Endpoint Compliance via PT-TLS Protocol¶

• Table of contents
• Endpoint Compliance via PT-TLS Protocol
  • Starting the strongSwan Policy Decision Point (PDP)
  • PT-TLS Connection by Access Requestor "carol"
    • Supported TLS 1.0, 1.1 and 1.2 Cipher Suites
    • TLS Connection Setup
    • PT-TLS Negotiation
    • SASL Password-based Client Authentication
    • PT-TLS Transport Phase
    • IF-IMV 1.4 AR Identity
    • Operating System Information
    • Device Identity
    • Policy Manager generating Workitem List
    • Sending SWID Request
    • Receiving SWID Tag Identifier Inventory
    • Human-Readable SWID Tag Identifiers
    • Policy Manager integrating Measurement Results
    • Closing PT-TLS Connection
  • PT-TLS Connection by Access Requestor "dave"
    • TLS Connection Setup
    • PT-TLS Negotiation
    • TLS Certificate-based Client Authentication
    • PT-TLS Transport Phase
    • IF-IMV 1.4 AR Identity
    • Operating System Information
    • Device Identity
    • Policy Manager generating Workitem List
    • Sending SWID Request
    • Receiving SWID Tag Inventory
    • Human-Readable SWID Tags
    • Policy Manager integrating Measurement Results
    • Closing PT-TLS Connection
  • Terminating the strongSwan Policy Decision Point
  • PT-TLS Configuration Parameters

Starting the strongSwan Policy Decision Point (PDP)¶

The strongSwan PDP starts and loads its server certificate and the client credentials

00[DMN] Starting IKE charon daemon (strongSwan 5.2.0dr1, Linux 3.13.5, x86_64)
00[LIB] openssl FIPS mode(0) - disabled 
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG]   loaded EAP secret for carol
00[CFG]   loaded EAP secret for dave 

Next the OS and SWID IMVs are loaded

00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] added TCG attributes
00[LIB] libpts initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'

The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads

00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'

PT-TLS Connection by Access Requestor "carol"¶

04[TNC] accepting PT-TLS stream from 192.168.0.100

Supported TLS 1.0, 1.1 and 1.2 Cipher Suites¶

04[TLS] 36 supported TLS cipher suites:
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
04[TLS]   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
04[TLS]   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
04[TLS]   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS]   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
04[TLS]   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
04[TLS]   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS]   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
04[TLS]   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
04[TLS]   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
04[TLS]   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS]   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS]   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS]   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS]   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS]   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS]   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA
04[TLS]   TLS_RSA_WITH_AES_128_CBC_SHA256
04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA
04[TLS]   TLS_RSA_WITH_AES_256_CBC_SHA256
04[TLS]   TLS_RSA_WITH_AES_128_GCM_SHA256
04[TLS]   TLS_RSA_WITH_AES_256_GCM_SHA384
04[TLS]   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS]   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS]   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS]   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS]   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
04[TLS]   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS]   TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS Connection Setup¶

03[TNC] entering PT-TLS negotiation phase
03[TLS] processing TLS Handshake record (124 bytes)
03[TLS] received TLS ClientHello handshake (120 bytes)
03[TLS] received TLS 'signature algorithms' extension
03[TLS] received TLS 'elliptic curves' extension
03[TLS] received TLS 'ec point formats' extension
03[TLS] received TLS 'server name' extension
03[TLS] received 2 TLS cipher suites:
03[TLS]   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
03[TLS]   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
03[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The strongSwan TLS stack supports the high-performance TLS 1.2 AES-GCM cipher suites via the openssl plugin. The AEAD crypto operations are automatically laccelerated if the Intel AES-NI instruction set is available on the target processor.

03[TLS] sending TLS ServerHello handshake (54 bytes)
03[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
03[TLS] sending TLS Certificate handshake (1066 bytes)
03[TLS] selected ECDH group SECP256R1
03[TLS] created signature with SHA256/RSA
03[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
03[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
03[TLS] sending TLS CertificateRequest handshake (102 bytes)
03[TLS] sending TLS ServerHelloDone handshake (0 bytes)
03[TLS] sending TLS Handshake record (1571 bytes)
03[TLS] processing TLS Handshake record (77 bytes)
03[TLS] received TLS Certificate handshake (3 bytes)
03[TLS] received TLS ClientKeyExchange handshake (66 bytes)
03[TLS] processing TLS ChangeCipherSpec record (1 bytes)
03[TLS] processing TLS Handshake record (40 bytes)
03[TLS] received TLS Finished handshake (12 bytes)
03[TLS] sending TLS ChangeCipherSpec record (1 bytes)
03[TLS] sending TLS Finished handshake (12 bytes)
03[TLS] sending TLS Handshake record (40 bytes)

