NEA Working Group, IETF 76, November 9, 2009 (meeting slides)
Slide 1: NEA Working Group, IETF 76
November 9, 2009
Mailing list: nea@ietf.org
http://tools.ietf.org/wg/nea
Co-chairs: Steve Hanna, shanna@juniper.net; Susan Thomson, Cisco

Slide 2: Agenda Review
  • 1740 Administrivia: blue sheets, Jabber & minute scribes, agenda bashing
  • 1745 WG Status
  • 1750 NEA Reference Model review
  • 1755 Review of process for soliciting proposals for the PT protocol
  • 1800 Summary of changes in PA-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pa-tnc-06.txt
  • 1805 Summary of changes in PB-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pb-tnc-06.txt
  • 1815 Conceptual overview of Posture Transport protocols
  • 1930 Discuss proposed milestone update
  • 1940 Adjourn

Slide 3: WG Status

Slide 4: WG Accomplishments since IETF 75
  • Updated PA-TNC & PB-TNC to address IESG issues
  • IESG has approved PA-TNC -06 I-D!
  • Verifying consensus on PB-TNC changes (comments due by November 16)
  • Then IESG will approve PB-TNC
  • IESG approved NEA charter update to work on PT
  • Call for submissions for PT proposals (due by Jan 4)

Slide 5: Review of Process for PT
  • Same process as for PA and PB
  • Solicit individual submissions by Jan 4
  • WG reviews proposals
  • WG determines contents of -00 NEA WG I-Ds
  • Normal IETF development process from there

Slide 6: NEA Reference Model

Slide 7: NEA Reference Model from RFC 5209
  • NEA Client: Posture Collectors, Posture Broker Client, Posture Transport Client
  • NEA Server: Posture Validators, Posture Broker Server, Posture Transport Server
  • Posture Attribute (PA) protocol: between Posture Collectors and Posture Validators
  • Posture Broker (PB) protocol: between Posture Broker Client and Posture Broker Server
  • Posture Transport (PT) protocols: between Posture Transport Client and Posture Transport Server

Slide 8: PA-TNC Within PB-TNC Within PT
  • PT
    • PB-TNC Header (Batch-Type=CDATA)
      • PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        • PA-TNC Message
          • PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          • PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 9: Summary of Changes to PA-TNC

Slide 10: Summary of Changes in draft-ietf-nea-pa-tnc-05.txt
  • Removed long discussion of TCG
  • Removed PA-TNC field types
  • Added language tag for remediation string
  • Removed mention of previously proposed PA-TNC Security Protocol
  • Fixes and clarifications

Slide 11: Summary of Changes in draft-ietf-nea-pa-tnc-06.txt
  • Removed more references to PA-TNC Security Protocol
  • Added text on how PT security protects PA-TNC
  • Changed IANA Considerations to match WG consensus
  • Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
  • Fixes and clarifications

Slide 12: Summary of Changes to PB-TNC

Slide 13: WG Consensus Check Going Now
  • Currently running WG consensus check on changes made in PB-TNC -05 and -06
  • Please email nea@ietf.org with any comments by November 16
  • Or bring up comments here (but please email also)

Slide 14: Summary of Changes in draft-ietf-nea-pb-tnc-05.txt
  • Removed long discussion of TCG; replaced with small acknowledgment
  • Tightened up error handling
  • Added CLOSE batch type (see next slide)
  • Added additional PT requirements (see later slide)
  • Added language tag for remediation string
  • Changed language tag length to 8 bits
  • Fixes and clarifications

Slide 15: New CLOSE Batch Type
  • Previously, no CLOSE batch type
    • Fatal errors had to be sent in some other (inappropriate) batch type
    • Non-error close handled by closing transport
  • Added explicit CLOSE batch type
    • Used for fatal errors and non-error close
  • No change to PB-TNC state machine

Slide 16: PB-TNC State Machine (FYI)
  [ASCII state diagram: states Init, Server Working, Client Working and End; transitions CDATA, SDATA, RESULT, CRETRY, SRETRY and CLOSE; "Receive CRETRY" and "Receive SRETRY" loops on the working states]

Slide 17: New PT Requirements from IESG
  • PT-6: The PT protocol MUST be connection oriented; it MUST support confirmed initiation and close down.
  • PT-7: The PT protocol MUST be able to carry binary data.
  • PT-8: The PT protocol MUST provide mechanisms for flow control and congestion control.
  • PT-9: PT protocol specifications MUST describe the capabilities that they provide for and limitations that they impose on the PB protocol (e.g. half/full duplex, maximum message size).

Slide 18: Summary of Changes in draft-ietf-nea-pb-tnc-06.txt
  • Changed IANA Considerations to match WG consensus
  • Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
  • Fixes and clarifications

Slide 19: Conceptual Overview of PT Protocols

Slide 20: PT-EAP Overview

Slide 21: What is PT-EAP?
  • L2 PT proposal coming from TCG
  • Identical to TNC protocol EAP-TNC (aka IF-T Protocol Bindings for Tunneled EAP Methods)
  • NEA exchange over tunneled EAP methods
    • Supports PEAP, EAP-TTLS, and EAP-FAST
    • No change to the tunneled EAP methods
  • Meets all PT requirements

Slide 22: Why L2 PT?
  • PT-4 says PT SHOULD be able to run over 802.1X or IKEv2
  • Motivating use cases on next slide

Slide 23: Use Cases for PT-EAP
  • NEA assessment on 802.1X network
    • Consider posture in network access decision
    • Isolate vulnerable endpoints during remediation
    • Block or quarantine infected endpoints
  • NEA assessment during IKEv2 handshake
    • Assess posture before granting network access
    • Isolate vulnerable endpoints during remediation
    • Block or quarantine infected endpoints

Slide 24: PT-EAP Operation
  • Runs as an inner EAP method
    • Can be chained with other EAP methods for user or endpoint authentication
  • Supports key derivation, allowing the inner method to be cryptographically tied to the tunnel
  • Supports fragmentation and reassembly, when needed
  • Due to EAP limitations
    • Only one packet in flight (half duplex)
    • Large data transfer not recommended

Slide 25: Three Phases of PT-EAP
  1. Optional Diffie-Hellman pre-negotiation: establishes initial key
  2. PB-TNC exchange: NEA assessments, hashed into eventual key
  3. Key derivation and export

Slide 26: PT-EAP Sequence Diagram (EAP Peer and EAP Authenticator)
  • EAP tunnel setup
  • Optional D-H pre-negotiation
  • PB-TNC exchange

Slide 27: PT-EAP Message Encapsulation
  • EAP Tunneled Method
    • PT-EAP Message (EAP-Request or EAP-Response)
      • PB-TNC Header (Batch-Type=CDATA)
        • PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
          • PA-TNC Message
            • PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
            • PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 28: Features of PT-EAP
  • EAP method
    • Designed for use with tunneled EAP methods
    • Supports key derivation and export to bind method to tunnel
  • Compatible with TCG's EAP-TNC
  • Same IPR grant as PA-TNC and PB-TNC
  • Half duplex (one packet in flight)
  • Generally low bandwidth
  • Simple congestion control (one packet in flight)
  • Works over 802.1X and IKEv2 (since EAP does)
  • Simple but extensible

Slide 29: Implementations of PT-EAP
  • Several open source implementations: TNC@FHH, OpenSEA, wpa_supplicant, FreeRADIUS, libtnc
  • Commercial implementations also

Slide 30: Questions?

Slide 31: PT-TLS Overview

Slide 32: What is PT-TLS?
  • L3 PT proposal coming from TCG
  • Identical to TNC protocol IF-T Binding to TLS
  • NEA exchange over TLS
    • Carried as application data
    • No change to TLS
  • Meets all PT requirements

Slide 33: Why L3 PT?
  • PT-5 says PT SHOULD be able to run over TCP or UDP
  • Motivating use cases on next slide

Slide 34: Use Cases for PT-TLS
  • NEA assessment on non-802.1X network
    • Legacy network
    • Remote access
  • Large amount of data in NEA assessment
    • For example, installed packages
    • Unsuitable for EAP transport
  • Posture re-assessment or monitoring after 802.1X assessment
  • Application server needs to perform NEA assessment

Slide 35: Three Phases of PT-TLS
  1. TLS handshake: unmodified
  2. Pre-negotiation: version negotiation, optional client authentication
  3. Data transport: NEA assessments

Slide 36: PT-TLS Sequence Diagram (PT-TLS Initiator and PT-TLS Responder)
  • TLS handshake
  • Version request / version response
  • Optional client authentication
  • PB-TNC exchange
  • TLS closure alerts

Slide 37: PT-TLS Message Encapsulation
  • TLS Record Protocol
    • PT-TLS Message (Vendor ID=0, Type=PB-TNC Batch)
      • PB-TNC Header (Batch-Type=CDATA)
        • PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
          • PA-TNC Message
            • PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
            • PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 38: Features of PT-TLS
  • Layered on established secure protocol (TLS)
    • No changes to TLS, only application data over it
  • Compatible with TCG's IF-T/TLS
  • Same IPR grant as PA-TNC and PB-TNC
  • Full duplex
  • High bandwidth
  • Congestion controlled
  • Easy to implement using any TLS library
  • Works over any IP network
  • Extensible

Slide 39: Implementations of PT-TLS
  • Fairly new spec: announced May 2009
  • Several implementations rumored but none publicly announced

Slide 40: Questions?

Slide 41: Discuss Proposed Milestone Updates

Slide 42: Proposed Revised Milestones
  • Done: Call for individual submissions for PT protocols
  • Jan 2010: Proposals for PT due; review and resolve proposals at interim meeting
  • Feb 2010: Post -00 WG version of PT protocols
  • Mar 2010: Review and resolve issues at IETF 77
  • Apr 2010: Post -01 version of PT protocols
  • Jun 2010: WGLC on PT protocols
  • Jul 2010: Resolve WGLC comments at IETF 78
  • Aug 2010: Post -02 version of PT protocols
  • Sep 2010: IETF LC for PT protocols
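Slides 8, 27 and 37 all show the same nesting: a PB-TNC batch (Batch-Type=CDATA) carrying a PB-PA message whose body is a PA-TNC message with Product Info and Numeric Version attributes, and slide 15 adds the CLOSE batch type. The Python below is an added example written for this page; it is not code from the deck, from TCG, or from any of the NEA implementations named on slide 29. It builds that CDATA batch on the wire, builds an empty CLOSE batch, and parses both back, bounds-checking every length field so an inner message or attribute cannot claim more bytes than its enclosing layer actually holds (the check a posture broker needs before handing data to collectors and validators). Field layouts and numeric codes (PB-TNC version 2, batch types CDATA=1 and CLOSE=6, PB-PA message type 1, PA subtype Operating System=1, PA-TNC version 1, attribute types Product Info=2 and Numeric Version=3) are assumptions taken from RFC 5793 and RFC 5792 rather than from the slides; the product vendor/ID values and the message identifier are constructed placeholders.

```python
import struct

# Field layouts and numeric codes follow RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC).
# They are assumptions taken from those RFCs; the slides name the fields, not the encoding.
PB_VERSION = 2
PB_BATCH_CDATA, PB_BATCH_CLOSE = 1, 6   # batch types
PB_MSG_PA = 1                           # PB-PA message type (vendor ID 0)
PB_FLAG_NOSKIP = 0x80
PA_SUBTYPE_OS = 1                       # "Operating System" PA subtype
PA_VERSION = 1
PA_ATTR_PRODUCT_INFO, PA_ATTR_NUMERIC_VERSION = 2, 3

def _u24(n):
    return n.to_bytes(3, "big")

def tlv(flags, vendor_id, rtype, value):
    # Shared 12-byte header used by both PB-TNC messages and PA-TNC attributes:
    # Flags(8) VendorID(24) Type(32) Length(32, includes the header) Value
    return bytes([flags]) + _u24(vendor_id) + struct.pack(">II", rtype, 12 + len(value)) + value

def pa_message(attributes, msg_id):
    # PA-TNC message: Version(8)=1 Reserved(24) MessageIdentifier(32), then attributes
    return bytes([PA_VERSION, 0, 0, 0]) + struct.pack(">I", msg_id) + b"".join(attributes)

def pb_pa_message(pa_msg, pa_subtype, pa_vendor_id=0, collector=0, validator=0):
    # PB-PA value: Flags(8) PAVendorID(24) PASubtype(32) CollectorID(16) ValidatorID(16) PA message
    value = bytes([0]) + _u24(pa_vendor_id) + struct.pack(">IHH", pa_subtype, collector, validator) + pa_msg
    return tlv(PB_FLAG_NOSKIP, 0, PB_MSG_PA, value)   # RFC 5793: PB-PA must carry NOSKIP

def pb_batch(batch_type, messages, from_server=False):
    # PB-TNC batch header: Version(8)=2 D(1) Reserved(19) BatchType(4) Length(32, includes header)
    body = b"".join(messages)
    word0 = (PB_VERSION << 24) | (0x800000 if from_server else 0) | (batch_type & 0xF)
    return struct.pack(">II", word0, 8 + len(body)) + body

def build_slide8_batch():
    """The CDATA batch of slide 8 on the wire; product vendor/ID 0 and message ID 1 are constructed."""
    product = tlv(0, 0, PA_ATTR_PRODUCT_INFO, _u24(0) + struct.pack(">H", 0) + b"Windows XP")
    version = tlv(0, 0, PA_ATTR_NUMERIC_VERSION, struct.pack(">IIIHH", 5, 3, 0, 0, 0))
    return pb_batch(PB_BATCH_CDATA, [pb_pa_message(pa_message([product, version], 1), PA_SUBTYPE_OS)])

def parse_tlvs(data, start):
    """Walk Flags/VendorID/Type/Length records, bounds-checking each length against the enclosing layer."""
    off, out = start, []
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated header at offset %d" % off)
        rtype, rlen = struct.unpack(">II", data[off + 4:off + 12])
        if rlen < 12 or off + rlen > len(data):
            raise ValueError("length %d at offset %d escapes enclosing layer" % (rlen, off))
        out.append((data[off], int.from_bytes(data[off + 1:off + 4], "big"), rtype, data[off + 12:off + rlen]))
        off += rlen
    return out

def decode_attribute(vendor, atype, val):
    if vendor == 0 and atype == PA_ATTR_PRODUCT_INFO and len(val) >= 5:
        return {"type": "Product Info", "product_vendor": int.from_bytes(val[:3], "big"),
                "product_id": struct.unpack(">H", val[3:5])[0], "product_name": val[5:].decode("utf-8")}
    if vendor == 0 and atype == PA_ATTR_NUMERIC_VERSION and len(val) == 16:
        major, minor, build, sp_major, sp_minor = struct.unpack(">IIIHH", val)
        return {"type": "Numeric Version", "major": major, "minor": minor, "build": build,
                "service_pack": (sp_major, sp_minor)}
    return {"type": (vendor, atype), "value": val}   # unknown attribute kept raw

def parse_pa_message(body):
    if len(body) < 8 or body[0] != PA_VERSION:
        raise ValueError("bad PA-TNC message header")
    return {"msg_id": struct.unpack(">I", body[4:8])[0],
            "attributes": [decode_attribute(v, t, val) for _, v, t, val in parse_tlvs(body, 8)]}

def parse_batch(data):
    """Parse one PB-TNC batch into a dict, decoding the PB-PA and PA-TNC layers inside it."""
    if len(data) < 8:
        raise ValueError("short batch header")
    word0, length = struct.unpack(">II", data[:8])
    if word0 >> 24 != PB_VERSION or length != len(data):
        raise ValueError("bad PB-TNC version or batch length")
    batch = {"from_server": bool(word0 & 0x800000), "batch_type": word0 & 0xF, "messages": []}
    for flags, vendor, mtype, value in parse_tlvs(data, 8):
        msg = {"vendor_id": vendor, "type": mtype, "noskip": bool(flags & PB_FLAG_NOSKIP)}
        if vendor == 0 and mtype == PB_MSG_PA:
            if len(value) < 12:
                raise ValueError("short PB-PA header")
            subtype, collector, validator = struct.unpack(">IHH", value[4:12])
            msg.update(pa_vendor_id=int.from_bytes(value[1:4], "big"), pa_subtype=subtype,
                       collector=collector, validator=validator, pa_message=parse_pa_message(value[12:]))
        else:
            msg["value"] = value
        batch["messages"].append(msg)
    return batch

def is_well_formed(data):
    try:
        parse_batch(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(parse_batch(build_slide8_batch()))
    print(parse_batch(pb_batch(PB_BATCH_CLOSE, [], from_server=True)))
```

Because PB-TNC messages and PA-TNC attributes share the same Flags/VendorID/Type/Length header, one bounds-checked walker serves both layers; each layer is parsed only within the byte range its parent already validated, so a corrupted or hostile length in an inner attribute is rejected instead of reading past the batch. Unknown attribute and message types are returned raw so the caller can apply the NOSKIP rule itself.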