NEA Working Group IETF 72 - PowerPoint PPT Presentation

About This Presentation

Title:

NEA Working Group IETF 72

Description:

Integrate semantics into PB-TNC Header's Posture Collector ID (PC ID) ... PA-TNC Remediation Attribute allows PV to provide repair instructions to PC ... – PowerPoint PPT presentation

Number of Views:19

Avg rating:3.0/5.0

Slides: 36

Provided by: CiscoSys8

Learn more at: https://www.ietf.org

Category:

more less

Transcript and Presenter's Notes

Title: NEA Working Group IETF 72

1
NEA Working GroupIETF 72

nea-request_at_ietf.org
http//tools.ietf.org/wg/nea
Co-chairs Steve Hanna shanna_at_juniper.net
Susan Thomson sethomso_at_cisco.com

2
Agenda Review

0900 Administrivia
Blue Sheets
Jabber Minute scribes
Agenda bashing
0905 WG Status
0910 Protocol Overview
0915 Changes in -01 version of PB-TNC and PA-TNC
http//www.ietf.org/internet-drafts/draft-ietf-n
ea-pa-tnc-01.txt
http//www.ietf.org/internet-drafts/draft-ietf-n
ea-pb-tnc-01.txt
0930 Protocol Flows
1015 Proposed Changes in -02 version of PB-TNC
and PA-TNC
1100 Open Discussion
1125 Review Milestones
1130 Adjourn

3
WG Accomplishments since IETF71

Consensus Check on PA-TNC, PB-TNC as WG docs (Mar
2008)
PA-TNC and PB-TNC -00 I-D (April 2008)
WG Last Call for NEA requirements (April 2008)
NEA Requirements published as RFC 5209 (May 2008)
PA-TNC and PB-TNC -01 I-D (July 2008)
http//www.ietf.org/internet-drafts/draft-ietf-ne
a-pa-tnc-01.txt
http//www.ietf.org/internet-drafts/draft-ietf-ne
a-pb-tnc-01.txt

4
NEA Protocol Overview
5
NEA Reference Modelfrom RFC 5209
NEA Client
NEA Server
Posture Attribute (PA) protocol
Posture Collectors
Posture Validators
Posture Broker (PB) protocol
Posture Broker Client
Posture Broker Server
Posture Transport Client
Posture Transport Server
Posture Transport (PT) protocols
6
PA-TNC Within PB-TNC
PT
PB-TNC Header
PB-TNC Message (TypePB-Batch-Type,
Batch-TypeCDATA)
PB-TNC Message (TypePB-PA, PA Vendor ID0, PA
Subtype OS)
PA-TNC Message
PA-TNC Attribute (TypeProduct Info, Product
IDWindows XP)
PA-TNC Attribute (TypeNumeric Version, Major5,
Minor3, ...)
7
Changes in PB-TNC , PA-TNC Version -01
8
Changes in -01 versions ofPB-TNC and PA-TNC

Steve Hanna ltshanna_at_juniper.netgt
Kaushik Narayan ltkaushik_at_cisco.comgt
IETF 72

9
Common changes

Scaled back text on TCG/TNC
Added Design Considerations
Added evaluation for Requirement C-11
Added Appendix A (flows/use cases)
Added Kaushik Narayan as co-editor

10
Changes only in PB-TNC -01

MUST send error if message len lt 12

11
PB-TNC Design Considerations (Section 2)

Efficiency
Binary TLVs
Vendor ID
SMI PEN, assigned by IANA
Avoids collisions between vendor-defined values
IETF Standard values use Vendor ID 0
Two Choices for Message Addressing
PB-TNC Message Type (when EXPL 0)
PVs and PCs Subscribe To Message Types
Message Type PB-TNC Vendor ID PA Subtype
Explicit Delivery (when EXPL 1)
PBC/PBS delivers message only to one PC/PV
PC/PV identified by PC ID or PV ID field

12
Changes only in PA-TNC -01

Added Field Types
Defines commonly used primitive types in the
value field of attributes.
Types include
OctetArray (Binary data)
Integer (32 bit unsigned integer)
String (UTF-8 encoded Octet Array)
IPv4Address
IPv6Address
TimeString (UTC, RFC3339 compliant string)
VersionNum (64 bit value with major minor
version)

13
PA-TNC Design Considerations (Section 2)

Standard attribute namespace
Standard PA sub-types and attributes to enable
multi-vendor interoperability.
Vendor specific namespace
Vendor specific PA sub-types and attributes to
enable vendor differentiation and agility
TLV encoding
Binary encoding to optimize for bits-on-the-wire
and CPU utilization.