PT-TLS Negotiation¶

03[TLS] processing TLS ApplicationData record (44 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (44 bytes)
03[TNC] negotiated PT-TLS version 1

SASL Password-based Client Authentication¶

03[TNC] doing SASL client authentication
03[TNC] offering SASL PLAIN
03[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (22 bytes)
03[TLS] sending TLS ApplicationData record (46 bytes)
03[TLS] processing TLS ApplicationData record (61 bytes)
03[TNC] received PT-TLS message #1 of type 'SASL Mechanism Selection' (37 bytes)
03[TNC] client starts SASL PLAIN authentication
03[TNC] SASL PLAIN authentication successful
03[TNC] SASL client identity is 'carol'
03[TNC] sending PT-TLS message #2 of type 'SASL Result' (17 bytes)
03[TLS] sending TLS ApplicationData record (41 bytes)
03[TNC] sending PT-TLS message #3 of type 'SASL Mechanisms' (16 bytes)
03[TLS] sending TLS ApplicationData record (40 bytes)

PT-TLS Transport Phase¶

03[TNC] entering PT-TLS data transport phase

IF-IMV 1.4 AR Identity¶

11[TLS] processing TLS ApplicationData record (299 bytes)
11[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (275 bytes)
11[TNC] assigned TNCCS Connection ID 1
11[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV]   over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV]   user AR identity 'carol' authenticated by password
11[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV]   over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV]   user AR identity 'carol' authenticated by password
11[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
11[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'

11[TNC] received TNCCS batch (259 bytes) for Connection ID 1
11[TNC] PB-TNC state transition from 'Init' to 'Server Working'
11[TNC] processing PB-TNC CDATA batch
11[TNC] processing IETF/PB-Language-Preference message (31 bytes)
11[TNC] processing IETF/PB-PA message (220 bytes)
11[TNC] setting language preference to 'en'

11[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
11[IMV] => 196 bytes @ 0x6f09d0
11[IMV]    0: 01 00 00 00 B4 0C 4B 59 00 00 00 00 00 00 00 02  ......KY........
11[IMV]   16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00  .....%r..Debian.
11[IMV]   32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 34 20  ............7.4 
11[IMV]   48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03  x86_64..........
11[IMV]   64: 00 00 00 1C 00 00 00 07 00 00 00 04 00 00 00 00  ................
11[IMV]   80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24  ...............$
11[IMV]   96: 03 01 00 00 32 30 31 34 2D 30 34 2D 31 30 54 30  ....2014-04-10T0
11[IMV]  112: 38 3A 31 32 3A 31 33 5A 00 00 00 00 00 00 00 0B  8:12:13Z........
11[IMV]  128: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0C  ................
11[IMV]  144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08  ...........*....
11[IMV]  160: 00 00 00 2C 65 64 33 32 64 63 37 63 31 65 62 33  ...,ed32dc7c1eb3
11[IMV]  176: 32 38 65 66 30 61 63 63 30 65 34 63 35 33 34 35  28ef0acc0e4c5345
11[IMV]  192: 62 38 65 34                                      b8e4
11[TNC] processing PA-TNC message with ID 0xb40c4b59
11[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
11[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
11[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
11[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
11[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
11[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
11[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

Operating System Information¶

11[IMV] operating system name is 'Debian' from vendor Debian Project
11[IMV] operating system version is '7.4 x86_64'
11[IMV] operating system numeric version is 7.4
11[IMV] operational status: operational, result: successful
11[IMV] last boot: Apr 10 08:12:13 UTC 2014
11[IMV] IPv4 forwarding is disabled
11[IMV] factory default password is disabled

Device Identity¶

11[IMV] device ID is ed32dc7c1eb328ef0acc0e4c5345b8e4

Policy Manager generating Workitem List¶

This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.

