November 9, 2009, IETF 76 NEA WG: NEA Working Group, IETF 76. Co-chairs: Steve Hanna

Slide 1: NEA Working Group, IETF 76. Co-chairs: Steve Hanna, Susan

Slide 2: Agenda Review
1740  Administrivia
      – Blue Sheets
      – Jabber & Minute scribes
      – Agenda bashing
1745  WG Status
1750  NEA Reference Model Review
1755  Review Process for soliciting proposals for PT protocol
1800  Summary of Changes in PA-TNC since last IETF
      Summary of Changes in PB-TNC since last IETF
      Conceptual Overview of Posture Transport protocols
1930  Discuss Proposed Milestone Update
1940  Adjourn

Slide 3: WG Status

Slide 4: WG Accomplishments since IETF 75
- Updated PA-TNC & PB-TNC to address IESG issues
- IESG has approved PA-TNC -06 I-D!
- Verifying consensus on PB-TNC changes (comments due by November 16)
- Then IESG will approve PB-TNC
- IESG approved NEA charter update to work on PT
- Call for submissions for PT proposals (due by Jan 4)

Slide 5: Review of Process for PT
- Same process as for PA and PB
- Solicit individual submissions by Jan 4
- WG reviews proposals
- WG determines contents of -00 NEA WG I-Ds
- Normal IETF development process from there

Slide 6: NEA Reference Model

Slide 7: NEA Reference Model from RFC 5209
NEA Client                                              NEA Server
  Posture Collectors       <-- PA (Posture Attribute) protocol -->   Posture Validators
  Posture Broker Client    <-- PB (Posture Broker) protocol -->      Posture Broker Server
  Posture Transport Client <-- PT (Posture Transport) protocols -->  Posture Transport Server

Slide 8: PA-TNC Within PB-TNC Within PT
PT
  PB-TNC Header (Batch-Type=CDATA)
    PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
      PA-TNC Message
        PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
        PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 9: Summary of Changes to PA-TNC

Slide 10: Summary of Changes in draft-ietf-nea-pa-tnc-05.txt
- Removed long discussion of TCG
- Removed PA-TNC field types
- Added language tag for remediation string
- Removed mention of previously proposed PA-TNC Security Protocol
- Fixes and clarifications

Slide 11: Summary of Changes in draft-ietf-nea-pa-tnc-06.txt
- Removed more references to PA-TNC Security Protocol
  – Added text on how PT security protects PA-TNC
- Changed IANA Considerations to match WG Consensus
  – Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
- Fixes and clarifications

Slide 12: Summary of Changes to PB-TNC

Slide 13: WG Consensus Check Going Now
- Currently running WG consensus check on changes made in PB-TNC -05 and -06
- Please send any comments by November 16
- Or bring up comments here (but please also send them in)

Slide 14: Summary of Changes in draft-ietf-nea-pb-tnc-05.txt
- Removed long discussion of TCG
  – Replaced with small acknowledgment
- Tightened up error handling
- Added CLOSE batch type (see next slide)
- Added additional PT requirements (see later slide)
- Added language tag for remediation string
- Changed language tag length to 8 bits
- Fixes and clarifications

Slide 15: New CLOSE Batch Type
- Previously, no CLOSE batch type
  – Fatal errors had to be sent in some other (inappropriate) batch type
  – Non-error close handled by closing transport
- Added explicit CLOSE batch type
  – Used for fatal errors and non-error close
  – No change to PB-TNC state machine

Slide 16: PB-TNC State Machine (FYI)
[State diagram, not recoverable from the transcript: states Init, Server Working, Client Working, Decided and End, with transitions labelled CDATA, SDATA, RESULT, CRETRY, SRETRY and CLOSE.]

Slide 17: New PT Requirements from IESG
- PT-6: The PT protocol MUST be connection oriented; it MUST support confirmed initiation and close down.
- PT-7: The PT protocol MUST be able to carry binary data.
- PT-8: The PT protocol MUST provide mechanisms for flow control and congestion control.
- PT-9: PT protocol specifications MUST describe the capabilities that they provide for and limitations that they impose on the PB protocol (e.g. half/full duplex, maximum message size).

Slide 18: Summary of Changes in draft-ietf-nea-pb-tnc-06.txt
- Changed IANA Considerations to match WG Consensus
  – Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
- Fixes and clarifications

Slide 19: Conceptual Overview of PT protocols

Slide 20: PT-EAP Overview

Slide 21: What is PT-EAP?
- L2 PT Proposal Coming from TCG
  – Identical to TNC protocol EAP-TNC (aka IF-T Protocol Bindings for Tunneled EAP Methods)
- NEA Exchange Over Tunneled EAP Methods
  – Supports PEAP, EAP-TTLS, and EAP-FAST
  – No Change to the Tunneled EAP Methods
- Meets All PT Requirements

Slide 22: Why L2 PT?
- PT-4 says PT SHOULD be able to run over 802.1X or IKEv2
- Motivating Use Cases on Next Slide

Slide 23: Use Cases for PT-EAP
- NEA Assessment on 802.1X Network
  – Consider posture in network access decision
  – Isolate vulnerable endpoints during remediation
  – Block or quarantine infected endpoints
- NEA Assessment during IKEv2 Handshake
  – Assess posture before granting network access
  – Isolate vulnerable endpoints during remediation
  – Block or quarantine infected endpoints

Slide 24: PT-EAP Operation
- Runs as an inner EAP method
  – Can be chained with other EAP methods for user or endpoint authentication
  – Supports key derivation, allowing inner method to be cryptographically tied to tunnel
  – Supports fragmentation and reassembly, when needed
- Due to EAP limitations…
  – Only one packet in flight (half duplex)
  – Large data transfer not recommended

Slide 25: Three Phases of PT-EAP
1. Optional Diffie-Hellman Pre-Negotiation
   – Establishes initial key
2. PB-TNC Exchange
   – NEA Assessments
   – Hashed into eventual key
3. Key Derivation and Export

Slide 26: PT-EAP Sequence Diagram
[Sequence diagram between EAP Peer and EAP Authenticator: EAP Tunnel Setup, Optional D-H Pre-Negotiation, PB-TNC Exchange.]

Slide 27: PT-EAP Message Encapsulation
EAP Tunneled Method
  PT-EAP Message (EAP-Request or EAP-Response)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 28: Features of PT-EAP
- EAP method
  – Designed for use with Tunneled EAP Methods
  – Supports key derivation and export to bind method to tunnel
- Compatible with TCG's EAP-TNC
  – Same IPR grant as PA-TNC and PB-TNC
- Half Duplex (one packet in flight)
- Generally Low Bandwidth
- Simple Congestion Control (one packet in flight)
- Works over 802.1X and IKEv2 (since EAP does)
- Simple but extensible

Slide 29: Implementations of PT-EAP
- Several open source implementations
  – OpenSEA
  – wpa_supplicant
  – FreeRADIUS
  – libtnc
- Commercial implementations also

Slide 30: Questions?

Slide 31: PT-TLS Overview

Slide 32: What is PT-TLS?
- L3 PT Proposal Coming from TCG
  – Identical to TNC protocol IF-T Binding to TLS
- NEA Exchange Over TLS
  – Carried As Application Data
  – No Change to TLS
- Meets All PT Requirements

Slide 33: Why L3 PT?
- PT-5 says PT SHOULD be able to run over TCP or UDP
- Motivating Use Cases on Next Slide

Slide 34: Use Cases for PT-TLS
- NEA Assessment on Non-802.1X Network
  – Legacy Network
  – Remote Access
- Large Amount of Data in NEA Assessment
  – For example, Installed Packages
  – Unsuitable for EAP Transport
- Posture Re-assessment or Monitoring After 802.1X Assessment
- Application Server Needs to Perform NEA Assessment

Slide 35: Three Phases of PT-TLS
1. TLS Handshake
   – Unmodified
2. Pre-Negotiation
   – Version Negotiation
   – Optional Client Authentication
3. Data Transport
   – NEA Assessments

Slide 36: PT-TLS Sequence Diagram
[Sequence diagram between PT-TLS Initiator and PT-TLS Responder: TLS Handshake, Version Request, Version Response, Optional Client Authentication, PB-TNC Exchange …, TLS Closure Alerts.]

Slide 37: PT-TLS Message Encapsulation
TLS Record Protocol
  PT-TLS Message (Vendor ID=0, Type=PB-TNC Batch)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
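As an added example (not from the slides or from the IF-T binding itself), both sides of the version negotiation that opens the slide 36 exchange, followed by the PB-TNC batch framing of slide 37, in Python. The PT-TLS header layout, message type codes and error code are assumed from the later RFC 6876 (PT-TLS), not from the 2009 TCG document; SAMPLE_BATCH is a constructed stand-in for a real PB-TNC batch.

```python
import struct
PT_VENDOR_IETF = 0
PT_VERSION_REQUEST, PT_VERSION_RESPONSE, PT_PB_TNC_BATCH, PT_ERROR = 1, 2, 3, 4
ERR_VERSION_NOT_SUPPORTED = 2

def pt_message(msg_type, value, msg_id):
    """PT-TLS message: Reserved(8) | Vendor ID(24) | Type(32) | Length(32) | Identifier(32) | Value."""
    return struct.pack("!IIII", PT_VENDOR_IETF, msg_type, 16 + len(value), msg_id) + value

def parse_pt_message(data):
    """Split one PT-TLS message read from the TLS application-data stream; reject bad lengths."""
    if len(data) < 16:
        raise ValueError("truncated PT-TLS header")
    vendor, msg_type, length, msg_id = struct.unpack("!IIII", data[:16])
    if length < 16 or length != len(data):
        raise ValueError("PT-TLS length mismatch")
    return vendor & 0xFFFFFF, msg_type, msg_id, data[16:]

def version_request(min_v, max_v, pref_v, msg_id=0):
    """Initiator's first message: Reserved(8) | Min Vers(8) | Max Vers(8) | Preferred Vers(8)."""
    return pt_message(PT_VERSION_REQUEST, struct.pack("!BBBB", 0, min_v, max_v, pref_v), msg_id)

def respond_to_version(request, supported, msg_id=0):
    """Responder: take the initiator's preference if supported, else the highest supported version in range, else reply with a PT-TLS Error."""
    _vendor, msg_type, _id, value = parse_pt_message(request)
    if msg_type != PT_VERSION_REQUEST or len(value) != 4:
        raise ValueError("expected a Version Request")
    _r, min_v, max_v, pref_v = struct.unpack("!BBBB", value)
    if min_v > max_v or not (min_v <= pref_v <= max_v):
        raise ValueError("inconsistent version range")
    candidates = [v for v in supported if min_v <= v <= max_v]
    if not candidates:
        # Error value: Reserved(8) | Error Code Vendor ID(24) | Error Code(32) | copy of the offending header
        err = struct.pack("!II", PT_VENDOR_IETF, ERR_VERSION_NOT_SUPPORTED) + request[:16]
        return pt_message(PT_ERROR, err, msg_id), None
    chosen = pref_v if pref_v in candidates else max(candidates)
    return pt_message(PT_VERSION_RESPONSE, struct.pack("!I", chosen), msg_id), chosen  # Reserved(24)|Version(8)

def negotiate(initiator_range, responder_supported):
    """Run the first step of slide 36 end to end; returns the agreed version, or None if the responder sent an error."""
    req = version_request(*initiator_range)
    resp, chosen = respond_to_version(req, responder_supported)
    _v, msg_type, _id, _value = parse_pt_message(resp)
    return chosen if msg_type == PT_VERSION_RESPONSE else None

def wrap_batch(pb_tnc_batch, msg_id):
    """After negotiation each PB-TNC batch rides in a PT-TLS message of type PB-TNC Batch (slide 37)."""
    return pt_message(PT_PB_TNC_BATCH, pb_tnc_batch, msg_id)

SAMPLE_BATCH = bytes([2, 0, 0, 1, 0, 0, 0, 8])  # constructed: empty PB-TNC CDATA batch, version 2, length 8
```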

Slide 38: Features of PT-TLS
- Layered on established secure protocol (TLS)
  – No changes to TLS, only application data over it
- Compatible with TCG's IF-T/TLS
  – Same IPR grant as PA-TNC and PB-TNC
- Full Duplex
- High Bandwidth
- Congestion Controlled
- Easy to Implement using any TLS library
- Works over any IP network
- Extensible

Slide 39: Implementations of PT-TLS
- Fairly new spec
  – Announced May 2009
- Several implementations rumored but none publicly announced

Slide 40: Questions?

Slide 41: Discuss Proposed Milestone Updates

Slide 42: Proposed Revised Milestones
Done      Call for individual submissions for PT protocols
Jan 2010  Proposals for PT due
          Review and resolve proposals at interim meeting
Feb 2010  Post -00 WG version of PT protocols
Mar 2010  Review and resolve issues at IETF 77
Apr 2010  Post -01 version of PT protocols
Jun 2010  WGLC on PT protocols
Jul 2010  Resolve WGLC comments at IETF 78
Aug 2010  Post -02 version of PT protocols
Sep 2010  IETF LC for PT protocols