NEA Working Group, IETF 76, November 9, 2009. Co-chairs: Steve Hanna, Susan Thomson. (Presentation transcript)


Slide 1: NEA Working Group, IETF 76
Mailing list: nea-request@ietf.org
Working group page: http://tools.ietf.org/wg/nea
Co-chairs: Steve Hanna (shanna@juniper.net), Susan Thomson (sethomso@cisco.com)

Slide 2: Agenda Review
1740  Administrivia: blue sheets, Jabber and minute scribes, agenda bashing
1745  WG Status
1750  NEA Reference Model review
1755  Review of the process for soliciting proposals for the PT protocol
1800  Summary of changes in PA-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pa-tnc-06.txt
1805  Summary of changes in PB-TNC since last IETF: http://www.ietf.org/internet-drafts/draft-ietf-nea-pb-tnc-06.txt
1815  Conceptual overview of Posture Transport protocols
1930  Discuss proposed milestone update
1940  Adjourn

Slide 3: WG Status

Slide 4: WG Accomplishments since IETF 75
- Updated PA-TNC and PB-TNC to address IESG issues
- IESG has approved PA-TNC -06 I-D!
- Verifying consensus on PB-TNC changes (comments due by November 16); then IESG will approve PB-TNC
- IESG approved NEA charter update to work on PT
- Call for submissions for PT proposals (due by Jan 4)

Slide 5: Review of Process for PT
- Same process as for PA and PB
- Solicit individual submissions by Jan 4
- WG reviews proposals
- WG determines contents of -00 NEA WG I-Ds
- Normal IETF development process from there

Slide 6: NEA Reference Model

Slide 7: NEA Reference Model from RFC 5209 (figure)
- NEA Client: Posture Collectors, Posture Broker Client, Posture Transport Client
- NEA Server: Posture Validators, Posture Broker Server, Posture Transport Server
- Protocols between the two sides: Posture Attribute (PA) protocol, Posture Broker (PB) protocol, Posture Transport (PT) protocols

Slide 8: PA-TNC Within PB-TNC Within PT (figure)
PT
  PB-TNC Header (Batch-Type=CDATA)
    PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
      PA-TNC Message
        PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
        PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 9: Summary of Changes to PA-TNC

Slide 10: Summary of Changes in draft-ietf-nea-pa-tnc-05.txt
- Removed long discussion of TCG
- Removed PA-TNC field types
- Added language tag for remediation string
- Removed mention of previously proposed PA-TNC Security Protocol
- Fixes and clarifications

Slide 11: Summary of Changes in draft-ietf-nea-pa-tnc-06.txt
- Removed more references to PA-TNC Security Protocol
  – Added text on how PT security protects PA-TNC
- Changed IANA Considerations to match WG consensus
  – Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
- Fixes and clarifications

Slide 12: Summary of Changes to PB-TNC

Slide 13: WG Consensus Check Going Now
- Currently running WG consensus check on changes made in PB-TNC -05 and -06
- Please email nea@ietf.org with any comments by November 16
- Or bring up comments here (but please email also)

Slide 14: Summary of Changes in draft-ietf-nea-pb-tnc-05.txt
- Removed long discussion of TCG
  – Replaced with small acknowledgment
- Tightened up error handling
- Added CLOSE batch type (see next slide)
- Added additional PT requirements (see later slide)
- Added language tag for remediation string
- Changed language tag length to 8 bits
- Fixes and clarifications

Slide 15: New CLOSE Batch Type
- Previously, no CLOSE batch type
  – Fatal errors had to be sent in some other (inappropriate) batch type
  – Non-error close handled by closing transport
- Added explicit CLOSE batch type
  – Used for fatal errors and non-error close
  – No change to PB-TNC state machine

Slide 16: PB-TNC State Machine (FYI)
[State diagram; the ASCII art did not survive extraction.] States: Init, Server Working, Client Working, Decided, End. Transitions are labelled with the batch types CDATA, SDATA, RESULT, CRETRY, SRETRY and CLOSE, plus the events "Receive CRETRY" and "Receive SRETRY".

Slide 17: New PT Requirements from IESG
PT-6  The PT protocol MUST be connection oriented; it MUST support confirmed initiation and close down.
PT-7  The PT protocol MUST be able to carry binary data.
PT-8  The PT protocol MUST provide mechanisms for flow control and congestion control.
PT-9  PT protocol specifications MUST describe the capabilities that they provide for and limitations that they impose on the PB protocol (e.g. half/full duplex, maximum message size).

Slide 18: Summary of Changes in draft-ietf-nea-pb-tnc-06.txt
- Changed IANA Considerations to match WG consensus
  – Removed requirement for vendor-defined values to be clear and likely to ensure interoperability
- Fixes and clarifications

Slide 19: Conceptual Overview of PT protocols

Slide 20: PT-EAP Overview

Slide 21: What is PT-EAP?
- L2 PT proposal coming from TCG
  – Identical to TNC protocol EAP-TNC (aka IF-T Protocol Bindings for Tunneled EAP Methods)
- NEA exchange over tunneled EAP methods
  – Supports PEAP, EAP-TTLS, and EAP-FAST
  – No change to the tunneled EAP methods
- Meets all PT requirements

Slide 22: Why L2 PT?
- PT-4 says PT SHOULD be able to run over 802.1X or IKEv2
- Motivating use cases on next slide

Slide 23: Use Cases for PT-EAP
- NEA assessment on 802.1X network
  – Consider posture in network access decision
  – Isolate vulnerable endpoints during remediation
  – Block or quarantine infected endpoints
- NEA assessment during IKEv2 handshake
  – Assess posture before granting network access
  – Isolate vulnerable endpoints during remediation
  – Block or quarantine infected endpoints

Slide 24: PT-EAP Operation
- Runs as an inner EAP method
  – Can be chained with other EAP methods for user or endpoint authentication
  – Supports key derivation, allowing the inner method to be cryptographically tied to the tunnel
  – Supports fragmentation and reassembly, when needed
- Due to EAP limitations…
  – Only one packet in flight (half duplex)
  – Large data transfer not recommended

Slide 25: Three Phases of PT-EAP
1. Optional Diffie-Hellman pre-negotiation
   – Establishes initial key
2. PB-TNC exchange
   – NEA assessments
   – Hashed into eventual key
3. Key derivation and export

Slide 26: PT-EAP Sequence Diagram (figure)
Parties: EAP Peer, EAP Authenticator. Steps in order: EAP tunnel setup, optional D-H pre-negotiation, PB-TNC exchange.

Slide 27: PT-EAP Message Encapsulation (figure)
EAP Tunneled Method
  PT-EAP Message (EAP-Request or EAP-Response)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)

Slide 28: Features of PT-EAP
- EAP method
  – Designed for use with tunneled EAP methods
  – Supports key derivation and export to bind the method to the tunnel
- Compatible with TCG's EAP-TNC
  – Same IPR grant as PA-TNC and PB-TNC
- Half duplex (one packet in flight)
- Generally low bandwidth
- Simple congestion control (one packet in flight)
- Works over 802.1X and IKEv2 (since EAP does)
- Simple but extensible

Slide 29: Implementations of PT-EAP
- Several open source implementations
  – TNC@FHH
  – OpenSEA
  – wpa_supplicant
  – FreeRADIUS
  – libtnc
- Commercial implementations also

Slide 30: Questions?

Slide 31: PT-TLS Overview

Slide 32: What is PT-TLS?
- L3 PT proposal coming from TCG
  – Identical to TNC protocol IF-T Binding to TLS
- NEA exchange over TLS
  – Carried as application data
  – No change to TLS
- Meets all PT requirements

Slide 33: Why L3 PT?
- PT-5 says PT SHOULD be able to run over TCP or UDP
- Motivating use cases on next slide

Slide 34: Use Cases for PT-TLS
- NEA assessment on non-802.1X network
  – Legacy network
  – Remote access
- Large amount of data in NEA assessment
  – For example, installed packages
  – Unsuitable for EAP transport
- Posture re-assessment or monitoring after 802.1X assessment
- Application server needs to perform NEA assessment

Slide 35: Three Phases of PT-TLS
1. TLS handshake
   – Unmodified
2. Pre-negotiation
   – Version negotiation
   – Optional client authentication
3. Data transport
   – NEA assessments

Slide 36: PT-TLS Sequence Diagram (figure)
Parties: PT-TLS Initiator, PT-TLS Responder. Steps in order: TLS handshake, Version Request, Version Response, optional client authentication, PB-TNC exchange (repeated as needed), TLS closure alerts.

Slide 37: PT-TLS Message Encapsulation (figure)
TLS Record Protocol
  PT-TLS Message (Vendor ID=0, Type=PB-TNC Batch)
    PB-TNC Header (Batch-Type=CDATA)
      PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
        PA-TNC Message
          PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
          PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
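Slides 8, 27 and 37 all draw the same PB-TNC batch; only the outer PT framing (EAP method payload or TLS application data) differs. The Python below is an added example, not code from the slides or from any TCG or IETF reference implementation: it builds the CDATA batch from those slides, builds the CLOSE batch introduced on slide 15, and parses both back with the length checks a receiving Posture Broker needs before trusting any offset. Field layouts and code points (batch types 1-6, PB-PA = 1, OS subtype = 1, attribute types 2 and 3) are taken from the published RFC 5793 and RFC 5792; that the -06 drafts discussed here use the same layout is an assumption, the vendor and product identifiers are constructed sample values, and the outer PT-EAP/PT-TLS framing is left out.

```python
"""PA-TNC inside PB-TNC: encoder plus a length-checking parser (added example).
Layouts follow RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC); matching draft -06 is assumed.
"""
import struct
from typing import Dict, List

# PB-TNC (RFC 5793) constants
PB_VERSION = 2
PB_BATCH_CDATA, PB_BATCH_SDATA, PB_BATCH_RESULT = 1, 2, 3
PB_BATCH_CRETRY, PB_BATCH_SRETRY, PB_BATCH_CLOSE = 4, 5, 6
PB_MSG_PA = 1          # PB-TNC message type PB-PA (carries one PA-TNC message)
NOSKIP = 0x80          # Flags bit: recipient must not silently skip this item
# PA-TNC (RFC 5792) constants
PA_VERSION = 1
PA_SUBTYPE_OS = 1      # IETF PA subtype "Operating System"
PA_ATTR_PRODUCT_INFO = 2
PA_ATTR_NUMERIC_VERSION = 3
IETF_VENDOR_ID = 0


def pa_attribute(attr_type: int, value: bytes, vendor_id: int = IETF_VENDOR_ID) -> bytes:
    """Flags(8) | Vendor ID(24) | Attribute Type(32) | Length(32, incl. 12-byte header) | Value."""
    return struct.pack("!III", (NOSKIP << 24) | vendor_id, attr_type, 12 + len(value)) + value


def product_info(product_vendor_id: int, product_id: int, name: str) -> bytes:
    """Product Vendor ID(24) | Product ID(16) | Product Name (UTF-8, no terminator)."""
    return struct.pack("!I", product_vendor_id)[1:] + struct.pack("!H", product_id) + name.encode()


def numeric_version(major: int, minor: int, build: int, sp_major: int = 0, sp_minor: int = 0) -> bytes:
    """Major(32) | Minor(32) | Build(32) | Service Pack Major(16) | Service Pack Minor(16)."""
    return struct.pack("!IIIHH", major, minor, build, sp_major, sp_minor)


def pa_message(message_id: int, attributes: List[bytes]) -> bytes:
    """PA-TNC message: Version(8) | Reserved(24) | Message Identifier(32) | attributes."""
    return struct.pack("!II", PA_VERSION << 24, message_id) + b"".join(attributes)


def pb_pa_message(pa_subtype: int, collector_id: int, validator_id: int, pa_body: bytes) -> bytes:
    """PB-PA message: PB header(12) | Flags(8)+PA Vendor ID(24) | PA Subtype(32) |
    Posture Collector ID(16) | Posture Validator ID(16) | PA-TNC message."""
    value = struct.pack("!IIHH", IETF_VENDOR_ID, pa_subtype, collector_id, validator_id) + pa_body
    return struct.pack("!III", (NOSKIP << 24) | IETF_VENDOR_ID, PB_MSG_PA, 12 + len(value)) + value


def pb_batch(batch_type: int, messages: List[bytes], from_server: bool = False) -> bytes:
    """PB-TNC batch: Version(8) | D(1) Reserved(19) B-Type(4) | Batch Length(32) | messages."""
    body = b"".join(messages)
    word = (PB_VERSION << 24) | (int(from_server) << 23) | (batch_type & 0x0F)
    return struct.pack("!II", word, 8 + len(body)) + body


def parse_pa_message(body: bytes) -> List[Dict]:
    """Walk the PA-TNC attribute list, refusing any length that does not fit the buffer."""
    if len(body) < 8 or body[0] != PA_VERSION:
        raise ValueError("bad PA-TNC message header")
    attrs, off = [], 8
    while off < len(body):
        if len(body) - off < 12:
            raise ValueError("truncated PA-TNC attribute header")
        word, atype, alen = struct.unpack("!III", body[off:off + 12])
        if alen < 12 or off + alen > len(body):
            raise ValueError("PA-TNC attribute length out of range")
        attrs.append({"vendor_id": word & 0xFFFFFF, "type": atype, "value": body[off + 12:off + alen]})
        off += alen
    return attrs


def parse_batch(data: bytes) -> Dict:
    """Parse a PB-TNC batch; every length field is validated before it is used as an offset."""
    if len(data) < 8:
        raise ValueError("short batch header")
    word, batch_len = struct.unpack("!II", data[:8])
    if word >> 24 != PB_VERSION or not 1 <= (word & 0x0F) <= 6:
        raise ValueError("bad PB-TNC version or batch type")
    if batch_len != len(data):
        raise ValueError("batch length does not match data")
    batch = {"type": word & 0x0F, "from_server": bool((word >> 23) & 1), "messages": []}
    off = 8
    while off < batch_len:
        if batch_len - off < 12:
            raise ValueError("truncated PB-TNC message header")
        mword, mtype, mlen = struct.unpack("!III", data[off:off + 12])
        if mlen < 12 or off + mlen > batch_len:
            raise ValueError("PB-TNC message length out of range")
        msg = {"vendor_id": mword & 0xFFFFFF, "type": mtype}
        value = data[off + 12:off + mlen]
        if msg["vendor_id"] == IETF_VENDOR_ID and mtype == PB_MSG_PA:
            if len(value) < 12:
                raise ValueError("short PB-PA message")
            vword, subtype, coll, val = struct.unpack("!IIHH", value[:12])
            msg.update(pa_vendor_id=vword & 0xFFFFFF, subtype=subtype, collector=coll,
                       validator=val, attributes=parse_pa_message(value[12:]))
        batch["messages"].append(msg)
        off += mlen
    return batch


def slide8_batch() -> bytes:
    """The CDATA batch drawn on slide 8: PB-PA(OS) -> PA-TNC -> Product Info + Numeric Version.
    Vendor id 311 and product id 0 are constructed sample values, not real registry entries."""
    attrs = [pa_attribute(PA_ATTR_PRODUCT_INFO, product_info(311, 0, "Windows XP")),
             pa_attribute(PA_ATTR_NUMERIC_VERSION, numeric_version(5, 3, 0))]
    pa = pa_message(message_id=1, attributes=attrs)
    return pb_batch(PB_BATCH_CDATA, [pb_pa_message(PA_SUBTYPE_OS, 1, 0, pa)])


def close_batch(from_server: bool) -> bytes:
    """The CLOSE batch added in PB-TNC -05 (slide 15); it may carry no messages at all."""
    return pb_batch(PB_BATCH_CLOSE, [], from_server)


if __name__ == "__main__":
    print(parse_batch(slide8_batch()))
    print(parse_batch(close_batch(from_server=True)))
```

The parser rejects a batch whose inner length fields disagree with the enclosing buffer, which is the class of malformed input a Posture Broker answers with a PB-Error rather than by reading past the end of the batch.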

Slide 38: Features of PT-TLS
- Layered on established secure protocol (TLS)
  – No changes to TLS, only application data over it
- Compatible with TCG's IF-T/TLS
  – Same IPR grant as PA-TNC and PB-TNC
- Full duplex
- High bandwidth
- Congestion controlled
- Easy to implement using any TLS library
- Works over any IP network
- Extensible

Slide 39: Implementations of PT-TLS
- Fairly new spec
  – Announced May 2009
- Several implementations rumored but none publicly announced

Slide 40: Questions?

Slide 41: Discuss Proposed Milestone Updates

Slide 42: Proposed Revised Milestones
Done      Call for individual submissions for PT protocols
Jan 2010  Proposals for PT due; review and resolve proposals at interim meeting
Feb 2010  Post -00 WG version of PT protocols
Mar 2010  Review and resolve issues at IETF 77
Apr 2010  Post -01 version of PT protocols
Jun 2010  WGLC on PT protocols
Jul 2010  Resolve WGLC comments at IETF 78
Aug 2010  Post -02 version of PT protocols
Sep 2010  IETF LC for PT protocols
