Re: [proxies] [IETF Proxy] Next Steps

Klaas Wierenga <klaas@wierenga.net> Tue, 06 May 2008 20:48 UTC

Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E1533A67E5; Tue, 6 May 2008 13:48:27 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0E803A6844 for <proxies@core3.amsl.com>; Tue, 6 May 2008 13:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.227
X-Spam-Level:
X-Spam-Status: No, score=-6.227 tagged_above=-999 required=5 tests=[AWL=0.372, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GSQZIYmIjeO for <proxies@core3.amsl.com>; Tue, 6 May 2008 13:48:25 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 8FADA3A67E5 for <proxies@ietf.org>; Tue, 6 May 2008 13:48:24 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,445,1204498800"; d="scan'208";a="8188856"
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 06 May 2008 22:48:21 +0200
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m46KmL8l000776; Tue, 6 May 2008 22:48:21 +0200
Received: from xbh-ams-332.emea.cisco.com (xbh-ams-332.cisco.com [144.254.231.87]) by ams-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m46KmKmq004165; Tue, 6 May 2008 20:48:21 GMT
Received: from xfe-ams-331.emea.cisco.com ([144.254.231.72]) by xbh-ams-332.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 May 2008 22:48:20 +0200
Received: from klaas-wierengas-macbook-air.local ([10.61.81.87]) by xfe-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 May 2008 22:48:19 +0200
Message-ID: <4820C413.2000500@wierenga.net>
Date: Tue, 06 May 2008 22:48:19 +0200
From: Klaas Wierenga <klaas@wierenga.net>
User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421)
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
References: <7.0.1.0.2.20080416172531.02401228@nist.gov><200804171550.48931.stefan.winter@ restena.lu><057433e024b8d47267adf9fd0379bd6b.squirrel@www.trepanning.net><4820 0024.80801@restena.lu> <48201D8A.5030900@wierenga.net> <A3DA4C2546E1614D8ACC896746CDCF29012D9430@aruba-mx1.arubanetworks.com> <48209E7D.8040000@wierenga.net> <4820B356.4000309@restena.lu>
In-Reply-To: <4820B356.4000309@restena.lu>
X-OriginalArrivalTime: 06 May 2008 20:48:19.0851 (UTC) FILETIME=[844D85B0:01C8AFBA]
Authentication-Results: ams-dkim-2; header.From=klaas@wierenga.net; dkim=neutral
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

Stefan Winter wrote:
> Hi,
>>>> I guess you could say that the proxy's are a policy enforcement
>>>> point... 
>>>
>>> I suppose you could, but I wish you wouldn't ;-).
>>>
>>> ...
>>
>> ;-)
>>
>> but that is what it does, doesn't it? It either or not forwards 
>> authentication requests based on the forwarding policies that have 
>> been set.... The point I wanted to make is that the proxy in this case 
>> is about policies, not about politics.
> 
> Well concept is correct, but the term of policy enforcement point is a 
> bit problematic these days, because it is used in a different context 
> and with a different meaning already: NEA. In NEA, the PEP has 
> approximately the role of a NAS. While what we are talking about here is 
> not about stuff that happens on a NAS, but on a AAA server behind that 
> NAS. So, if we were to use terms from the NEA world, I would rather say 
> that a policy-driven proxy should be termed Policy Decision Point - 
> after all, forwarding-or-not is a decision, not an enforcement. Anyway, 
> thanks for the pointer in the general NEA direction - a NEA PDP is 
> indeed quite an analogous thing to a AAA policy-motivated proxy IMHO.

I agree that the terminology is a bit awkward, but I DID mean PEP 
instead of PDP, funny enough the AAA server, in the case of a proxy 
RADIUS DOES serve as the PEP (and I guess as well as PDP), and we ARE 
talking here about the stuff that is happening on a NAS: deny or approve 
traffic (in this case authentication requests)....

Klaas
_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies