Minutes: SALSA NetAuth call
16-Mar-06
*Attendees*
Chris Misra, U. Massachusetts (chair)
Kevin Amorin, Harvard U.
Rich Cropp, Penn State U.
Kevin Miller, Duke U.
Lisa Hogeboom, Internet2
Steve Olshansky, Internet2
Charles Yun, Internet2
Katherine Strojny, Internet2 (scribe)
*Action Items*
New:
[AI] {Chris} will send a note to Lisa prior to April 10 informing her of a NetAuth document for the information table at Security Professionals.
[AI] {Kevin} will write up the challenges of going from theoretical to deployed 802.1X.
[AI] {Group} will re-evaluate the finalized documents to determine where the term "host posture assessment" needs to be included.
[AI] {Kevin} will send a link to the list regarding a BoF at next week's IETF conference.
[AI] {Chris} will make sure the 802.1X session information goes out to the FWNA, NetAuth, and Wireless lists.
Revised:
[AI] {Anyone} interested in creating a document for the info table at Security Professionals, send a note to the list or to Chris. The document will be needed by 6-Apr-06.
Carry Over:
[AI] {Individuals} are requested to send in case studies for potential use in NetAuth documents.
[AI] {Chris} will clean up the action item list.
[AI] {Kevin} volunteered to do a first draft of the NetAuth FAQ, with the goal of sending it out to the list before the end of March.
[AI] {Charles} will send a summary to the list about the security sessions at the Spring Internet2 Member Meeting, once the sessions are finalized (mid-March).
[AI] {Charles and SteveO} will coordinate to get out an announcement at the end of March regarding rollout of the Internet2 wiki platform.
[AI] {Chris} will send a notice about upcoming meetings with NetAuth discussions.
[AI] Once content is more complete and the wiki is in a permanent location, {Chris and Kevin} will get a note out to some of the lists announcing the wiki.
[AI] {Group} is invited to take a look at the NetAuth wiki and add content, toward developing a repository of useful information and understanding the solution space better. In particular, Kevin is seeking input on isolation methods and Frequently Asked Questions.
[AI] {Kevin} will email the list and see if anyone wants to join the case studies project.
[AI] The following individuals volunteered to write case studies, with a soft deadline of March 30:
- {Chris Misra}: Layer 2 & 3 isolation using NetReg and a homegrown switching system
- {John Moore}: Lockdown Networks and VLAN switching
- {Kevin Amorin}: PacketFence (ARP manipulation and VLANs)
[AI] People are sought who can draft case studies for Cisco Clean Access. If anyone knows of candidates, please contact Chris.
[AI] When the ResNet survey goes live, {Chris} will post a notice to the list in order to encourage participation.
[AI] {Group} will delegate liaisons for TNC and NAC.
[AI] {Kevin Amorin} will send information to the list about EAP (Extensible Authentication Protocol) activity currently underway in IETF.
[AI] {Individuals} who look into the IETF Distributed Security (distsec) mailing list are requested to provide feedback to the group on whether the activities are of interest to this group. To join the list, refer to the following link: https://www.machshav.com/mailman/listinfo.cgi/distsec
[AI] {Chris} and {SteveO} will send a note to the WG via the list soliciting suggestions for the future direction of the WG.
[AI] {Chris} will put together a few slides describing intersection points between SALSA NetAuth and SALSA NetAuth-FWNA.
[AI] {Chris} will send the list of vendor questions developed by the WG during this call to the group via the list. This will move forward in collaboration with the effective practice group at EDUCAUSE.
[AI] {Chris} will arrange vendor discussions for a subsequent call.
[AI] {Chris} will post messages to the NetAuth and FWNA lists soliciting volunteers to develop an outline of issues for NetAuth in a federated environment.
[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions currently being used.
*Discussion*
Intellectual Property Reminder: The Internet2 intellectual property policy can be found here: http://members.internet2.edu/intellectualproperty.html
Discussion included updates on the FWNA pilot, upcoming events, case study progress, and the NetAuth wiki, as well as emerging terminology that might impact the finalized documents. The group provisionally approved minutes from the last call and reviewed action items.
Kevin Miller gave an update on the Federated Wireless NetAuth (FWNA) pilot. The servers are in place and the software is being configured. The existing FWNA test bed can be used for trying ideas across enterprise boundaries. The current focus is on implications of local security policy when FWNA is brought into the picture. For instance, how do the local patching or scanning policies apply when a remote institution connects? If anyone has concerns to share, contact Kevin Miller. They are in the process of putting ideas to paper.
In the FWNA pilot, 802.1a (802.1X) is the standard for enabling roaming. Authentication should go all the way back to the home site, which will accept or reject the request and pass the result back to the visiting site. Is isolation possible? It should be theoretically possible, using production or isolation VLANs. [AI] {Kevin Amorin} volunteered to write up the challenges of going from theoretical to deployed 802.1X.
The group is continuing to work toward getting case studies drafted by March 30.
Upcoming events include the following:
- Security Professionals (Denver, April 10-12, 2006) http://www.educause.edu/sec06
- Spring 2006 Internet2 Member Meeting (Arlington, VA, April 24-26) http://events.internet2.edu/2006/spring-mm
Updates on NetAuth-related sessions are being sent to the list as they become available. [AI] {Chris} will make sure the 802.1X session information goes out to the FWNA, NetAuth, and Wireless lists. [AI] {Kevin} will send a link to the list regarding a BoF at the Dallas IETF conference. The group has an interest in following progress of the IETF PANA (Protocol for carrying Authentication for Network Access) working group.
[AI] {Chris} will send a note to Lisa prior to April 10 informing her of a NetAuth document for the information table at Security Professionals.
Kevin Amorin gave an update on the NetAuth wiki. The commercial and open source lists are populated. Kevin is continuing to work on the FAQ. The wiki is listed in Google and has been getting hits.
Chris introduced emerging IETF terminology that may impact the finalized documents. Currently, registration consists of host identification and host integrity checking. An additional task of "posture assessment" may need to be elucidated as part of registration. [AI] {The group} will re-evaluate the finalized documents to determine where the term "host posture assessment" should be included.
The next conference call will take place in two weeks on 30-Mar-06. Agenda and bridge will go out to the list in advance of the call.