11[IMV] assigned session ID 2 to Connection ID 1
11[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager start
11[IMV] policy: imv_policy_manager start successful
11[IMV] policy: No leaks detected, 11 suppressed by whitelist

Available workitems generated by the Policy Manager

11[IMV] FMEAS workitem 1
11[IMV] FMEAS workitem 2
11[IMV] FWDEN workitem 3
11[IMV] FMEAS workitem 4
11[IMV] FMETA workitem 5
11[IMV] SWIDT workitem 6
11[IMV] TCPOP workitem 7
11[IMV] UDPOP workitem 8

Assessment Result generated by the OS IMV

11[IMV] IMV 1 handles FWDEN workitem 3
11[IMV] IMV 1 handled FWDEN workitem 3: allow - forwarding not enabled
11[TNC] creating PA-TNC message with ID 0x4abaf071
11[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
11[IMV] created PA-TNC message: => 24 bytes @ 0x729180
11[IMV]    0: 01 00 00 00 4A BA F0 71 00 00 00 00 00 00 00 09  ....J..q........
11[IMV]   16: 00 00 00 10 00 00 00 00                          ........
11[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[TNC] IMV 1 provides recommendation 'allow' and evaluation 'compliant'

Sending SWID Request¶

11[IMV] IMV 2 handles SWIDT workitem 6
11[IMV] IMV 2 issues SWID request 6
11[TNC] creating PA-TNC message with ID 0x551f2e1f
11[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
11[IMV] created PA-TNC message: => 32 bytes @ 0x6efce0
11[IMV]    0: 01 00 00 00 55 1F 2E 1F 00 00 55 97 00 00 00 11  ....U.....U.....
11[IMV]   16: 00 00 00 18 01 00 00 00 00 00 00 06 00 00 00 00  ................
11[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
11[TNC] creating PB-TNC SDATA batch
11[TNC] adding IETF/PB-PA message
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC SDATA batch (112 bytes) for Connection ID 1
11[TNC] sending PT-TLS message #4 of type 'PB-TNC Batch' (128 bytes)
11[TLS] sending TLS ApplicationData record (152 bytes)

Receiving SWID Tag Identifier Inventory¶

12[TLS] processing buffered TLS ApplicationData record (16408 bytes)
12[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (27320 bytes)
12[TLS] processing buffered TLS ApplicationData record (10960 bytes)
12[TNC] received TNCCS batch (27304 bytes) for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing PB-TNC CDATA batch
12[TNC] processing IETF/PB-PA message (27296 bytes)

