Re: [Nea] Consensus check on EAP-based PT
Paul Sangster <Paul_Sangster@symantec.com> Tue, 09 August 2011 16:03 UTC
Return-Path: <Paul_Sangster@symantec.com>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B7921F8C7F for <nea@ietfa.amsl.com>; Tue, 9 Aug 2011 09:03:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.499
X-Spam-Level:
X-Spam-Status: No, score=-3.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W0eDLvM3s6XJ for <nea@ietfa.amsl.com>; Tue, 9 Aug 2011 09:03:17 -0700 (PDT)
Received: from tus1smtoutpex01.symantec.com (tus1smtoutpex01.symantec.com [216.10.195.241]) by ietfa.amsl.com (Postfix) with ESMTP id 3A48621F8C49 for <nea@ietf.org>; Tue, 9 Aug 2011 09:03:16 -0700 (PDT)
X-AuditID: d80ac3f1-b7c8dae000001039-4c-4e415a60fab2
Received: from tus1smtintpin02.ges.symantec.com (TUS1SMTINTPIN02.ges.symantec.com [192.168.215.102]) by tus1smtoutpex01.symantec.com (Symantec Brightmail Gateway out) with SMTP id CF.3E.04153.06A514E4; Tue, 9 Aug 2011 09:03:44 -0700 (MST)
Received: from [155.64.220.138] (helo=TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM) by tus1smtintpin02.ges.symantec.com with esmtp (Exim 4.72) (envelope-from <Paul_Sangster@symantec.com>) id 1QqomO-0004vQ-5e; Tue, 09 Aug 2011 09:03:44 -0700
Received: from TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM ([155.64.220.150]) by TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM ([155.64.220.138]) with mapi; Tue, 9 Aug 2011 09:03:44 -0700
From: Paul Sangster <Paul_Sangster@symantec.com>
To: Susan Thomson <sethomso@cisco.com>
Date: Tue, 09 Aug 2011 09:03:42 -0700
Thread-Topic: [Nea] Consensus check on EAP-based PT
Thread-Index: AcxWCmFrDQLBgxZmQkmK7nzeXMQe/AAoJ2KQ
Message-ID: <6E79D623502C70419A9EAB18E4D274252A6AF4039A@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
References: <6065F7697E427240893C1B5CF41828967EF7D4@XMB-RCD-111.cisco.com> <84A2340E-CC1F-4226-8C0C-F52FD754A8A7@cisco.com>
In-Reply-To: <84A2340E-CC1F-4226-8C0C-F52FD754A8A7@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNIsWRmVeSWpSXmKPExsVyYMX1NN2EKEc/gx9bxCw+v62weLpmCpMD k8eU3xtZPZYs+ckUwBTFZZOSmpNZllqkb5fAlbH77zW2ghtqFX0X/rI2MDbLdzFyckgImEh8 enCXHcIWk7hwbz1bFyMXh5DAR0aJbUuuQjmvGSWu7LjFBFIlJLCSUeLyCm4Qm03AQGLnkVNg 3SICahI/PzwGs5kFFCWmty4Fq2cRUJFYPOkxK4gtLGAk8ebvUVaIemOJ++/7mCBsI4lvf58x g9i8AlESHVO6WSB21Urc3noJLM4pYCvR8nkbmM0IdOn3U2uYIHaJS9x6Mp8J4gMBiSV7zjND 2KISLx//Y4WoF5W4076eEaJeR2LB7k9sELa2xLKFr6H2CkqcnPmEZQKj+CwkY2chaZmFpGUW kpYFjCyrGGVKSosNi3NL8ktLClIrDAz1iitzE4ERlqyXnJ+7iREYZTe4Dn/cwXh9qeIhRgEO RiUe3lthjn5CrIllQJWHGCU4mJVEeOeBhHhTEiurUovy44tKc1KLDzFKc7AoifPOfGDkJySQ nliSmp2aWpBaBJNl4uCUamBsNWO9bbVnYvEqpRO2t5a++Ps0Qql98sMqJ+Mv6Sxn5JfsCT8c IX4/xemF5dWdJyu2PT4ZlOik1v/knL/305hNt7TXHLjC+ptD7tuiCRv0uWbomWhcmn3+y6NP 3TvvnyrkcXFesHOupPXni/OsVBVLv+borlyqkRNdLfunby7LMd+jB7z/Fss9UGIpzkg01GIu Kk4EAGfhMIGuAgAA
Cc: "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] Consensus check on EAP-based PT
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2011 16:03:18 -0000
My vote is for PT-EAP.
It's my current view that both proposals are very close functionally and I don't see a compelling reason to select a TLV based approach. I believe we should follow RFC 5209 which discusses the selection criteria for NEA protocols. Again both approaches meet most of the requirements, however PT-EAP is already fully documented in a public standards based spec. If that's not enough, we have a lot of implementation experience with PT-EAP with 9 independent implementations, many plugfests, clarification updates to the original spec (factoring in implementer feedback) and even compliance tests using a test suite specifically designed to test implementations. Also, I think we should consider the Tao of the IETF in this particularly:
"One of the "founding beliefs" is embodied in an early quote about the IETF from David Clark: "We reject kings,
presidents and voting. We believe in rough consensus and running code".
