network from all kinds of vulnerabilities are
expected to be a superset of any protection that may be achieved by
employing NEA"? 


> > 
> > > Two deployment scenarios will be supported: advisory mode and 
> > > mandatory mode.
> > > In advisory mode, an endpoint may be advised of the result of 
> > > posture assessment and any recommended remediation 
> actions, but is 
> > > provided normal network access regardless of the result. In 
> > > mandatory mode, a non-compliant endpoint is given 
> restricted access 
> > > to the network sufficient for remediation purposes and 

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-05 Thread Sam Hartman
> "Susan" == Susan Thomson (sethomso) <[EMAIL PROTECTED]> writes:

Susan> regard. For example, potential deployment scenarios may
Susan> include,but are not limited to, providing normal access

Drop the may include.  You want to have at least one or two
deployments that you commit to solving to check your requirements
against.
You can have include but are not limited if you like.

Susan> 
Susan> regardless of compliance with recommendations for
Susan> remediation ("advisory mode"), as well as providing
Susan> restricted access sufficient for remediation purposes and
Susan> any essential services until an endpoint is in compliance
Susan> ("mandatory mode").


I express no preference on whether or not the new or old text is
better.  I just want to commit to at least one deployment.




RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-05 Thread Susan Thomson \(sethomso\)
Hi Vidya

Thanks for your comments.

Inline ...

> -Original Message-
> From: Narayanan, Vidya [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 04, 2006 12:48 PM
> To: iesg@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea) 
> 
> 
> All,
> Comments on the charter inline below.  
> 
> > -Original Message-
> > From: IESG Secretary [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, October 02, 2006 7:30 AM
> > To: ietf-announce@ietf.org
> > Cc: [EMAIL PROTECTED]
> > Subject: [Nea] WG Review: Network Endpoint Assessment (nea) 
> > 
> > A new IETF working group has been proposed in the Security Area.  
> > The IESG has not made any determination as yet. The following 
> > draft charter was submitted, and is provided for 
> > informational purposes only.
> > Please send your comments to the IESG mailing list 
> > (iesg@ietf.org) by October 9.
> > 
> > +++
> > 
> > Network Endpoint Assessment (nea)
> > ==
> > 
> > Current Status: Proposed Working Group
> > 
> > Chair(s): 
> > TBD
> > 
> > Security Area Director(s):
> > Russ Housley <[EMAIL PROTECTED]>
> > Sam Hartman <[EMAIL PROTECTED]>
> > 
> > Security Area Advisor:
> > Russ Housley <[EMAIL PROTECTED]>
> > 
> > Mailing List: [EMAIL PROTECTED]
> > 
> > Description of Working Group:
> > 
> > Network Endpoint Assessment (NEA) architectures have been 
> > implemented in the industry to assess the "posture" of 
> > endpoint devices for the purposes of monitoring compliance to 
> > an organization's posture policy and optionally restricting 
> > access until the endpoint has been updated to satisfy the 
> > posture requirements. An endpoint that does not comply with 
> > posture policy may be vulnerable to a number of known threats 
> > that may exist on the network. The intent of NEA is to 
> > facilitate corrective actions to address these known 
> > vulnerabilities before a host is exposed to potential attack.
> 
> 
> Is it fair to then say that NEA is attempting to protect the 
> endhost and
> not necessarily the network? 

Yes, this is the focus. 

> That is not immediately clear in the
> charter. Obviously, the network must deal with all kinds of known and
> unknown threats and a process like NEA is inadequate to protect it at
> any acceptable level. That is why we employ a number of other 
> mechanisms
> like firewalls, access control, packet filters, IDS/IPS, etc. in any
> combination to appropriately protect the networks. 
> 
> So, stating that NEA is not attempting to protect the network at large
> would bring a lot of clarity to the charter. 
> 

Since we have been around the block a few times on this section, could
you suggest precise text that you would like to see to make this
clearer?  

> 
> > Two deployment scenarios will be supported: advisory mode and 
> > mandatory mode.
> > In advisory mode, an endpoint may be advised of the result of 
> > posture assessment and any recommended remediation actions, 
> > but is provided normal network access regardless of the 
> > result. In mandatory mode, a non-compliant endpoint is given 
> > restricted access to the network sufficient for remediation 
> > purposes and any essential services or denied access completely.
> > 
> 
> It is unclear how the advisory vs mandatory model relates to the NEA
> procedures itself. NEA is attempting to provide a vehicle to perform
> some compliance tests on acceptable "postures". What the 
> network decides
> to do with that information seems entirely dependent on the policy of
> the network and the extent of non-compliance, etc. What does 
> it mean to
> say that NEA *allows* an advisory and/or a mandatory model? 
> 
> 
Yes, it is a matter of policy. We have had other input as well that
indicates this text is causing confusion.  We added this text in
consultation with our AD to reinforce the notion that NEA did not
necessarily imply enforcement, and that things like
emergency services could be made available regardless of the outcome of
posture assessment.

The intention is not to be prescriptive about an organization's policy
in any way.

Bearing the original motivation in mind, would the following work
better?
"An organization may make a range of policy decisions based on the
posture of an endpoint. NEA is not intended to be prescriptive in this
regard. For example, 
potential deployment scenarios may include, but are not limited to, 
providing normal access regardless of compliance

Re: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-04 Thread todd glassey
Vidya, good commentary; maybe I can add some more. The NEA, per the
charter-need's justification statement, says:

>
> Network Endpoint Assessment (NEA) architectures have been implemented
> in the industry to assess the "posture" of endpoint devices

Ah two new terms of Art - "Posture" and "Devices".

> for the
> purposes of monitoring compliance to an organization's posture policy

Here again we have Posturing... but now it's a policy. The policy of dancing
or what?  So is this posture relative to the Security Policy? Or how about
the Operations Integrity Policy? And is the Posture erect, or is it a rolling
on the floor laughing one...

> and optionally restricting access until the endpoint has been updated

This is a statement of effect rather than describing the thing itself. This
comment is specific to what the design of the NEA would do and not what the
NEA is but what the hey...


So then this 'thingee', the 'Posture manager', is something that is an
agent that lives in the computer to make sure it's doing what it's supposed to
and has all of the stuff it's supposed to have, right? So the NEA seems to be
an integrity management and compliance agent, right? Which means you want to
go to blows with Tripwire and the Change Management Integrity of Operations
people too? Nice...


Tripwire and Aide seem to be things that do that - Fremont and COPS too. The
configuration management is Titan and YASSP or other hardening scripts. The
logging and setup for managing the logging is already in place too. So where
does this 'compliance assurance thingee' live in that array?


> to satisfy the posture requirements.

Again - I gotta mention that you are doing a lot of posturing there... So
guys - here we go again - which posture is it this time???  Bent over
backwards or what?

> An endpoint that does not comply
> with posture policy may be vulnerable to a number of known threats
> that may exist on the network.

And here we have the justification for the service proposed in the charter
statement... come on guys...

> The intent of NEA is to facilitate
> corrective actions to address these known vulnerabilities before a
> host is exposed to potential attack.

Ahhh... Inline and continuous hardening and reporting.  So then is this the
creation of the IETF's version of an embedded Titan or YASSP? Does that really
make sense? If it does, why not just run Titan and YASSP through SNMP,
or buy Tripwire, or use Aide and SNORT, or ... you get my point, I hope.

Try this:

"The NEA is a process and methodology to integrate ongoing integrity and
process refinement into the operations of network services. The principal
goal of the NEA is a higher set of reporting models to support those
required by today's network operators for their IT Infrastructure Integrity
Programs"

And the process statement:

"To facilitate this goal, the NEA provides Audit and Systemic
Integrity/Change Management as integrated features and provides proper
evidentiary models to support this under whatever level of scrutiny is
required. Scrutiny including as formal evidence with Chain of Custody issues
to address as well"

and finally:

"To accomplish these ends, the NEA may use pieces of other services or
technologies in creating this Open Framework for operating integrity and its
evidentiary documentation."


Todd Glassey

- Original Message - 
From: "Narayanan, Vidya" <[EMAIL PROTECTED]>
To: ; 
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 04, 2006 9:58 AM
Subject: RE: [Nea] WG Review: Network Endpoint Assessment (nea)



All,
Comments on the charter inline below.

> -Original Message-
> From: IESG Secretary [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 02, 2006 7:30 AM
> To: ietf-announce@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
>
> A new IETF working group has been proposed in the Security Area.
> The IESG has not made any determination as yet. The following draft
> charter was submitted, and is provided for informational purposes
> only.
> Please send your comments to the IESG mailing list
> (iesg@ietf.org) by October 9.
>
> +++
>
> Network Endpoint Assessment (nea)
> ==
>
> Current Status: Proposed Working Group
>
> Chair(s):
> TBD
>
> Security Area Director(s):
> Russ Housley <[EMAIL PROTECTED]>
> Sam Hartman <[EMAIL PROTECTED]>
>
> Security Area Advisor:
> Russ Housley <[EMAIL PROTECTED]>
>
> Mailing List: [EMAIL PROTECTED]
>
> Description of Working Group:
>
> Network Endpoint Assessment (NEA) architectures have been implemented
> in the industry to assess the "posture" of endpoint devices for the
> purposes of monitoring com

RE: [Nea] WG Review: Network Endpoint Assessment (nea)

2006-10-04 Thread Narayanan, Vidya
 
All,
Comments on the charter inline below.  