12[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
12[IMV] => 27272 bytes @ 0x753db0
12[IMV]    0: 01 00 00 00 4A AA D6 A9 00 00 55 97 00 00 00 12  ....J.....U.....
12[IMV]   16: 00 00 6A 80 00 00 01 6A 00 00 00 06 07 D2 01 F4  ..j....j........
12[IMV]   32: 00 00 00 01 00 1C 72 65 67 69 64 2E 32 30 30 34  ......regid.2004
12[IMV]   48: 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77  -03.org.strongsw
12[IMV]   64: 61 6E 00 2B 64 65 62 69 61 6E 5F 37 2E 34 2D 78  an.+debian_7.4-x
12[IMV]   80: 38 36 5F 36 34 2D 61 63 70 69 2D 73 75 70 70 6F  86_64-acpi-suppo
12[IMV]   96: 72 74 2D 62 61 73 65 2D 30 2E 31 34 30 2D 35 00  rt-base-0.140-5.
12[IMV]  112: 00 00 1C 72 65 67 69 64 2E 32 30 30 34 2D 30 33  ...regid.2004-03
12[IMV]  128: 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E 00  .org.strongswan.
12[IMV]  144: 29 64 65 62 69 61 6E 5F 37 2E 34 2D 78 38 36 5F  )debian_7.4-x86_
12[IMV]  160: 36 34 2D 61 63 70 69 64 2D 31 3A 32 2E 30 2E 31  64-acpid-1:2.0.1
12[IMV]  176: 36 2D 31 2B 64 65 62 37 75 31 00 00 00 1C 72 65  6-1+deb7u1....re
12[IMV]  192: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E  gid.2004-03.org.
12[IMV]  208: 73 74 72 6F 6E 67 73 77 61 6E 00 24 64 65 62 69  strongswan.$debi
12[IMV]  224: 61 6E 5F 37 2E 34 2D 78 38 36 5F 36 34 2D 61 64  an_7.4-x86_64-ad
12[IMV]  240: 64 75 73 65 72 2D 33 2E 31 31 33 2B 6E 6D 75 33  duser-3.113+nmu3
12[IMV]  256: 00 00 00 1C 72 65 67 69 64 2E 32 30 30 34 2D 30  ....regid.2004-0
12[IMV]  272: 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E  3.org.strongswan
12[IMV]  288: 00 2A 64 65 62 69 61 6E 5F 37 2E 34 2D 78 38 36  .*debian_7.4-x86
12[IMV]  304: 5F 36 34 2D 61 70 61 63 68 65 32 2D 32 2E 32 2E  _64-apache2-2.2.
12[IMV]  320: 32 32 2D 31 33 2B 64 65 62 37 75 31 00 00 00 1C  22-13+deb7u1....
12[IMV]  336: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72  regid.2004-03.or
12[IMV]  352: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 00 35 64 65  g.strongswan.5de
12[IMV]  368: 62 69 61 6E 5F 37 2E 34 2D 78 38 36 5F 36 34 2D  bian_7.4-x86_64-
12[IMV]  384: 61 70 61 63 68 65 32 2D 6D 70 6D 2D 77 6F 72 6B  apache2-mpm-work
12[IMV]  400: 65 72 2D 32 2E 32 2E 32 32 2D 31 33 2B 64 65 62  er-2.2.22-13+deb
12[IMV]  416: 37 75 31 00 00 00 1C 72 65 67 69 64 2E 32 30 30  7u1....regid.200
12[IMV]  432: 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73  4-03.org.strongs
12[IMV]  448: 77 61 6E 00 30 64 65 62 69 61 6E 5F 37 2E 34 2D  wan.0debian_7.4-
12[IMV]  464: 78 38 36 5F 36 34 2D 61 70 61 63 68 65 32 2D 75  x86_64-apache2-u
12[IMV]  480: 74 69 6C 73 2D 32 2E 32 2E 32 32 2D 31 33 2B 64  tils-2.2.22-13+d
12[IMV]  496: 65 62 37 75 31 00 00 00 1C 72 65 67 69 64 2E 32  eb7u1....regid.2
12[IMV]  512: 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E  004-03.org.stron
12[IMV]  528: 67 73 77 61 6E 00 30 64 65 62 69 61 6E 5F 37 2E  gswan.0debian_7.
12[IMV]  544: 34 2D 78 38 36 5F 36 34 2D 61 70 61 63 68 65 32  4-x86_64-apache2
12[IMV]  560: 2E 32 2D 62 69 6E 2D 32 2E 32 2E 32 32 2D 31 33  .2-bin-2.2.22-13
12[IMV]  576: 2B 64 65 62 37 75 31 00 00 00 1C 72 65 67 69 64  +deb7u1....regid
12[IMV]  592: 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72  .2004-03.org.str
12[IMV]  608: 6F 6E 67 73 77 61 6E 00 33 64 65 62 69 61 6E 5F  ongswan.3debian_
12[IMV]  624: 37 2E 34 2D 78 38 36 5F 36 34 2D 61 70 61 63 68  7.4-x86_64-apach
12[IMV]  640: 65 32 2E 32 2D 63 6F 6D 6D 6F 6E 2D 32 2E 32 2E  e2.2-common-2.2.
12[IMV]  656: 32 32 2D 31 33 2B 64 65 62 37 75 31 00 00 00 1C  22-13+deb7u1....
...
12[IMV] 26736: 00 00 00 1C 72 65 67 69 64 2E 32 30 30 34 2D 30  ....regid.2004-0
12[IMV] 26752: 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E  3.org.strongswan
12[IMV] 26768: 00 26 64 65 62 69 61 6E 5F 37 2E 34 2D 78 38 36  .&debian_7.4-x86
12[IMV] 26784: 5F 36 34 2D 77 67 65 74 2D 31 2E 31 33 2E 34 2D  _64-wget-1.13.4-
12[IMV] 26800: 33 2B 64 65 62 37 75 31 00 00 00 1C 72 65 67 69  3+deb7u1....regi
12[IMV] 26816: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74  d.2004-03.org.st
12[IMV] 26832: 72 6F 6E 67 73 77 61 6E 00 27 64 65 62 69 61 6E  rongswan.'debian
12[IMV] 26848: 5F 37 2E 34 2D 78 38 36 5F 36 34 2D 77 68 69 70  _7.4-x86_64-whip
12[IMV] 26864: 74 61 69 6C 2D 30 2E 35 32 2E 31 34 2D 31 31 2E  tail-0.52.14-11.
12[IMV] 26880: 31 00 00 00 1C 72 65 67 69 64 2E 32 30 30 34 2D  1....regid.2004-
12[IMV] 26896: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61  03.org.strongswa
12[IMV] 26912: 6E 00 30 64 65 62 69 61 6E 5F 37 2E 34 2D 78 38  n.0debian_7.4-x8
12[IMV] 26928: 36 5F 36 34 2D 78 7A 2D 75 74 69 6C 73 2D 35 2E  6_64-xz-utils-5.
12[IMV] 26944: 31 2E 31 61 6C 70 68 61 2B 32 30 31 32 30 36 31  1.1alpha+2012061
12[IMV] 26960: 34 2D 32 00 00 00 1C 72 65 67 69 64 2E 32 30 30  4-2....regid.200
12[IMV] 26976: 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73  4-03.org.strongs
12[IMV] 26992: 77 61 6E 00 28 64 65 62 69 61 6E 5F 37 2E 34 2D  wan.(debian_7.4-
12[IMV] 27008: 78 38 36 5F 36 34 2D 7A 6C 69 62 31 67 2D 31 3A  x86_64-zlib1g-1:
12[IMV] 27024: 31 2E 32 2E 37 2E 64 66 73 67 2D 31 33 00 00 00  1.2.7.dfsg-13...
12[IMV] 27040: 1C 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F  .regid.2004-03.o
12[IMV] 27056: 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E 00 2C 64  rg.strongswan.,d
12[IMV] 27072: 65 62 69 61 6E 5F 37 2E 34 2D 78 38 36 5F 36 34  ebian_7.4-x86_64
12[IMV] 27088: 2D 7A 6C 69 62 31 67 2D 64 65 76 2D 31 3A 31 2E  -zlib1g-dev-1:1.
12[IMV] 27104: 32 2E 37 2E 64 66 73 67 2D 31 33 00 00 00 1C 72  2.7.dfsg-13....r
12[IMV] 27120: 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67  egid.2004-03.org
12[IMV] 27136: 2E 73 74 72 6F 6E 67 73 77 61 6E 00 13 73 74 72  .strongswan..str
12[IMV] 27152: 6F 6E 67 53 77 61 6E 2D 35 2D 32 2D 30 64 72 31  ongSwan-5-2-0dr1
12[IMV] 27168: 00 66 2F 75 73 72 2F 6C 6F 63 61 6C 2F 73 68 61  .f/usr/local/sha
12[IMV] 27184: 72 65 2F 72 65 67 69 64 2E 32 30 30 34 2D 30 33  re/regid.2004-03
12[IMV] 27200: 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E 2F  .org.strongswan/
12[IMV] 27216: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72  regid.2004-03.or
12[IMV] 27232: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 5F 73 74 72  g.strongswan_str
12[IMV] 27248: 6F 6E 67 53 77 61 6E 2D 35 2D 32 2D 30 64 72 31  ongSwan-5-2-0dr1
12[IMV] 27264: 2E 73 77 69 64 74 61 67                          .swidtag
12[TNC] processing PA-TNC message with ID 0x4aaad6a9
12[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Identifier Inventory' 0x005597/0x00000012

