[Nea] Draft minutes from IETF 67 NEA WG meeting
"Stephen Hanna" <shanna@juniper.net> Fri, 08 December 2006 22:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GsoIe-0000A0-QC; Fri, 08 Dec 2006 17:34:36 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GsoId-00009c-He for nea@ietf.org; Fri, 08 Dec 2006 17:34:35 -0500
Received: from kremlin.juniper.net ([207.17.137.120]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GsoIc-0002hb-Rk for nea@ietf.org; Fri, 08 Dec 2006 17:34:35 -0500
Received: from unknown (HELO proton.jnpr.net) ([10.10.2.37]) by kremlin.juniper.net with ESMTP; 08 Dec 2006 14:31:23 -0800
X-IronPort-AV: i="4.09,515,1157353200"; d="scan'208"; a="622074012:sNHT56676080"
X-MIMEOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 08 Dec 2006 17:34:33 -0500
Message-ID: <A6398B0DB62A474C82F61554EE93728701DB40C6@proton.jnpr.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Draft minutes from IETF 67 NEA WG meeting
Thread-index: AccbGQhq2mrdVvFBSTWFV/jn7uI2ow==
From: Stephen Hanna <shanna@juniper.net>
To: nea@ietf.org
X-Spam-Score: 0.9 (/)
X-Scan-Signature: d8921dd2ebcb07edebf7bfaf4808c2ad
Subject: [Nea] Draft minutes from IETF 67 NEA WG meeting
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
Errors-To: nea-bounces@ietf.org
Here are the draft minutes from the IETF 67 NEA WG meeting.
If you have comments or corrections, please send them to me
or to the NEA list ASAP.
Thanks,
Steve
----------
Minutes from NEA WG Meeting
IETF 67 in San Diego, CA
November 7, 2006, 3:20 PM - 5:20 PM
Chaired by Steve Hanna and Susan Thomson
Notes taken by Kaushik Narayanan, Mauricio Sanchez, and Paul Sangster
These notes do not attempt to duplicate all the material in the
slides. Instead, they provide a brief summary of that material and
focus on comments and discussion (especially consensus checks).
Steve Hanna welcomed people to the first meeting of the Network
Endpoint Assessment Working Group. He reviewed logistical information
about the group (email list, chairs, etc.). Blue sheets were
distributed and minutes scribes found. No Jabber scribes were found.
The following draft agenda was agreed to:
3:20 Circulate Blue Sheets, Identify Jabber & Minutes Scribes
3:25 Agenda Bashing
3:30 NEA Milestones
3:40 Discussion of Requirements I-D
5:10 Next Steps
5:20 Adjourn
*NEA Milestones*
Susan Thomson reviewed the milestones in the NEA charter. The current
milestones are aimed at getting a NEA Requirements document submitted
to the IESG by April 2007. Then we'll request AD approval to add
milestones to standardize PA and PB.
Susan Thomson reviewed roles and responsibilities within the NEA WG.
A NEA Requirements design team will be formed to develop an initial
draft of the NEA Requirements I-D and revise that I-D in response to
WG rough consensus. Volunteers for the design team should contact
Steve and Susan. A request for volunteers will be sent to the NEA
list and we hope to have the design team launched within a couple of
weeks.
The goal for today is to discuss what the requirements I-D should
contain and what use cases that requirements I-D should support.
And we'll solicit volunteers for the design team.
*Discussion of Requirements I-D*
Susan reviewed a draft outline for the Requirements I-D (included in
the slides) and asked if there are any obvious missing areas. There
were no responses.
Susan reviewed some basic terminology: endpoint and posture. An
endpoint is any device that can be connected to a network and get
an IP address. Posture is security-relevant configuration of an
endpoint.
Kaushik Narayanan: Isn't it true that posture can be a wide variety of
information as long as it's used in a security policy? That makes it
security relevant.
Susan: Yes.