14
NEA Protocol Flows
15
Proposed Changes in PB-TNC, PA-TNC Version -02
16
Proposed updates toPosture Broker
protocoldraft-ietf-nea-pb-tnc-01.txt Ravi
SahitaIETF 72 NEA WGJuly 31, 2008
17
Outline of proposed changes to NEA Posture Broker
protocol

Simplification items
New proposed changes
Protocol changes to allow unsolicited retries
Evaluation results

18
Simplification Reduce Message Types

Move PB-Batch-Type into PB-TNC header
PB-Batch-Type carried with every batch

0 1 2
3 0 1 2 3 4 5 6 7 8 9 0 1 2
3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-------------------------
------- VersionD Reserved
Batch Type
-------------------------
------- Batch
Length
-------------------------
-------
19
Proposed Addition of unsolicited retries to
Posture Broker Protocol

Allow Unsolicited Retry from NEA Client or Server
at any time (if PT allows)
Support matching requests to response messages by
adding a Message Id to the protocol
Update error reporting parameters message to
allow indicating erroneous message by specifying
Message Id
See updated state machine on next slide

20
Posture Broker - Updated State Machine
21
Proposed Addition of Global Assessment Decision

Indicates posture assessment result to the
posture broker client
Does not replace Access-Recommendation message
type
Suggested Values
Compliant
Non-compliant
Non-compliant major issue
Error
Dont Know Result

22
Proposed updates toPosture Attribute
protocoldraft-ietf-nea-pa-tnc-01.txt Paul
SangsterIETF 72 NEA WGJuly 31, 2008
23
PA-TNC Proposed Changes

New Approach to Attribute Correlation
Add PA-TNC Assessment Result Attribute
Add PA-TNC Remediation Attribute

24
Correlation ID

Correlation ID
Only used when PC reports posture on multiple
implementations of component
ID allows PV to associate attributes describing
same implementation
Attributes are atomic so PV needs to know which
implementation associated with attribute (e.g.
which AV has version 1.2.3?)
Not expected to be the common case

25
Proposed New Approach to Correlation

Proposal
Remove PA-TNC Correlation ID
Integrate semantics into PB-TNC Headers Posture
Collector ID (PC ID)
PC ID is source identifier for use by PV
Now some PCs might have multiple PC IDs
Each component implementation needs separate
PA-TNC message (with different PC IDs)
PV doesnt know that single PC supporting
multiple implementations of same component
Both appear as separate PCs
PC associates different PC IDs with different
implementations of same component type

26
Before Correlation Change
PT
PB-TNC Header
PB-TNC Message TLV (TypePB-Batch-Type,
Batch-TypeCDATA)
PB-TNC Message TLV (TypePB-PA, PA Vendor0, PA
SubtypeOS)
PB-PA TNC Header
PA-TNC Attribute TLV (TypeProd Info, Prod
IDNorton AV, C1)
PA-TNC Attribute TLV (TypeNumeric Version,
Maj5, Min3, C1)
PA-TNC Attribute TLV (TypeProd Info, Prod
IDMcAfee AV, C2)
PA-TNC Attribute TLV (TypeNumeric Version,
Maj1, Min2, C2)
27
After Correlation Change
PT
PB-TNC Header
PB-TNC Message TLV (TypePB-Batch-Type,
Batch-TypeCDATA)
PB-TNC Message TLV (TypePB-PA, PA Vendor0, PA
SubtypeOS)
PB-PA TNC Header
PA-TNC Attribute TLV (TypeProd Info, Prod
IDNorton AV)
-4B
PA-TNC Attribute TLV (TypeNumeric Version,
Maj5, Min3)
-4B
PB-TNC Message TLV (TypePB-PA, PA Vendor0, PA
SubtypeOS)
12B
PB-PA TNC Header
12B
PA-TNC Attribute TLV (TypeProd Info, Prod
IDMcAfee AV)
-4B
PA-TNC Attribute TLV (TypeNumeric Version,
Maj1, Min2)
-4B
28
Correlation ID Trade-Off

Benefit
Simplifies PA-TNC Attribute Header
Removes optional Attribute Header field and flag
Less bits on wire when many attributes sent for
same component (more common case)
Cost
Attributes about each implementation must be in
separate PB-TNC messages
More bits on wire when fewer attributes for
multiple products reported (less common case)
Potentially more complex PBC, PBS implementation

29
Proposed Addition of Assessment Result Attribute

PA Result Attribute conveys PVs compliance
decision about component
Not mandatory to send
Largely informational for Posture Collector
Posture Collector would learn if assessment was
deemed compliant only for its peer Posture
Validator
Could be accompanied by new Remediation Attribute

30
Proposed Addition of Remediation Attribute