IETF 76 NEA WG

NEA Working Group, IETF 76
nea[-request]@ietf.org
http://tools.ietf.org/wg/nea
Co-chairs: Steve Hanna shanna@juniper.net, Susan Thomson sethomso@cisco.com

Agenda Review
1740 Administrivia: Blue Sheets, Jabber & Minute scribes, Agenda bashing
1745 WG Status
1750 NEA Reference Model Review
1755 Review Process for soliciting proposals for PT protocol
1800 Summary of Changes in PA-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pa-tnc-06.txt
1805 Summary of Changes in PB-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pb-tnc-06.txt
1815 Conceptual Overview of Posture Transport protocols
1930 Discuss Proposed Milestone Update
1940 Adjourn
WG Status

WG Accomplishments since IETF 75
• Updated PA-TNC & PB-TNC to address IESG issues
• IESG has approved PA-TNC -06 I-D!
• Verifying consensus on PB-TNC changes (comments due by November 16)
• Then IESG will approve PB-TNC
• IESG approved NEA charter update to work on PT
• Call for submissions for PT proposals (due by Jan 4)

Review of Process for PT
• Same process as for PA and PB
• Solicit individual submissions by Jan 4
• WG reviews proposals
• WG determines contents of -00 NEA WG I-Ds
• Normal IETF development process from there
NEA Reference Model

NEA Reference Model (from RFC 5209)
[Diagram: NEA Client (Posture Collectors, Posture Broker Client, Posture Transport Client) and NEA Server (Posture Validators, Posture Broker Server, Posture Transport Server), connected at each layer by the Posture Attribute (PA) protocol, the Posture Broker (PB) protocol and the Posture Transport (PT) protocols]

PA-TNC Within PB-TNC Within PT
PT
  PB-TNC Header (Batch-Type=CDATA)
    PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
      PA-TNC Message
        PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
        PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
Summary of Changes to PA-TNC

Summary of Changes in draft-ietf-nea-pa-tnc-05.txt
• Removed long discussion of TCG
• Removed PA-TNC field types
• Added language tag for remediation string
• Removed mention of previously proposed PA-TNC Security Protocol
• Fixes and clarifications

Summary of Changes in draft-ietf-nea-pa-tnc-06.txt
• Removed more references to PA-TNC Security Protocol
• Added text on how PT security protects PA-TNC
• Changed IANA Considerations to match WG Consensus
• Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
• Fixes and clarifications
Summary of Changes to PB-TNC

WG Consensus Check Going Now
• Currently running WG consensus check on changes made in PB-TNC -05 and -06
• Please email nea@ietf.org with any comments by November 16
• Or bring up comments here (but please email also)

Summary of Changes in draft-ietf-nea-pb-tnc-05.txt
• Removed long discussion of TCG; replaced with small acknowledgment
• Tightened up error handling
• Added CLOSE batch type (see next slide)
• Added additional PT requirements (see later slide)
• Added language tag for remediation string
• Changed language tag length to 8 bits
• Fixes and clarifications

New CLOSE Batch Type
• Previously, no CLOSE batch type
  • Fatal errors had to be sent in some other (inappropriate) batch type
  • Non-error close handled by closing transport
• Added explicit CLOSE batch type
  • Used for fatal errors and non-error close
• No change to PB-TNC state machine
PB-TNC State Machine (FYI)
[ASCII state-machine diagram from the PB-TNC draft: states Init, Server Working, Client Working, Decided and End; transitions labelled with the batch types CDATA, SDATA, RESULT, CRETRY, SRETRY and CLOSE]
New PT Requirements from IESG
• PT-6: The PT protocol MUST be connection oriented; it MUST support confirmed initiation and close down.
• PT-7: The PT protocol MUST be able to carry binary data.
• PT-8: The PT protocol MUST provide mechanisms for flow control and congestion control.
• PT-9: PT protocol specifications MUST describe the capabilities that they provide for and limitations that they impose on the PB protocol (e.g. half/full duplex, maximum message size).

Summary of Changes in draft-ietf-nea-pb-tnc-06.txt
• Changed IANA Considerations to match WG Consensus
• Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
• Fixes and clarifications
Conceptual Overview of PT protocols

PT-EAP Overview

What is PT-EAP?
• L2 PT Proposal Coming from TCG
• Identical to TNC protocol EAP-TNC (aka IF-T Protocol Bindings for Tunneled EAP Methods)
• NEA Exchange Over Tunneled EAP Methods
  • Supports PEAP, EAP-TTLS, and EAP-FAST
  • No Change to the Tunneled EAP Methods
• Meets All PT Requirements

Why L2 PT?
• PT-4 says PT SHOULD be able to run over 802.1X or IKEv2
• Motivating Use Cases on Next Slide

Use Cases for PT-EAP
• NEA Assessment on 802.1X Network
  • Consider posture in network access decision
  • Isolate vulnerable endpoints during remediation
  • Block or quarantine infected endpoints
• NEA Assessment during IKEv2 Handshake
  • Assess posture before granting network access
  • Isolate vulnerable endpoints during remediation
  • Block or quarantine infected endpoints

PT-EAP Operation
• Runs as an inner EAP method
  • Can be chained with other EAP methods for user or endpoint authentication
• Supports key derivation, allowing inner method to be cryptographically tied to tunnel
• Supports fragmentation and reassembly, when needed
• Due to EAP limitations…
  • Only one packet in flight (half duplex)
  • Large data transfer not recommended

Three Phases of PT-EAP
• Optional Diffie-Hellman Pre-Negotiation
  • Establishes initial key
• PB-TNC Exchange
  • NEA Assessments
  • Hashed into eventual key
• Key Derivation and Export
PT-EAP Sequence Diagram
[Diagram between EAP Peer and EAP Authenticator: EAP Tunnel Setup, Optional D-H Pre-Negotiation, PB-TNC Exchange]
PT-EAP Message Encapsulation
EAP Tunneled Method
  PT-EAP Message (EAP-Request or EAP-Response)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Features of PT-EAP
• EAP method
  • Designed for use with Tunneled EAP Methods
  • Supports key derivation and export to bind method to tunnel
• Compatible with TCG's EAP-TNC
  • Same IPR grant as PA-TNC and PB-TNC
• Half Duplex (one packet in flight)
• Generally Low Bandwidth
• Simple Congestion Control (one packet in flight)
• Works over 802.1X and IKEv2 (since EAP does)
• Simple but extensible

Implementations of PT-EAP
• Several open source implementations
  • TNC@FHH
  • OpenSEA
  • wpa_supplicant
  • FreeRADIUS
  • libtnc
• Commercial implementations also
Questions?

PT-TLS Overview

What is PT-TLS?
• L3 PT Proposal Coming from TCG
• Identical to TNC protocol IF-T Binding to TLS
• NEA Exchange Over TLS
  • Carried As Application Data
  • No Change to TLS
• Meets All PT Requirements

Why L3 PT?
• PT-5 says PT SHOULD be able to run over TCP or UDP
• Motivating Use Cases on Next Slide

Use Cases for PT-TLS
• NEA Assessment on Non-802.1X Network
  • Legacy Network
  • Remote Access
• Large Amount of Data in NEA Assessment
  • For example, Installed Packages
  • Unsuitable for EAP Transport
• Posture Re-assessment or Monitoring After 802.1X Assessment
• Application Server Needs to Perform NEA Assessment

Three Phases of PT-TLS
• TLS Handshake
  • Unmodified
• Pre-Negotiation
  • Version Negotiation
  • Optional Client Authentication
• Data Transport
  • NEA Assessments

PT-TLS Sequence Diagram
[Diagram between PT-TLS Initiator and PT-TLS Responder: TLS Handshake, Version Request, Version Response, Optional Client Authentication, PB-TNC Exchange …, TLS Closure Alerts]

PT-TLS Message Encapsulation
TLS Record Protocol
  PT-TLS Message (Vendor ID=0, Type=PB-TNC Batch)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
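The three encapsulation slides (PA-TNC within PB-TNC within PT, PT-EAP Message Encapsulation, PT-TLS Message Encapsulation) all carry the same inner stack: a PB-TNC CDATA batch holding one PB-PA message, which holds a PA-TNC message with Product Information and Numeric Version attributes. The example below is added here and is not code from the slides or from the TCG/NEA projects; it builds that stack byte for byte and parses it back, checking every declared length before trusting it, which is the property a Posture Broker implementation needs when the batch arrives over an untrusted PT connection. Field layouts follow RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC), the published versions of the -06 drafts this deck cites; the outer PT-EAP or PT-TLS framing is left to the transport. Microsoft's IANA enterprise number 311 is real; the product ID (1), message ID (1) and the 5.3 version taken from the slide are illustrative values.

```python
"""Build and parse the PA-TNC-in-PB-TNC layering from the encapsulation slides.
Layouts per RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC); PT framing not modelled."""
import struct

# PB-TNC constants (RFC 5793); Vendor ID 0 is the IETF namespace
PB_VERSION = 2
BATCH_CDATA, BATCH_SDATA, BATCH_RESULT = 1, 2, 3
BATCH_CRETRY, BATCH_SRETRY, BATCH_CLOSE = 4, 5, 6
PB_MSG_PB_PA = 1            # PB-TNC message type that carries a PA-TNC message
PA_SUBTYPE_OS = 1           # PA subtype "Operating System"
NOSKIP = 0x80               # flag bit: receiver must not skip this element

# PA-TNC constants (RFC 5792)
PA_VERSION = 1
ATTR_PRODUCT_INFO = 2
ATTR_NUMERIC_VERSION = 3

def pa_attribute(attr_type, value, vendor_id=0, flags=NOSKIP):
    """Flags(8) | Vendor ID(24) | Attribute Type(32) | Attribute Length(32) | value."""
    return struct.pack("!III", (flags << 24) | vendor_id, attr_type, 12 + len(value)) + value

def product_info(product_vendor_id, product_id, name):
    """Product Vendor ID(24) | Product ID(16) | Product Name (UTF-8)."""
    return product_vendor_id.to_bytes(3, "big") + struct.pack("!H", product_id) + name.encode("utf-8")

def numeric_version(major, minor, build=0, sp_major=0, sp_minor=0):
    """Major(32) | Minor(32) | Build(32) | Service Pack Major(16) | Service Pack Minor(16)."""
    return struct.pack("!IIIHH", major, minor, build, sp_major, sp_minor)

def pa_message(message_id, attributes):
    """Version(8) | Reserved(24) | Message Identifier(32) | attributes."""
    return struct.pack("!II", PA_VERSION << 24, message_id) + b"".join(attributes)

def pb_pa_message(pa_body, pa_vendor_id=0, pa_subtype=PA_SUBTYPE_OS, collector_id=0, validator_id=0):
    """PB-TNC message of type PB-PA wrapping a PA-TNC message."""
    # PB-PA value: Flags(8) | PA Message Vendor ID(24) | PA Subtype(32) |
    #              Posture Collector ID(16) | Posture Validator ID(16) | PA-TNC message
    value = struct.pack("!IIHH", pa_vendor_id & 0xFFFFFF, pa_subtype, collector_id, validator_id) + pa_body
    # PB-TNC message: Flags(8) | Vendor ID(24) | Message Type(32) | Message Length(32) | value
    return struct.pack("!III", NOSKIP << 24, PB_MSG_PB_PA, 12 + len(value)) + value

def pb_batch(batch_type, messages, from_server=False):
    """PB-TNC header: Version(8) | D(1) | Reserved(19) | Batch Type(4) | Batch Length(32)."""
    body = b"".join(messages)
    word1 = (PB_VERSION << 24) | ((1 << 23) if from_server else 0) | (batch_type & 0xF)
    return struct.pack("!II", word1, 8 + len(body)) + body

def decode_attribute(vendor_id, attr_type, value):
    """Decode the two IETF attributes used on the slide; leave others opaque."""
    if vendor_id == 0 and attr_type == ATTR_PRODUCT_INFO and len(value) >= 5:
        return ("product_info", int.from_bytes(value[:3], "big"),
                struct.unpack("!H", value[3:5])[0], value[5:].decode("utf-8", "replace"))
    if vendor_id == 0 and attr_type == ATTR_NUMERIC_VERSION and len(value) == 16:
        return ("numeric_version",) + struct.unpack("!IIIHH", value)
    return ("unknown", vendor_id, attr_type, value)

def parse_pa_message(pa):
    if len(pa) < 8 or pa[0] != PA_VERSION:
        raise ValueError("bad PA-TNC message header")
    attrs, pos = [], 8
    while pos < len(pa):
        if len(pa) - pos < 12:
            raise ValueError("truncated PA-TNC attribute header")
        hdr, attr_type, attr_len = struct.unpack("!III", pa[pos:pos + 12])
        if attr_len < 12 or pos + attr_len > len(pa):   # never trust a declared length
            raise ValueError("PA-TNC attribute length out of bounds")
        attrs.append(decode_attribute(hdr & 0xFFFFFF, attr_type, pa[pos + 12:pos + attr_len]))
        pos += attr_len
    return {"message_id": struct.unpack("!I", pa[4:8])[0], "attributes": attrs}

def parse_batch(data):
    """Parse a PB-TNC batch; every declared length is checked against the bytes present."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC header")
    word1, batch_len = struct.unpack("!II", data[:8])
    if word1 >> 24 != PB_VERSION or batch_len != len(data):
        raise ValueError("unsupported version or batch length mismatch")
    batch = {"batch_type": word1 & 0xF, "from_server": bool(word1 & (1 << 23)), "messages": []}
    pos = 8
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated PB-TNC message header")
        hdr, msg_type, msg_len = struct.unpack("!III", data[pos:pos + 12])
        if msg_len < 12 or pos + msg_len > len(data):
            raise ValueError("PB-TNC message length out of bounds")
        value = data[pos + 12:pos + msg_len]
        if hdr & 0xFFFFFF == 0 and msg_type == PB_MSG_PB_PA:
            if len(value) < 12:
                raise ValueError("truncated PB-PA message")
            flags_vid, subtype, _coll, _val = struct.unpack("!IIHH", value[:12])
            msg = parse_pa_message(value[12:])
            msg.update(pa_vendor_id=flags_vid & 0xFFFFFF, pa_subtype=subtype)
            batch["messages"].append(msg)
        elif hdr & (NOSKIP << 24):
            raise ValueError("unknown PB-TNC message marked NOSKIP")
        pos += msg_len
    return batch

def slide_example():
    """The CDATA batch from the slide.  Microsoft's IANA enterprise number 311 is real;
    product ID 1 and message ID 1 are constructed; version 5.3 is copied from the slide."""
    pa = pa_message(1, [pa_attribute(ATTR_PRODUCT_INFO, product_info(311, 1, "Windows XP")),
                        pa_attribute(ATTR_NUMERIC_VERSION, numeric_version(5, 3))])
    return pb_batch(BATCH_CDATA, [pb_pa_message(pa)])

if __name__ == "__main__":
    print(parse_batch(slide_example()))
```

Running the module prints the parsed batch (type CDATA, one PB-PA message carrying the two attributes). The batch-level, message-level and attribute-level length checks are the point: each layer declares its own length, and a receiver that indexes by those declared values without comparing them to the bytes actually present reads past the buffer on a malformed batch; the PT layer (PT-EAP or PT-TLS) protects the bytes in transit but not against a broken or hostile peer.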
Features of PT-TLS
• Layered on established secure protocol (TLS)
  • No changes to TLS, only application data over it
• Compatible with TCG's IF-T/TLS
  • Same IPR grant as PA-TNC and PB-TNC
• Full Duplex
• High Bandwidth
• Congestion Controlled
• Easy to Implement using any TLS library
• Works over any IP network
• Extensible

Implementations of PT-TLS
• Fairly new spec
  • Announced May 2009
• Several implementations rumored but none publicly announced

Questions?

Discuss Proposed Milestone Updates

Proposed Revised Milestones
Done: Call for individual submissions for PT protocols
Jan 2010: Proposals for PT due; Review and resolve proposals at interim meeting
Feb 2010: Post -00 WG version of PT protocols
Mar 2010: Review and resolve issues at IETF 77
Apr 2010: Post -01 version of PT protocols
Jun 2010: WGLC on PT protocols
Jul 2010: Resolve WGLC comments at IETF 78
Aug 2010: Post -02 version of PT protocols
Sep 2010: IETF LC for PT protocols