Page 1
NEA Working Group
IETF 72
nea[-request]@ietf.org
http://tools.ietf.org/wg/nea
Co-chairs: Steve Hanna shanna@juniper.net
Susan Thomson sethomso@cisco.com
Page 2
Agenda Review
0900 Administrivia
– Blue Sheets
– Jabber & Minute scribes
– Agenda bashing
0905 WG Status
0910 Protocol Overview
0915 Changes in -01 version of PB-TNC and PA-TNC:
http://www.ietf.org/internet-drafts/draft-ietf-nea-pa-tnc-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-nea-pb-tnc-01.txt
0930 Protocol Flows
1015 Proposed Changes in -02 version of PB-TNC and PA-TNC
1100 Open Discussion
1125 Review Milestones
1130 Adjourn
Page 3
WG Accomplishments since IETF 71
• Consensus Check on PA-TNC, PB-TNC as WG docs (Mar 2008)
• PA-TNC and PB-TNC -00 I-D (April 2008)
• WG Last Call for NEA requirements (April 2008)
• NEA Requirements published as RFC 5209 (May 2008)
• PA-TNC and PB-TNC -01 I-D (July 2008)
http://www.ietf.org/internet-drafts/draft-ietf-nea-pa-tnc-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-nea-pb-tnc-01.txt
Page 4
NEA Protocol Overview
Page 5
NEA Reference Model (from RFC 5209)
NEA Client                                                    NEA Server
Posture Collectors       <-- Posture Attribute (PA) protocol -->   Posture Validators
Posture Broker Client    <-- Posture Broker (PB) protocol -->      Posture Broker Server
Posture Transport Client <-- Posture Transport (PT) protocols -->  Posture Transport Server
Page 6
PA-TNC Within PB-TNC
PT
  PB-TNC Header
  PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
    PA-TNC Message
      PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
      PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
Page 7
Changes in PB-TNC, PA-TNC Version -01
Page 8
Changes in -01 versions of PB-TNC and PA-TNC
Steve Hanna <shanna@juniper.net>
Kaushik Narayan <[email protected]>
IETF 72
Page 9
Common changes
• Scaled back text on TCG/TNC
• Added Design Considerations
• Added evaluation for Requirement C-11
• Added Appendix A (flows/use cases)
• Added Kaushik Narayan as co-editor
Page 10
Changes only in PB-TNC -01
• MUST send error if message len < 12
Page 11
PB-TNC Design Considerations (Section 2)
• Efficiency
– Binary TLVs
• Vendor ID
– SMI PEN, assigned by IANA
– Avoids collisions between vendor-defined values
– IETF Standard values use Vendor ID 0
• Two Choices for Message Addressing
– PB-TNC Message Type (when EXPL = 0)
  • PVs and PCs Subscribe To Message Types
  • Message Type = PB-TNC Vendor ID + PA Subtype
– Explicit Delivery (when EXPL = 1)
  • PBC/PBS delivers message only to one PC/PV
  • PC/PV identified by PC ID or PV ID field
Page 12
Changes only in PA-TNC -01
• Added Field Types
– Defines commonly used primitive types in the value field of attributes.
– Types include
  • OctetArray (Binary data)
  • Integer (32 bit unsigned integer)
  • String (UTF-8 encoded Octet Array)
  • IPv4Address
  • IPv6Address
  • TimeString (UTC, RFC3339 compliant string)
  • VersionNum (64 bit value with major & minor version)
Page 13
PA-TNC Design Considerations (Section 2)
• Standard attribute namespace
– Standard PA sub-types and attributes to enable multi-vendor interoperability.
• Vendor specific namespace
– Vendor specific PA sub-types and attributes to enable vendor differentiation and agility
• TLV encoding
– Binary encoding to optimize for bits-on-the-wire and CPU utilization.
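The field-type and TLV-encoding slides above describe how PA-TNC attribute values are laid out on the wire. The following is an added example, not code from the NEA working group or either draft: it encodes the two attributes shown on the "PA-TNC Within PB-TNC" slide (Product Info "Windows XP", Numeric Version 5.3) and parses them back with the bounds checks a validator needs before trusting any length field. Assumptions: the 12-byte attribute header and the Product Information body layout are taken from the later RFC 5792, the attribute type numbers (2 and 3) from its IANA registry, and VersionNum is encoded as two 32-bit halves (the slide only says it is a 64-bit value with major and minor); the sample Windows XP message is constructed here.

```python
import struct

# 12-byte PA-TNC attribute header (layout assumed from RFC 5792):
# Flags (8) | PA-TNC Vendor ID (24) | Attribute Type (32) | Attribute Length (32, incl. header)
_ATTR_HDR = struct.Struct("!B3sII")
ATTR_HDR_LEN = _ATTR_HDR.size   # 12
FLAG_NOSKIP = 0x80              # recipient must not silently skip an attribute it does not understand

# Standard attribute types (Vendor ID 0); numeric values assumed from the RFC 5792 registry
ATTR_PRODUCT_INFO = 2
ATTR_NUMERIC_VERSION = 3


class PATNCError(ValueError):
    """Malformed input; a real PC or PV would report it with a PA-TNC Error attribute."""


def encode_string(text: str) -> bytes:
    """String field type: UTF-8 encoded octet array."""
    return text.encode("utf-8")


def encode_version(major: int, minor: int) -> bytes:
    """VersionNum field type: 64 bits, assumed here to be 32-bit major then 32-bit minor."""
    return struct.pack("!II", major, minor)


def encode_attribute(vendor_id: int, attr_type: int, value: bytes, noskip: bool = False) -> bytes:
    """Wrap a value in the attribute TLV header; vendor ID is a 24-bit SMI PEN (0 = IETF)."""
    if not 0 <= vendor_id < (1 << 24):
        raise PATNCError("vendor ID must fit in 24 bits (SMI PEN)")
    flags = FLAG_NOSKIP if noskip else 0
    length = ATTR_HDR_LEN + len(value)
    return _ATTR_HDR.pack(flags, vendor_id.to_bytes(3, "big"), attr_type, length) + value


def product_info(product_vendor_id: int, product_id: int, name: str) -> bytes:
    # Body layout assumed from RFC 5792: Product Vendor ID (3 bytes), Product ID (2 bytes), Product Name
    body = product_vendor_id.to_bytes(3, "big") + struct.pack("!H", product_id) + encode_string(name)
    return encode_attribute(0, ATTR_PRODUCT_INFO, body)


def numeric_version(major: int, minor: int) -> bytes:
    # Only the VersionNum major/minor pair is encoded; the further fields the slide elides ("...") are left out
    return encode_attribute(0, ATTR_NUMERIC_VERSION, encode_version(major, minor))


def decode_value(vendor_id: int, attr_type: int, value: bytes):
    """Decode the two standard attributes used here; None means 'not understood'."""
    if vendor_id == 0 and attr_type == ATTR_PRODUCT_INFO and len(value) >= 5:
        return {"product_vendor_id": int.from_bytes(value[:3], "big"),
                "product_id": struct.unpack("!H", value[3:5])[0],
                "name": value[5:].decode("utf-8", errors="replace")}
    if vendor_id == 0 and attr_type == ATTR_NUMERIC_VERSION and len(value) == 8:
        major, minor = struct.unpack("!II", value)
        return {"major": major, "minor": minor}
    return None


def parse_attributes(message: bytes) -> list:
    """Walk the attribute TLVs of a PA-TNC message body, checking every length field against the buffer."""
    attrs, off = [], 0
    while off < len(message):
        if len(message) - off < ATTR_HDR_LEN:
            raise PATNCError("truncated attribute header at offset %d" % off)
        flags, vid, attr_type, length = _ATTR_HDR.unpack_from(message, off)
        if length < ATTR_HDR_LEN:
            raise PATNCError("attribute length %d smaller than its header" % length)
        if off + length > len(message):
            raise PATNCError("attribute length %d runs past end of message" % length)
        vendor_id = int.from_bytes(vid, "big")
        value = message[off + ATTR_HDR_LEN:off + length]
        decoded = decode_value(vendor_id, attr_type, value)
        if decoded is None and flags & FLAG_NOSKIP:
            raise PATNCError("unsupported attribute %d/%d carries NOSKIP" % (vendor_id, attr_type))
        attrs.append((vendor_id, attr_type, value if decoded is None else decoded))
        off += length
    return attrs


def os_message() -> bytes:
    """Constructed sample matching the slide: Product Info 'Windows XP', Numeric Version 5.3."""
    return product_info(0, 0, "Windows XP") + numeric_version(5, 3)


if __name__ == "__main__":
    for attr in parse_attributes(os_message()):
        print(attr)
```

The three checks in `parse_attributes` are the ones that matter for a validator fed by an untrusted endpoint: a length below 12 would make the loop stall or step backwards, a length past the buffer would read beyond the message, and an unknown attribute with NOSKIP set must be reported rather than ignored.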
Page 14
NEA Protocol Flows
Page 15
Proposed Changes in PB-TNC, PA-TNC Version -02
Page 16
Proposed updates to Posture Broker protocol
draft-ietf-nea-pb-tnc-01.txt
Ravi Sahita
IETF 72 NEA WG
July 31, 2008
Page 17
Outline of proposed changes to NEA Posture Broker protocol
• Simplification items
• New proposed changes
– Protocol changes to allow unsolicited retries
– Evaluation results
Page 18
Simplification: Reduce Message Types
• Move PB-Batch-Type into PB-TNC header
– PB-Batch-Type carried with every batch

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|D| Reserved | Batch Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Batch Length                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
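The header proposal above, the "-01" rule that a PB-TNC message with length below 12 MUST produce an error, and the two addressing modes from the PB-TNC design-considerations slide (subscription by message type when EXPL = 0, explicit delivery by PV ID when EXPL = 1) fit together in one small receiver. The following is an added example, not code from the working group or any draft: it builds a batch whose Batch Type sits in the header, parses it back with the length checks, and routes the PB-PA messages to Posture Validators. Assumptions: the batch-header widths (Version 8, D 1, Reserved 19, Batch Type 4) and the PB-PA message prefix (Flags, PA Vendor ID, PA Subtype, PC ID, PV ID) follow what the proposal became in RFC 5793, the message-type and batch-type numbers come from that RFC's registries, PA Subtype 1 stands for Operating System and 2 for Anti-Virus, and the slide's flag name EXPL is used for the explicit-delivery bit; the batches and payloads are constructed for the example.

```python
import struct

# Batch header (8 bytes), widths assumed from RFC 5793:
# Version (8) | D (1) | Reserved (19) | Batch Type (4) | Batch Length (32, whole batch incl. header)
BATCH_HDR = struct.Struct("!II")
BATCH_HDR_LEN = BATCH_HDR.size          # 8
# PB-TNC message header (12 bytes): Flags (8) | Vendor ID (24) | Message Type (32) | Message Length (32)
MSG_HDR = struct.Struct("!B3sII")
MSG_HDR_LEN = MSG_HDR.size              # 12, hence the -01 rule that length < 12 is an error
# PB-PA message body prefix (assumed): Flags (8) | PA Vendor ID (24) | PA Subtype (32) | PC ID (16) | PV ID (16)
PA_PREFIX = struct.Struct("!B3sIHH")

MSG_TYPE_PB_PA = 1                      # Vendor ID 0 message type, value assumed from RFC 5793
FLAG_EXPL = 0x80                        # slide's EXPL bit: deliver only to the named PC/PV
BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}


class PBTNCError(ValueError):
    """Malformed batch; a real PBC/PBS would answer with a PB-Error message."""


def build_pb_pa(pa_vendor_id, pa_subtype, pc_id, pv_id, pa_message, explicit=False):
    """Wrap a PA-TNC message in a PB-PA message with its 12-byte PB-TNC message header."""
    flags = FLAG_EXPL if explicit else 0
    body = PA_PREFIX.pack(flags, pa_vendor_id.to_bytes(3, "big"), pa_subtype, pc_id, pv_id) + pa_message
    return MSG_HDR.pack(0, bytes(3), MSG_TYPE_PB_PA, MSG_HDR_LEN + len(body)) + body


def build_batch(batch_type, from_server, messages, version=2):
    """Batch Type travels in the header, so no separate PB-Batch-Type message is needed."""
    body = b"".join(messages)
    word0 = (version << 24) | (int(from_server) << 23) | (batch_type & 0xF)
    return BATCH_HDR.pack(word0, BATCH_HDR_LEN + len(body)) + body


def parse_batch(data):
    """Split a batch into messages, rejecting any length field that could walk out of bounds."""
    if len(data) < BATCH_HDR_LEN:
        raise PBTNCError("batch shorter than its header")
    word0, batch_len = BATCH_HDR.unpack_from(data, 0)
    if batch_len != len(data):   # the PT layer hands over exactly Batch Length bytes
        raise PBTNCError("batch length %d does not match %d bytes received" % (batch_len, len(data)))
    messages, off = [], BATCH_HDR_LEN
    while off < batch_len:
        if batch_len - off < MSG_HDR_LEN:
            raise PBTNCError("truncated message header at offset %d" % off)
        flags, vid, mtype, mlen = MSG_HDR.unpack_from(data, off)
        if mlen < MSG_HDR_LEN:
            raise PBTNCError("message length %d < 12, MUST send error" % mlen)
        if off + mlen > batch_len:
            raise PBTNCError("message length %d overruns the batch" % mlen)
        messages.append({"flags": flags, "vendor_id": int.from_bytes(vid, "big"),
                         "type": mtype, "body": data[off + MSG_HDR_LEN:off + mlen]})
        off += mlen
    return {"version": word0 >> 24, "from_server": bool((word0 >> 23) & 1),
            "batch_type": BATCH_TYPES.get(word0 & 0xF, word0 & 0xF), "messages": messages}


class PostureBrokerServer:
    """Toy PBS showing both addressing modes from the design-considerations slide."""

    def __init__(self):
        self.subscriptions = {}   # (PA Vendor ID, PA Subtype) -> [PV ID, ...]
        self.validators = {}      # PV ID -> list of (PC ID, PA message) delivered

    def register(self, pv_id, message_types):
        self.validators[pv_id] = []
        for mt in message_types:
            self.subscriptions.setdefault(mt, []).append(pv_id)

    def deliver(self, batch):
        """Return the PV IDs that received each PB-PA message, in delivery order."""
        delivered = []
        for msg in batch["messages"]:
            if (msg["vendor_id"], msg["type"]) != (0, MSG_TYPE_PB_PA):
                continue
            if len(msg["body"]) < PA_PREFIX.size:
                raise PBTNCError("PB-PA message shorter than its prefix")
            flags, vid, subtype, pc_id, pv_id = PA_PREFIX.unpack_from(msg["body"], 0)
            payload = msg["body"][PA_PREFIX.size:]
            if flags & FLAG_EXPL:       # explicit delivery: only the named PV, and only if it exists
                targets = [pv_id] if pv_id in self.validators else []
            else:                       # message-type delivery: every PV subscribed to (vendor, subtype)
                targets = self.subscriptions.get((int.from_bytes(vid, "big"), subtype), [])
            for target in targets:
                self.validators[target].append((pc_id, payload))
                delivered.append(target)
        return delivered


if __name__ == "__main__":
    pbs = PostureBrokerServer()
    pbs.register(1, [(0, 1)])   # PV 1 handles Operating System posture
    batch = build_batch(1, False, [build_pb_pa(0, 1, 7, 0, b"os-attrs")])
    print(parse_batch(batch)["batch_type"], pbs.deliver(parse_batch(batch)))
```

An explicit-delivery message addressed to a PV that is not registered is simply dropped here; a fuller broker would report it, but the point is that the EXPL path bypasses the subscription table, which is why the slide notes it may be needed when only one PC is meant to act on a message.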
Page 19
Proposed Addition of unsolicited retries to Posture Broker Protocol
• Allow Unsolicited Retry from NEA Client or Server at any time (if PT allows)
• Support matching requests to response messages by adding a Message Id to the protocol
• Update error reporting parameters message to allow indicating erroneous message by specifying Message Id
• See updated state machine on next slide
Page 20
Posture Broker - Updated State Machine
Page 21
Proposed Addition of Global Assessment Decision
• Indicates posture assessment result to the posture broker client
• Does not replace Access-Recommendation message type
• Suggested Values
  • Compliant
  • Non-compliant
  • Non-compliant major issue
  • Error
  • Don’t Know Result
Page 22
Proposed updates to Posture Attribute protocol
draft-ietf-nea-pa-tnc-01.txt
Paul Sangster
IETF 72 NEA WG
July 31, 2008
Page 23
PA-TNC Proposed Changes
• New Approach to Attribute Correlation
• Add PA-TNC Assessment Result Attribute
• Add PA-TNC Remediation Attribute
Page 24
Correlation ID
• Correlation ID
– Only used when PC reports posture on multiple implementations of component
– ID allows PV to associate attributes describing same implementation
– Attributes are atomic so PV needs to know which implementation associated with attribute (e.g. which AV has version 1.2.3?)
• Not expected to be the common case
Page 25
Proposed New Approach to Correlation
• Proposal
– Remove PA-TNC Correlation ID
– Integrate semantics into PB-TNC Header’s Posture Collector ID (PC ID)
  • PC ID is source identifier for use by PV
  • Now some PCs might have multiple PC IDs
– Each component implementation needs separate PA-TNC message (with different PC IDs)
• PV doesn’t know that a single PC supports multiple implementations of the same component
– Both appear as separate PCs
• PC associates different PC IDs with different implementations of same component type
Page 26
Before Correlation Change
PT
  PB-TNC Header
  PB-TNC Message TLV (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message TLV (Type=PB-PA, PA Vendor=0, PA Subtype=OS)
    PB-PA TNC Header
    PA-TNC Attribute TLV (Type=Prod Info, Prod ID=Norton AV, C=1)
    PA-TNC Attribute TLV (Type=Numeric Version, Maj=5, Min=3, C=1)
    PA-TNC Attribute TLV (Type=Prod Info, Prod ID=McAfee AV, C=2)
    PA-TNC Attribute TLV (Type=Numeric Version, Maj=1, Min=2, C=2)
Page 27
After Correlation Change
PT
  PB-TNC Header
  PB-TNC Message TLV (Type=PB-Batch-Type, Batch-Type=CDATA)
  PB-TNC Message TLV (Type=PB-PA, PA Vendor=0, PA Subtype=OS)
    PB-PA TNC Header
    PA-TNC Attribute TLV (Type=Prod Info, Prod ID=Norton AV)
    PA-TNC Attribute TLV (Type=Numeric Version, Maj=5, Min=3)
  PB-TNC Message TLV (Type=PB-PA, PA Vendor=0, PA Subtype=OS)
    PB-PA TNC Header
    PA-TNC Attribute TLV (Type=Prod Info, Prod ID=McAfee AV)
    PA-TNC Attribute TLV (Type=Numeric Version, Maj=1, Min=2)
Byte deltas marked beside the slide, top to bottom: +12B, -4B, -4B, +12B, -4B, -4B
Page 28
Correlation ID Trade-Off
• Benefit
– Simplifies PA-TNC Attribute Header
– Removes optional Attribute Header field and flag
– Fewer bits on wire when many attributes sent for same component (more common case)
• Cost
– Attributes about each implementation must be in separate PB-TNC messages
– More bits on wire when fewer attributes for multiple products reported (less common case)
– Potentially more complex PBC, PBS implementation
Page 29
Proposed Addition of Assessment Result Attribute
• PA Result Attribute conveys PV’s compliance decision about component
• Not mandatory to send
• Largely informational for Posture Collector
• Posture Collector would learn if assessment was deemed compliant only for its peer Posture Validator
• Could be accompanied by new Remediation Attribute
Page 30
Proposed Addition of Remediation Attribute
• PA-TNC Remediation Attribute allows PV to provide repair instructions to PC
• Remediation instructions allow for standard and vendor-defined data formats
• Parallels current PB-Remediation-Parameters TLV
• Exclusive delivery may be required so only one PC performs remediation
Page 31
Open Mic
Page 32
Additional Attributes?
• What additional standard attributes should be included in the standard?
• Currently have:
– Attribute Request
– Product Information
– Numeric Version
– String Version
– Operational Status
– Port Filter
– Installed Packages
– PA-TNC Error
Page 33
Additional Components?
• What additional standard components should be included in the standard?
• Currently have:
– Operating System
– Anti-Virus
– Anti-Spyware
– Anti-Malware
– Firewall
– Host-based Intrusion Detection/Prevention Software
– Virtual Private Network
Page 34
Milestones

| Date | Milestone |
|---|---|
| Done | Proposals for PA and PB due |
| Done | Review and resolve proposals at IETF 71 |
| Done | Post first WG version of PA and PB |
| Done | Post second version of PA and PB |
| Jul 2008 | Resolve issues at IETF 72 |
| Aug 2008 | Post third version of PA and PB |
| Sep 2008 | WGLC on PA and PB |
| Nov 2008 | Resolve WGLC comments at IETF 73 |
| | Post fourth version of PA and PB |
| Dec 2008 | IETF LC for PA and PB |
| Jan 2009 | IESG considers PA and PB for Proposed Standard |
Page 35
Next Steps
• Raise proposed changes on mailing list.
• Submit -02 version of PA-TNC, PB-TNC protocols based on comments received.