TNC Proposals for NEA Protocols


Presentation Transcript


  1. TNC Proposals for NEA Protocols
     Presentation by Steve Hanna to NEA WG meeting at IETF 71, March 11, 2008

  2. PB-TNC TNC Proposals for NEA Protocols

  3. PB-TNC Purpose & Requirements
     • PB Purpose
       • Carry PA messages between PBC & PBS
       • Carry global assessment decision from PBS to PBC
       • Carry other messages between PBC & PBS
     • PB Challenging Requirements
       • MUST support half-duplex PT
       • MUST support grouping attributes to minimize round trips
       • MUST operate efficiently over low-bandwidth links
       • MUST carry PA message routing identifiers
       • SHOULD allow PBC or PBS to start assessment
       • MUST support adapting to user language preference
       • MAY include security measures or depend on PT security

  4. PB-TNC Design Features
     • Simple round-robin state machine
       • PBS or PBC can start by sending a batch
       • PBS & PBC take turns sending batches
       • End with PBS sending result or early close
     • Compact batch & message format (Binary TLV)
     • Designed for extensibility
       • No short fields, several reserved fields, versioning support
       • IANA process for standard extensions
       • Vendor IDs for non-standard extensions (cannot be required)
     • PA message routing by PA message type
       • Optional delivery by PC/PV ID
     • No PB-TNC security, depends on PT

  5. PB-TNC State Machine

                                +---------+  CRETRY  +---------+
                      CDATA     | Server  |<---------| Decided |  CLOSE
                 +------------->| Working |--------->|         |---------+
                 |              +---------+  RESULT  +---------+         |
                 |                 ^  |  |                               v
                 |                 |  |  +--------------------------->=======
             ========              |  |              CLOSE            " End "
             " Init "     CDATA or |  | SDATA or                      =======
             ========     CRETRY   |  | SRETRY                           ^
                 |                 |  |                                  |
                 |     SDATA    +---------+                              |
                 +------------->| Client  |          CLOSE               |
                 |              | Working |------------------------------+
                 |              +---------+                              |
                 |                         CLOSE                         |
                 +-------------------------------------------------------+
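The round-robin rule on this slide, written out as a batch-sequence checker. This is an added example, not code from the presentation or from any TNC/NEA implementation. It transcribes the transitions in the diagram into a table and rejects any batch that arrives out of turn. Assumptions beyond the slide: the exchange is half-duplex, so in the two Working states only the side whose turn it is may send; in Init and Decided either side may send CLOSE; and CLOSE is treated as a batch type even though the batch-type table on a later slide lists only CDATA, SDATA, RESULT, CRETRY and SRETRY.

```python
"""PB-TNC round-robin batch state machine (added example, not from the slides).

Assumptions not stated on the slide: half-duplex, so only the side whose turn
it is sends in the Working states; in Init and Decided either side may send
CLOSE; CLOSE is modelled as a batch type although the batch-type table does
not list it.
"""

INIT, SERVER_WORKING, CLIENT_WORKING, DECIDED, END = (
    "Init", "Server Working", "Client Working", "Decided", "End")

# (current state, sender, batch type) -> next state, transcribed from the
# diagram. Sender is "PBC" (Posture Broker Client) or "PBS" (Server).
TRANSITIONS = {
    (INIT, "PBC", "CDATA"): SERVER_WORKING,
    (INIT, "PBS", "SDATA"): CLIENT_WORKING,
    (INIT, "PBC", "CLOSE"): END,
    (INIT, "PBS", "CLOSE"): END,
    (SERVER_WORKING, "PBS", "SDATA"): CLIENT_WORKING,
    (SERVER_WORKING, "PBS", "SRETRY"): CLIENT_WORKING,
    (SERVER_WORKING, "PBS", "RESULT"): DECIDED,
    (SERVER_WORKING, "PBS", "CLOSE"): END,
    (CLIENT_WORKING, "PBC", "CDATA"): SERVER_WORKING,
    (CLIENT_WORKING, "PBC", "CRETRY"): SERVER_WORKING,
    (CLIENT_WORKING, "PBC", "CLOSE"): END,
    (DECIDED, "PBC", "CRETRY"): SERVER_WORKING,
    (DECIDED, "PBC", "CLOSE"): END,
    (DECIDED, "PBS", "CLOSE"): END,
}


class ProtocolError(Exception):
    """A batch that the state machine does not permit at this point."""


class PBTNCSession:
    def __init__(self):
        self.state = INIT
        self.trace = []   # (sender, batch type, resulting state)

    def on_batch(self, sender, batch_type):
        """Apply one batch; reject anything out of turn or after End."""
        key = (self.state, sender, batch_type)
        if key not in TRANSITIONS:
            raise ProtocolError(
                f"{batch_type} from {sender} not allowed in state '{self.state}'")
        self.state = TRANSITIONS[key]
        self.trace.append((sender, batch_type, self.state))
        return self.state


def run_exchange(batches):
    """Drive a session through (sender, batch type) pairs.

    Returns the final state, or the ProtocolError for an invalid sequence."""
    session = PBTNCSession()
    try:
        for sender, batch_type in batches:
            session.on_batch(sender, batch_type)
    except ProtocolError as err:
        return err
    return session.state


# Constructed sample sequences, not captured traffic.
# Normal assessment: client opens, server asks for more, client answers,
# server decides, client closes.
ASSESSMENT = [("PBC", "CDATA"), ("PBS", "SDATA"), ("PBC", "CDATA"),
              ("PBS", "RESULT"), ("PBC", "CLOSE")]
# Client asks for a fresh assessment after a decision; server closes at the end.
RETRY_AFTER_DECISION = [("PBC", "CDATA"), ("PBS", "RESULT"), ("PBC", "CRETRY"),
                        ("PBS", "RESULT"), ("PBS", "CLOSE")]
# Out of turn: a second CDATA while the server is still working.
OUT_OF_TURN = [("PBC", "CDATA"), ("PBC", "CDATA")]

if __name__ == "__main__":
    for name, seq in [("assessment", ASSESSMENT),
                      ("retry", RETRY_AFTER_DECISION),
                      ("out-of-turn", OUT_OF_TURN)]:
        print(name, "->", run_exchange(seq))
```

The table is the whole policy: a receiver that drops into `on_batch` for every batch gets the half-duplex turn-taking and the "only the PBS ends with RESULT" rule for free, and a peer that tries to talk out of turn is refused before any PA message inside the batch is looked at.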

  6. PB-TNC Encapsulation

     PT
       PB-TNC Header
       PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
       PB-TNC Message (Type=PB-PA)
         PA Message
       PB-TNC Message (Type=PB-PA)
         PA Message

  7. PB-TNC Header

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Version    |                   Reserved                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Batch Length                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  8. PB-TNC Message

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Flags     |                PB-TNC Vendor ID               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      PB-TNC Message Type                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                     PB-TNC Message Length                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |            PB-TNC Message Value (Variable Length)             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  9. IETF Standard PB-TNC Message Types

     Message Type  Definition
     ------------  ----------
          0        PB-Experimental - reserved for experimental use
          1        PB-Batch-Type - indicates the type of the PB-TNC batch that contains this message
          2        PB-PA - contains a PA message
          3        PB-Access-Recommendation - includes Posture Broker Server access recommendation (also known as global assessment decision)
          4        PB-Remediation-Parameters - includes Posture Broker Server remediation parameters
          5        PB-Error - error indicator
          6        PB-Language-Preference - sender's preferred language(s) for human-readable strings
          7        PB-Reason-String - string explaining reason for Posture Broker Server access recommendation

  10. PB-TNC Batch-Type Message

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Flags     |                PB-TNC Vendor ID               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      PB-TNC Message Type                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                     PB-TNC Message Length                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |D|                  Reserved                   |  Batch Type   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  11. PB-TNC Batch Types

     Number  Name
     ------  ----
        1    CDATA
        2    SDATA
        3    RESULT
        4    CRETRY
        5    SRETRY

  12. PB-PA Message

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Flags     |                PB-TNC Vendor ID               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      PB-TNC Message Type                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                     PB-TNC Message Length                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Flags     |              PA Message Vendor ID             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          PA Subtype                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Posture Collector Identifier |  Posture Validator Identifier |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |               PA Message Body (Variable Length)               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  13. Questions about PB-TNC?

  14. PA-TNC

  15. PA-TNC Purpose & Requirements
     • PA Purpose
       • Carry attributes between PCs & PVs
     • PA Challenging Requirements
       • MUST support extensible set of standard attributes
       • MUST support extensible set of vendor-specific attributes
       • MUST support Posture Request attributes
       • MUST support half-duplex PT
       • MUST support grouping attributes to minimize round trips
       • MUST operate efficiently over low-bandwidth links
       • SHOULD provide security

  16. PA-TNC Design Features
     • Use message routing (PA Subtype) to ID component
       • Anti-Virus, Firewall, HIPS, OS, VPN, etc.
     • Realize that most attributes apply across all components
       • Manufacturer, product ID, version, operational status, attribute request
       • So provide a standard way to describe these attributes, but allow extensions
     • Use compact message format (Binary TLV)
     • Design for extensibility
       • No short fields, several reserved fields
       • IANA process for standard extensions
       • Vendor IDs for non-standard extensions (cannot be required)
     • Separate PA-TNC security since WG was uncertain

  17. PA-TNC Within PB-TNC

     PT
       PB-TNC Header
       PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
       PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
         PA-TNC Message
           PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
           PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

  18. IETF Standard PA Subtypes

     Number  Name
     ------  ----
        0    Testing
        1    Operating System
        2    Anti-Virus
        3    Anti-Spyware
        4    Anti-Malware
        5    Firewall
        6    IDPS
        7    VPN

  19. PA-TNC Message Header

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Version    |                   Reserved                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      Message Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  20. PA-TNC Attribute

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Flags     |          PA-TNC Attribute Vendor ID           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                     PA-TNC Attribute Type                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                    PA-TNC Attribute Length                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                        Correlation ID                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |               Attribute Value (Variable Length)               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  21. IETF Standard PA-TNC Attribute Types

     Number  Name
     ------  ----
        0    Testing
        1    Attribute Request
        2    Product Information
        3    Numeric Version
        4    String Version
        5    Operational Status
        6    Port Filter
        7    Installed Packages
        8    PA-TNC Error

  22. Main Types Defined in PB-TNC and PA-TNC
     • PB-TNC Message Type
       • PB-Batch-Type, PB-PA, etc.
     • PB-TNC Batch Type
       • CDATA, SDATA, etc.
     • PA Subtype
       • Operating System, Anti-Virus, etc.
     • PA-TNC Attribute Type
       • Product Information, Numeric Version, etc.
     • All easily extensible except PB-TNC Batch Type
       • Via PEN (IANA Private Enterprise Number) for vendor-specific values
       • Via IANA registry for standard values
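The encapsulation on slides 6 and 17 and the TLV layouts on slides 7, 8, 10, 12, 19 and 20, as an encoder and a bounds-checking parser in Python. This is an added example, not code from the presentation or from any TNC/NEA implementation. The slides show the layouts but not the bit widths, so the widths in the docstring are assumptions, as are the value encodings chosen for Product Information (a UTF-8 product name) and Numeric Version (two 32-bit integers, major and minor). Nested length-prefixed TLVs are where such parsers go wrong, so every Length is checked against the container it sits in before any slice is taken, and unknown or vendor-specific messages and attributes are skipped rather than treated as fatal, matching the "cannot be required" rule on slides 4 and 16.

```python
"""Encoder and bounds-checking parser for the PB-TNC / PA-TNC TLV layouts.

Added example, not code from the presentation or any NEA implementation.
Assumed field widths (the slides show layouts, not bit counts):
  PB-TNC header    Version(8) Reserved(24) Batch Length(32)
  PB-TNC message   Flags(8) Vendor ID(24) Type(32) Length(32) Value
  PB-Batch-Type    D(1) Reserved(23) Batch Type(8)
  PB-PA value      Flags(8) PA Vendor ID(24) PA Subtype(32) PC ID(16) PV ID(16) body
  PA-TNC header    Version(8) Reserved(24) Message Identifier(32)
  PA-TNC attribute Flags(8) Vendor ID(24) Type(32) Length(32) Correlation ID(32) Value
Lengths include the header they belong to. Product Information as a UTF-8 name
and Numeric Version as two 32-bit integers (major, minor) are assumptions too.
"""
import struct

PB_BATCH_TYPE, PB_PA = 1, 2                     # PB-TNC message types (slide 9)
BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY"}
PA_SUBTYPE_OS = 1                                # PA subtype (slide 18)
ATTR_PRODUCT_INFO, ATTR_NUMERIC_VERSION = 2, 3   # PA-TNC attribute types (slide 21)


def pb_message(msg_type, value, flags=0, vendor_id=0):
    fv = (flags << 24) | (vendor_id & 0xFFFFFF)
    return struct.pack("!III", fv, msg_type, 12 + len(value)) + value

def pb_batch_type(batch_type, d_flag=0):
    return pb_message(PB_BATCH_TYPE, struct.pack("!I", (d_flag << 31) | batch_type))

def pb_pa(pa_vendor_id, pa_subtype, pc_id, pv_id, pa_body, flags=0):
    fv = (flags << 24) | (pa_vendor_id & 0xFFFFFF)
    return pb_message(PB_PA, struct.pack("!IIHH", fv, pa_subtype, pc_id, pv_id) + pa_body)

def pb_batch(messages, version=1):
    body = b"".join(messages)
    return struct.pack("!B3xI", version, 8 + len(body)) + body

def pa_attribute(attr_type, value, correlation_id=0, flags=0, vendor_id=0):
    fv = (flags << 24) | (vendor_id & 0xFFFFFF)
    return struct.pack("!IIII", fv, attr_type, 16 + len(value), correlation_id) + value

def pa_message(attributes, message_id, version=1):
    return struct.pack("!B3xI", version, message_id) + b"".join(attributes)

def build_example_batch():
    """The CDATA batch on the 'PA-TNC Within PB-TNC' slide (constructed bytes)."""
    attrs = [pa_attribute(ATTR_PRODUCT_INFO, "Windows XP".encode()),
             pa_attribute(ATTR_NUMERIC_VERSION, struct.pack("!II", 5, 3))]
    pa = pa_message(attrs, message_id=0x1234)
    return pb_batch([pb_batch_type(1),                          # CDATA
                     pb_pa(0, PA_SUBTYPE_OS, pc_id=1, pv_id=0, pa_body=pa)])

def parse_pa_message(data):
    """Return [(attribute name, decoded value)], checking each Length first."""
    if len(data) < 8:
        raise ValueError("truncated PA-TNC message header")
    attrs, off = [], 8
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated PA-TNC attribute header")
        fv, atype, alen, _corr = struct.unpack("!IIII", data[off:off + 16])
        if alen < 16 or off + alen > len(data):
            raise ValueError("PA-TNC attribute length outside message")
        vendor, val = fv & 0xFFFFFF, data[off + 16:off + alen]
        if vendor == 0 and atype == ATTR_PRODUCT_INFO:
            attrs.append(("Product Information", val.decode("utf-8")))
        elif vendor == 0 and atype == ATTR_NUMERIC_VERSION and len(val) >= 8:
            attrs.append(("Numeric Version", struct.unpack("!II", val[:8])))
        else:  # unknown or vendor-specific: keep raw, never fail on it
            attrs.append((f"unknown {vendor}/{atype}", val))
        off += alen
    return attrs

def parse_batch(data):
    """Walk one PB-TNC batch; return its batch type and the PB-PA payloads."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC header")
    version, batch_len = struct.unpack("!B3xI", data[:8])
    if batch_len != len(data):
        raise ValueError("Batch Length does not match bytes received")
    out, off = {"version": version, "batch_type": None, "pa": []}, 8
    while off < batch_len:
        if batch_len - off < 12:
            raise ValueError("truncated PB-TNC message header")
        fv, mtype, mlen = struct.unpack("!III", data[off:off + 12])
        if mlen < 12 or off + mlen > batch_len:
            raise ValueError("PB-TNC message length outside batch")
        vendor, val = fv & 0xFFFFFF, data[off + 12:off + mlen]
        if vendor == 0 and mtype == PB_BATCH_TYPE and len(val) >= 4:
            out["batch_type"] = BATCH_TYPES.get(val[3], val[3])   # low byte
        elif vendor == 0 and mtype == PB_PA:
            if len(val) < 12:
                raise ValueError("short PB-PA message")
            fv2, subtype, pc_id, pv_id = struct.unpack("!IIHH", val[:12])
            out["pa"].append({"pa_vendor_id": fv2 & 0xFFFFFF, "pa_subtype": subtype,
                              "pc_id": pc_id, "pv_id": pv_id,
                              "attributes": parse_pa_message(val[12:])})
        off += mlen   # anything else is skipped: extensions cannot be required
    return out

def rejects(data):
    """True when parse_batch refuses the bytes; exercises the length checks."""
    try:
        parse_batch(data)
    except ValueError:
        return True
    return False
```

Running `parse_batch(build_example_batch())` gives back the CDATA batch type and one PB-PA entry routed by vendor 0 / subtype 1 (Operating System) whose attributes decode to the two slide-17 values; trimming one byte off the end, or inflating the PB-PA message's Length field, is rejected before the parser reads past the batch.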

  23. Questions about PA-TNC?

  24. PA-TNC Security

  25. PA-TNC Security Purpose & Requirements
     • PA-TNC Security Purpose
       • Secure attributes between PCs & PVs
     • PA-TNC Security Challenging Requirements
       • SHOULD provide authentication, integrity, and confidentiality protection of PA attributes
       • [If security protection is included,] MUST protect against active and passive attacks by intermediaries and endpoints, including replay attacks
       • MUST operate efficiently over low-bandwidth links

  26. PA-TNC Security Design Features
     • Use Cryptographic Message Syntax (CMS) to secure PA-TNC messages
       • Avoids need for roundtrips to establish session keys
       • Allows for granular use of PA-TNC security only when desired
       • Allows for authentication without confidentiality
       • Extensible for nonce and capabilities exchange
     • Allow protection of multiple attributes at once
       • Reduces bandwidth
     • Assume that PCs and PVs handle authorization

  27. CMS Protected Content PA-TNC Attribute Type
     • New PA-TNC Attribute Type
     • May be contained in any PA Subtype
     • Contains CMS ContentInfo structure
     • May have signed-data or enveloped-data

  28. signed-data
     • Used when confidentiality protection is not needed
     • encapContentInfo MUST contain one or more PA-TNC attributes
     • certificates MUST include signer's certificate and SHOULD include certificate path to trust anchor
     • crls MAY include CRLs
     • Only one SignerInfo permitted
     • MUST include signedAttrs with Nonce CMS attribute
     • Algorithms
       • MUST: RSA 2048 & SHA-256
       • MUST- (required now, expected to be downgraded later): SHA-1
       • SHOULD: ECDSA 256

  29. Nonce CMS Attribute
     • Provides replay protection
     • MUST be included in all signedAttrs
     • Includes pcNonce and pvNonce fields
     • PC & PV select unpredictable initial values
     • Increment to 2^32-1, then reselect

  30. enveloped-data
     • Used when confidentiality protection is needed
     • encryptedContentInfo MUST contain encrypted version of signed-data
     • originatorInfo MUST include signer's certificate and SHOULD include certificate path to trust anchor, MAY include CRLs
     • recipientInfo contains encryption keys for recipients

  31. enveloped-data Algorithms

  32. Security Capabilities PA-TNC Attribute Type
     • Used to indicate prioritized list of supported algorithms
     • May be contained in any PA Subtype
     • May be requested with Attribute Request
     • Contains signed-data with Nonce and paTncSecurityCapabilities in SignerInfo's signedAttrs and empty encapContent

  33. Concerns with PA-TNC Security
     • Need review by CMS experts
     • Concern about data size
     • Concern about complexity for PC & PV
     • Concern about difficulty of configuring PC & PV authorization

  34. Questions about PA-TNC Security?