On the implementation side, we actually have the OpenSEA Alliance supplicant which supports EAP-TNC carrying PB-TNC and PA-TNC, so we know the stack works well together and the implementers have reported no significant or unusual issues during the development (not even to the EAP engine).
It sounds like the discussion about protection of the inner method (or TLVs) carrying the posture could be addressed by adding security to either proposal. I've not been convinced this is a serious problem that we can solve with words in a specification, since the root cause seems to be administrator misconfiguration/use of a product potentially resulting in weak security. Administrator errors are hard to solve in standards specs unless we preclude any compliant product from ever being configured to potentially be not secure. This is difficult and doesn't allow for deployments where they have addressed the security threats via other countermeasures (e.g. link encryption, proxied EAP over an encrypted link, physical isolation, ...). I do think we should require implementation of core security features, but requiring their use in all situations is something we would need to discuss more.
>
>
>
> On Aug 2, 2011, at 2:04 PM, Susan Thomson (sethomso) wrote:
>
> > At IETF81 and several prior IETF meetings, as well as on the mailing
> > list, the WG has evaluated the pros and cons of 2 architectural
> > approaches to carrying posture within an EAP tunnel method:
> >
> > - EAP method
> > http://www.ietf.org/internet-drafts/draft-hanna-nea-pt-eap-01.txt
> >
> > - EAP TLV.
> > http://www.ietf.org/internet-drafts/draft-cam-winget-eap-tlv-03.txt
> >
> > So far, there has been no WG consensus to adopt one architecture
> versus
> > the other. (At the recent F2F meeting in Quebec City, the consensus
> > check at the meeting showed an equal number in favor of each
> approach.)
> >
> > This email is a final call to determine WG consensus on the L2 PT
> > approach.
> >
> > The consensus check is to choose one of the following 3 options:
> > 1) PT-EAP approach
> > 2) NEA-TLV approach
> > 3) Neither (please state the reason if you choose this option)
> >
> > Please respond to the above question by Tues Aug 16 at 5pm PT. Please
> do
> > so even if you have already expressed your opinion, either at a WG
> > meeting or on the mailing list. The answer can be as brief as
> selecting
> > option 1), 2) or 3). If you would like to add your reasons for your
> > choice, that would be appreciated too, especially if you choose
> option
> > 3).
> >
> > If we have consensus on the mailing list, we will adopt the selected
> > approach.
> >
> > If we still do not have consensus, the WG chairs and AD (Stephen
> > Farrell) have agreed that the AD will make a decision. The proponents
> of
> > both approaches have agreed to abide by this decision. This
> resolution
> > plan was discussed at the F2F meeting at IETF81. This plan was also
> > communicated to the list in an email on Jun 30, 2011. No objections
> have
> > been received.
> >
> > In either case, the individual submission corresponding to the
> selected
> > approach will be adopted as a -00 NEA WG I-D, and we will proceed
> with
> > the normal process of editing the document within the WG.
> >
> > Thanks
> > Susan
> >
> > ------------------
> > References:
> > IETF81 audio session (start at approx 44 mins into session):
> > http://www.ietf.org/audio/ietf81/ietf81-2103-20110727-1256-pm.mp3
> >
> > IETF81 draft meeting minutes:
> > http://tools.ietf.org/wg/nea/minutes
> >
> > _______________________________________________
> > Nea mailing list
> > Nea@ietf.org
> > https://www.ietf.org/mailman/listinfo/nea
>
> _______________________________________________
> Nea mailing list
> Nea@ietf.org
> https://www.ietf.org/mailman/listinfo/nea
- [Nea] Consensus check on EAP-based PT Susan Thomson (sethomso)
- Re: [Nea] Consensus check on EAP-based PT Ira McDonald
- Re: [Nea] Consensus check on EAP-based PT Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Sanchez, Mauricio (HP Networking)
- Re: [Nea] Consensus check on EAP-based PT Hao Zhou
- Re: [Nea] Consensus check on EAP-based PT Frank Yeh Jr
- Re: [Nea] Consensus check on EAP-based PT Alan DeKok
- Re: [Nea] Consensus check on EAP-based PT Andreas Steffen
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Klaas Wierenga
- Re: [Nea] Consensus check on EAP-based PT Lisa Lorenzin
- Re: [Nea] Consensus check on EAP-based PT Marc Linsner
- [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Mike Fratto
- Re: [Nea] Consensus check on EAP-based PT john.willis
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT Jouni Malinen
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Consensus check on EAP-based PT Nancy Cam-Winget
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT latze@angry-red-pla.net
- Re: [Nea] Protecting L2 PT when proxying Stephen Hanna
- Re: [Nea] Protecting L2 PT when proxying Mike Fratto
- Re: [Nea] Protecting L2 PT when proxying Joe Salowey
- Re: [Nea] Consensus check on EAP-based PT kaushik narayan
- Re: [Nea] Consensus check on EAP-based PT Paul Sangster
- Re: [Nea] Consensus check on EAP-based PT Stephen McCann