Susan summarized the NEA problem statement: to assess the posture of
an endpoint and determine whether it's in compliance with a security
policy. Susan reviewed items that our charter says are in scope and
others that are out of scope but must be accommodated.
Susan presented the NEA Reference Model as described in the previously
published problem statement. She suggested a refinement to the model
to change the bottom layer to only perform posture transport since the
PT protocol may be separate from that used in access
control/enforcement.
She asked if there are any comments or questions on this change. There
were none.
Steve Hanna took the mike to discuss use cases. The goal here is not
to identify all possible use cases for NEA. It is to identify a
minimal set of use cases that can be included in the Requirements I-D
and that spans the problem space. We don't need to have a lot of
information here, just enough to drive requirements definition.
Paul Ferguson: How can we discuss requirements before defining the
problem space?
Steve: The problem space is described in the charter and will be
described in more detail in the Requirements I-D.
Steve listed several types of flows:
- Initial assessment - triggered by network connection or service
request
- Re-assessment - triggered by NEA server or client (because of an
event, timer, etc.)
Steve listed and described several types of attributes:
- Endpoint Data (client to server), by value or by reference
- Compliance Policy (server to client)
- Compliance Policy Evaluation Results (client to server)
- Cryptographic Protocols (multiple round trips)
- Compliance Result (server to client)
- Remediation Instructions (server to client)
Eric Rescorla: Is cryptographic protocol information considered an
attribute? It's not helpful to have it defined as an attribute.
Yaron Sheffer: I thought compliance policy was out of scope. How can
you be including it in an attribute then?
Steve: I'm not suggesting that attribute should be standardized.
I'm just saying that's one attribute that can be sent. In fact,
our charter states that the set of attributes to be standardized
will be minimal. I don't expect policy would be in that set.
Mani Mahalingam: Are enforcement points out of scope?
Steve: Yes, our charter says so. Enforcement is out of scope. Other
IETF WGs do enforcement protocols.
Kaushik: Could completion of remediation be a trigger for reassessment?
Steve: Yes, that would fall under the category of client triggered
reassessment.
Steve: I'll present a set of use cases that seem to span the problem
space as I understand it, driving all necessary requirements. See
slides for details of those use cases. Brief summary here:
John Smith - inventory collection of software on JS's endpoint at
network join
No enforcement.
Jane Doe - send patch levels upon service request, upgrade advisory
sent
No enforcement.
Colonel Mustard - constant monitoring while on network. Endpoint detects
a
posture change so triggers re-assessment. Access is
limited since the system isn't in compliance.
Re-assessment occurs after remediation which allows
access to be restored.
Steve: Are there other use cases that must be addressed and which
drive new PA, PB, or PT requirements?
Bob Morgan: If the first use case is triggered by network connection,
you should show the network access elements. And this would drive PT
requirements since the endpoint may not have full network connectivity.
Doug Otis: Most assessments involve a separate assessment server.
Maybe that server should sign some credentials saying that the
assessment has been completed. Then the NEA server can just look at
those credentials.
Steve: Does that drive any new requirements?
Doug: Lots of trust issues are raised. The client needs to decide
whether it trusts the remediation instructions.
Steve: So that relates to the contents of the remediation instructions.
Alan DeKok: I'm concerned about the defined architecture being overly
limited as I can imagine other architectures for solving this problem.
We could have remediation happen inside EAP-TLS, for instance.
Steve: Using EAP to transport a lot of information such as remediation
doesn't work well. EAP is not well suited for bulk data transfer and
most wireless APs will time out after 25-200 round trips.
However the point remains that there are other architectures for
endpoint
assessment. We need to stay within our charter, which talks about NEA
Servers
and NEA Clients. So there are some limitations to what's in scope.
Khaja Ahmed: I wonder if a P2P use case would be helpful. And what
about non-enterprise scenarios where an ISP checks the consumer system
for them?
Steve: I think that may violate an applicability limitation in our
charter.
