Minutes: Salsa NetAuth call 15-Sep-05
*Attendees*
Chris Misra, University of Massachusetts (chair)
Kevin Miller, Duke University
Rich Cropp, Penn State University
Randy Hegarty, Penn State U.
Kevin Amorin, Harvard University
Eric Gauthier, Boston University
Renee Frost, Internet2
Steve Olshansky, Internet2
Katherine Strojny, Internet2 (scribe)
*Action Items*
Carryover
[AI] {SteveO} and {Eric} will work together on revising draft four of the Architecture document to ensure its adherence to I2 document guidelines.
[AI] {Kevin, Eric and Chris} will add text to the Architecture document and republish the document as draft 4, ensuring conformance with the newly released Internet2 document guidelines.
[AI] {Chris} and {SteveO} will send a note to the WG via the list soliciting suggestions for the future direction of the WG.
[AI] {Chris} will put together a few slides describing intersection points between SALSA NetAuth and SALSA NetAuth-FWNA.
[AI] {Chris} will send the list of vendor questions developed by the WG during this call to the group via the list.
[AI] {Chris} will arrange vendor discussions for a subsequent call.
[AI] {Chris} will contact Bob Morgan to discuss whether there may be IETF activities that would be open to or in alignment with NetAuth efforts.
[AI] {Chris} will post a message to the NetAuth and FWNA lists soliciting volunteers to develop an outline of issues for NetAuth in a federated environment.
[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions currently being used.
[AI] {Individuals} will send in case studies for potential use in the Strategies document.
*Discussion*
The agenda for the call included discussion of action items, upcoming
events, beginning of semester NetAuth performance, and a review of the
draft Components document.
Send any comments on the minutes from the last call to Chris Misra or SteveO, since the scribe has changed.
Review Old Action Items:
The draft of the Components document was sent to the list and will be
posted to the web. Chris sent a note to the group via the list about
sessions of interest at the Fall Internet2 Member Meeting. There has
been progress on action items relating to the Fall Member Meeting (such
as the slides). Remaining action items have been tabled until after the
Member Meeting.
Upcoming Meetings:
The group discussed details of the Fall Internet2 Member meeting.
NetAuth System Performance:
How did NetAuth systems perform during the beginning of the semester,
for those who have implemented them? Kevin Miller reported there were not
many changes to the system and there were no major problems. Chris said
things were quieter at UMass than in the past three years: a few
vulnerable systems, but in general a lack of penetration, especially on
Win2K systems.
Review Components Document:
What is the approach used in the Components document? Kevin is
attempting to position the document with existing network admission
control technologies, such as Cisco Network Admission Control (NAC),
Trusted Network Connect (TNC), and IEEE 802.1X. The document includes
three components that are widely used in existing technologies: Policy
Decision Point (PDP), Policy Enforcement Point (PEP), and Access
Requester (AR). Additional components were added to extend the
framework and make it more flexible: Policy Repository (PR) and Network
Detection Point (NDP). RFC 3198 (Terminology for Policy-Based
Management) was used as a basis.
The group reviewed the component view of admission control, which
covers the five different types of components. The access requester
(AR) is the device requesting admission to the network (e.g., laptops,
also headless units like Xboxes). The Policy Enforcement Point (PEP) is
any kind of router, switch, etc. that enforces policy upon the AR. The
Policy Decision Point (PDP) is any kind of server that makes policy
decisions regarding Authentication/Authorization/Accounting
(AAA) and/or policy. Examples are Cisco's access control server (ACS)
or the TNC server in TNC. In some cases, PDPs communicate with a
backend policy server that may enforce antivirus policies, for instance
a McAfee server. The Policy Repository (PR) is a database containing
usernames or passwords. LDAP is an example. The Network Detection Point
(NDP) detects access and events and can send a request for isolation to
someone based on an event trigger.
The group also reviewed the communication process used by the
components. The question was raised of whether the term "administrative
domain" could be revised to something like "federated domain", which
has different connotations. Some clarifications may also be useful to
distinguish between policy lookup and the authentication process, as in
the case where the backend antivirus policy server is used. Discussion
throughout the review touched on clarifying the roles of the
components, and on how to classify the components of existing
technologies within this framework.
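To make the roles described above concrete, the following is an added example (not part of the minutes, the Components document, or any of the vendor products named) that models the five component types as a small Python simulation. The AR presents credentials and a posture attribute; the PEP forwards the request to the PDP; the PDP authenticates against the PR and consults a backend antivirus policy server; the NDP watches post-admission events and asks the PEP to isolate a device. All class names, the in-memory credential table, the signature-version threshold, and the event names are constructed for illustration.

```python
"""Toy model of the NetAuth admission-control component framework.

Hypothetical names throughout; nothing here mirrors a real product API.
"""
from dataclasses import dataclass, field
from enum import Enum
from hmac import compare_digest
from typing import Dict


class Decision(Enum):
    ADMIT = "admit"        # full network access
    DENY = "deny"          # authentication failed, no access
    ISOLATE = "isolate"    # quarantine VLAN / remediation network


@dataclass
class AccessRequester:
    """AR: the device asking for admission (laptop, Xbox, ...)."""
    device_id: str
    username: str
    password: str
    av_signature_version: int   # posture attribute reported by the device


class PolicyRepository:
    """PR: credential store (LDAP in the minutes). Constructed in-memory here;
    a real PR would hold hashed credentials rather than plaintext."""
    def __init__(self, users: Dict[str, str]):
        self._users = users

    def verify(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        # constant-time compare so a wrong username and a wrong password look alike
        return stored is not None and compare_digest(stored, password)


class AntivirusPolicyServer:
    """Backend policy server the PDP consults for posture (e.g. an AV server)."""
    def __init__(self, min_signature_version: int):
        self.min_signature_version = min_signature_version

    def compliant(self, version: int) -> bool:
        return version >= self.min_signature_version


class PolicyDecisionPoint:
    """PDP: authenticates via the PR, then checks posture via the backend server."""
    def __init__(self, pr: PolicyRepository, av: AntivirusPolicyServer):
        self.pr, self.av = pr, av

    def decide(self, ar: AccessRequester) -> Decision:
        if not self.pr.verify(ar.username, ar.password):
            return Decision.DENY            # authentication step failed
        if not self.av.compliant(ar.av_signature_version):
            return Decision.ISOLATE         # authenticated but out of policy
        return Decision.ADMIT


class PolicyEnforcementPoint:
    """PEP: the switch/router. Holds per-device state and applies decisions."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.state: Dict[str, Decision] = {}

    def admission_request(self, ar: AccessRequester) -> Decision:
        decision = self.pdp.decide(ar)
        self.state[ar.device_id] = decision
        return decision

    def apply(self, device_id: str, decision: Decision) -> None:
        self.state[device_id] = decision


# Constructed list of events the NDP treats as grounds for isolation.
SUSPICIOUS_EVENTS = {"port-scan", "worm-signature", "rogue-dhcp-server"}


class NetworkDetectionPoint:
    """NDP: observes events after admission and requests isolation via the PEP."""
    def __init__(self, pep: PolicyEnforcementPoint):
        self.pep = pep

    def on_event(self, device_id: str, event: str) -> bool:
        """Return True if the event triggered an isolation request."""
        if event in SUSPICIOUS_EVENTS and device_id in self.pep.state:
            self.pep.apply(device_id, Decision.ISOLATE)
            return True
        return False


if __name__ == "__main__":
    pr = PolicyRepository({"alice": "s3cret", "bob": "hunter2"})   # constructed
    pdp = PolicyDecisionPoint(pr, AntivirusPolicyServer(min_signature_version=4200))
    pep = PolicyEnforcementPoint(pdp)
    ndp = NetworkDetectionPoint(pep)
    print(pep.admission_request(AccessRequester("lap-1", "alice", "s3cret", 4250)))
    print(pep.admission_request(AccessRequester("lap-3", "bob", "hunter2", 4100)))
    ndp.on_event("lap-1", "port-scan")
    print(pep.state)
```

The split between `PolicyRepository.verify` (authentication) and `AntivirusPolicyServer.compliant` (policy lookup) is deliberate: it is the distinction the review asked to make clearer, and keeping the two steps separate in the PDP lets each produce a different enforcement outcome (deny versus isolate) rather than a single pass/fail.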
The next call will take place in two weeks on 29-Sep-05.