> -Original Message-
> From: IESG Secretary [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 02, 2006 7:30 AM
> To: ietf-announce@ietf.org
> Cc: [EMAIL PROTECTED]
> Subject: [Nea] WG Review: Network Endpoint Assessment (nea)
> 
> A new IETF working group has been proposed in the Security Area.  
> The IESG has not made any determination as yet. The following draft 
> charter was submitted, and is provided for informational purposes 
> only.
> Please send your comments to the IESG mailing list
> (iesg@ietf.org) by October 9.
> 
> +++
> 
> Network Endpoint Assessment (nea)
> ==
> 
> Current Status: Proposed Working Group
> 
> Chair(s): 
> TBD
> 
> Security Area Director(s):
> Russ Housley <[EMAIL PROTECTED]>
> Sam Hartman <[EMAIL PROTECTED]>
> 
> Security Area Advisor:
> Russ Housley <[EMAIL PROTECTED]>
> 
> Mailing List: [EMAIL PROTECTED]
> 
> Description of Working Group:
> 
> Network Endpoint Assessment (NEA) architectures have been implemented 
> in the industry to assess the "posture" of endpoint devices for the 
> purposes of monitoring compliance to an organization's posture policy 
> and optionally restricting access until the endpoint has been updated 
> to satisfy the posture requirements. An endpoint that does not comply 
> with posture policy may be vulnerable to a number of known threats 
> that may exist on the network. The intent of NEA is to facilitate 
> corrective actions to address these known vulnerabilities before a 
> host is exposed to potential attack.


Is it fair to then say that NEA is attempting to protect the endhost and
not necessarily the network? That is not immediately clear in the
charter. Obviously, the network must deal with all kinds of known and
unknown threats and a process like NEA is inadequate to protect it at
any acceptable level. That is why we employ a number of other mechanisms
like firewalls, access control, packet filters, IDS/IPS, etc. in any
combination to appropriately protect the networks. 

So, stating that NEA is not attempting to protect the network at large
would bring a lot of clarity to the charter. 


> Two deployment scenarios will be supported: advisory mode and 
> mandatory mode.
> In advisory mode, an endpoint may be advised of the result of posture 
> assessment and any recommended remediation actions, but is provided 
> normal network access regardless of the result. In mandatory mode, a 
> non-compliant endpoint is given restricted access to the network 
> sufficient for remediation purposes and any essential services or 
> denied access completely.
> 

It is unclear how the advisory vs mandatory model relates to the NEA
procedures itself. NEA is attempting to provide a vehicle to perform
some compliance tests on acceptable "postures". What the network decides
to do with that information seems entirely dependent on the policy of
the network and the extent of non-compliance, etc. What does it mean to
say that NEA *allows* an advisory and/or a mandatory model? 


> Posture refers to the hardware or software configuration of an 
> endpoint as it pertains to an organization's security policy. Posture 
> may include knowledge that software installed to protect the machine 
> (e.g. patch management software, anti-virus software, host firewall 
> software, host intrusion protection software or any custom software) 
> is enabled and up-to-date.
> On network access and while connected, an endpoint supporting NEA 
> protocols can be queried for such posture information in either 
> advisory or mandatory modes.
> 

Again, what does it mean to be queried in a particular mode? 

> Since NEA involves many different components from different vendors, 
> interoperation

s/interoperation/interoperability

> is highly desirable. The priority of
> the NEA working group is to standardize protocols at the higher layers

> in the architectures:
> the Posture Attribute protocol (PA) and the Posture Broker protocol 
> (PB).
> PA and PB will be designed to support a variety of lower layer 
> protocols.
> When used with standards for lower layers, these new protocols will 
> allow interoperability between an NEA Client from one vendor and an 
> NEA Server from another.
> 

This seems like an optimistic goal. Given that only a subset of
attributes are envisioned to be standardized and given that the kind of
attributes are likely to be ever increasing, considering that posture
refers to hardware/software configuration of an endpoint, I fail to see
how we would practically get NEA clients and NEA servers from different
vendors to perform any meaningful NEA procedures. In theory, I can see
how this can be slated to be a goal - but, I have to believe that
reality would be different. 


> Since there are already several non-standard protocols at 
> these higher layers, the NEA working group will consider 
> these existing protocols as candidates for standardization. A 
> requirements