Khaja: Am I right that PA might involve multiple round trips?
Steve: Yes. There are use cases where that's required.
Khaja: That could cause lots of latency due to many collectors causing
lots of round trips. There must be a better way.
Khaja: Compliance policy attributes (where the server tells the client
what the policy is) doesn't sound like a good model.
Steve: Any other comments? About any of this? None. So we'll take it
to the list.
Steve: I'm surprised at how quickly this has gone. We've come to the
end of the slides that Susan and I had prepared. Fortunately, Paul
Sangster has a presentation on the requirements I-D that was prepared
last spring when we were a NEA BOF. Of course, these are somewhat
dated and don't reflect the discussions around our chartering. But
it's probably useful to discuss them, given that we have the time.
Kapil Sood: We need a set of security requirements not just the
functional requirements discussed so far.
Steve: Yes, absolutely. We're going to have to do a complete security
analysis of the entire system. We can derive security requirements
from that.
*Review of Previous Requirements I-D*
Paul Sangster presented an overview of the old NEA BOF requirements I-D:
draft-khosravi-nea-requirements-01.txt. See Paul's slides for details.
Paul reviewed the outline and contributors for the spec. Then he
described terminology: component, message, session, and dialog.
Next, he summarized Common Requirements (common to PA, PB, and PT).
1. Capable of multi-message dialog
Khaja: This shouldn't be a requirement. Requirements should be higher
level, as they might be articulated by an IT administrator. This is
more design. And I don't think this is a good idea.
After further discussion, it was agreed that this should be discussed
more later.
2. Allow server requests prior and after network access
3. Possible for client to initiate a posture re-evaluation request
4. Protection against active/passive attacks by intermediaries
5. PA and PB transport agnostic interfaces
6. Selection process prefer reuse of existing open standards
7. Scalable (many collectors and validators on multiple servers)
Kaushik Narayanan: Requirements currently specify horizontal protocols
between NEA client and NEA server, how about the vertical protocols on
the client or server side?
Paul: Vertical protocols are currently out-of-scope in the charter.
Then Paul reviewed PA requirements:
1. Transport core attributes (vendor, version, operational status, ...)
2. Transport of vendor defined attributes
3. Validator request of particular client component's posture
4. Allow for multiple requests for posture information
5. Carry validator results and remediation instructions
6. Selection process prefer re-use of existing open standards for
transport and attribute representation
Bob Morgan: Whenever you get into schema (attribute formats, etc.),
lots of issues come up. The client and server may need to agree on
which attributes are supported by each.
Doug Otis: We don't need any vendor-unique attributes if instead the
server just asks for certificates proving the client has passed
certain compliance checks. Vendor-specific attributes will cause lots
of compatibility problems.
Paul: Well, it would be nice to avoid those problems. Let's discuss
your idea more.
7. SHOULD support expression of prior remediation state (e.g. time,
server used.)
8. Capable of authentication, integrity and confidentiality of
attributes, results and remediation instructions
Yaron Sheffer: Those properties can be provided by PB or PT.
Paul: Actually, this requirement is specifically on PA. There are some
use cases that drive that requirement. For instance, a validator that
wants to know the collector is valid. Or a validatror and collector
that want to keep their messages confidential from other components in
the system (like the Posture Broker). We may not want to address
those use cases but we should consider them.
Yaron: PA should define the core attributes not just transport them.
Steve: This requirements I-D is old and pre-dates IETF 66 where the
group did agree to define the attributes. That's in our charter now
and it will be done.
Dave Nelson: When you say authentication of attributes, you really
mean authentication of the component that sent the attributes, right?
Paul: Right. The collector or validator.
Khaja: Does this mean all collectors and validators must be able to
protect their messages?
Paul: No. This means that the protocol must support such protection.
But the collector doesn't have to implement that feature.
9. SHOULD optimize transport of messages and minimize PB RTs
PB Requirements
1. Capable of carrying the decision and (if present) remediation
instructions
2. Carry naming for collectors and validators (used for message
delivery)
Naming should allow for dynamic registration
3. Multiplex message dialogs between multiple collectors and validators
4. Capable of authentication, integrity and confidentiality of
messages, decision and remediation instructions
5. SHOULD support grouping of attributes to optimize messages/RTs
Kaushik Narayanan: The requirements I-D being presented just seems to
cover use cases with raw attributes. It does not capture requirements
for where rules are being transferred.
Paul: Yes. We need to include those requirements as part of the design
process.
PT Requirements
1. SHOULD incur low overhead for low bandwidth links
Kaushik: The low overhead requirement for PT has a cascading
requirement on PA and PB protocol requirements.
Paul: Yes. There are PA and PB efficiency requirements also.
Kaushik: And data needs to be compact.
2. SHOULD be capable of using a half duplex link
3. MUST NOT interpret the contents of PB messages
4. Capable of protecting the integrity and confidentiality of the PB
messages
Yaron: Will PT requirements cover everything all the way down to the
IP layer?
Paul: No, we'll primarily capture the requirements of the transport
and not all layers below the PT.
Yaron: The Requirements I-D talks about EAP as the transport.
Steve: That's an historical artifact.
Kapil: The requirement for PT to protect PB messages and the
requirement for PT not to interpret PB messages seem to be in
conflict. If PT protects PB messages, we can't keep it from
interpreting them. And how would you test compliance with those
requirements, anyway?
Paul: These are requirements on the PT protocol. We wouldn't pick a PT
that requires poking around in PB messages.
5. Reliable delivery of PB messages (detect dups, fragmentation)
6. Capable of mutual authentication (possibly leveraging an
authentication inside the protected tunnel)
7. Establish a restricted session between NAR and NAA prior to
allowing general access
8. Allow for NAR/NAA session to be initiated from either party when
both have assigned network addresses
Steve discussed next steps:
1) Solicit Design Team Members (through Nov. 16)
2) Start Design Team Weekly Concalls (probably week of Nov. 27)
3) First Requirements I-D Posted
Meeting adjourned at 5:17pm
_______________________________________________
Nea mailing list
Nea@ietf.org
https://www1.ietf.org/mailman/listinfo/nea
- [Nea] Draft minutes from IETF 67 NEA WG meeting Stephen Hanna
- [Nea] use of a design team to develop requirements Keith Moore
- RE: [Nea] use of a design team to develop require… Khaja Ahmed
- RE: [Nea] use of a design team to develop require… Stephen Hanna
- [Nea] Re: use of a design team to develop require… Sam Hartman
- [Nea] Re: use of a design team to develop require… Keith Moore
- Re: [Nea] Re: use of a design team to develop req… Alan DeKok
- Fwd: [Nea] Re: use of a design team to develop re… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- RE: Fwd: [Nea] Re: use of a design team to develo… Khaja Ahmed
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- RE: Fwd: [Nea] Re: use of a design team to develo… Khaja Ahmed
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- RE: Fwd: [Nea] Re: use of a design team to develo… Khaja Ahmed
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Mike Fratto
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Keith Moore
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: Fwd: [Nea] Re: use of a design team to develo… Alan DeKok
- Re: [Nea] Re: use of a design team to develop req… John Vollbrecht
- NEA requirements (was Re: Fwd: [Nea] Re: use of a… Alan DeKok
- NEA requirements (was Re: [Nea] Re: use of a desi… Alan DeKok
- Fwd: NEA requirements (was Re: Fwd: [Nea] Re: use… Mike Fratto
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Mike Fratto
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Mike Fratto
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Keith Moore
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Alan DeKok
- Re: Fwd: NEA requirements (was Re: Fwd: [Nea] Re:… Keith Moore
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Douglas Otis
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Alan DeKok
- Re: NEA requirements (was Re: Fwd: [Nea] Re: use … Douglas Otis