Human-Readable SWID Tag Identifiers¶

12[IMV] received SWID tag ID inventory for request 6 at eid 1 of epoch 0x07d201f4
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-acpi-support-base-0.140-5
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-acpid-1:2.0.16-1+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-adduser-3.113+nmu3
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-2.2.22-13+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-mpm-worker-2.2.22-13+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2-utils-2.2.22-13+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2.2-bin-2.2.22-13+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-apache2.2-common-2.2.22-13+deb7u1
...
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-wget-1.13.4-3+deb7u1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-whiptail-0.52.14-11.1
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-xz-utils-5.1.1alpha+20120614-2
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-zlib1g-1:1.2.7.dfsg-13
12[IMV]   regid.2004-03.org.strongswan_debian_7.4-x86_64-zlib1g-dev-1:1.2.7.dfsg-13
12[IMV]   regid.2004-03.org.strongswan_strongSwan-5-2-0dr1

112[IMV] IMV 2 handled SWIDT workitem 6: allow - received inventory of 362 SWID tag IDs
12[TNC] creating PA-TNC message with ID 0x6dd65b3a
12[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
12[IMV] created PA-TNC message: => 24 bytes @ 0x730390
12[IMV]    0: 01 00 00 00 6D D6 5B 3A 00 00 00 00 00 00 00 09  ....m.[:........
12[IMV]   16: 00 00 00 10 00 00 00 00                          ........
12[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'

Policy Manager integrating Measurement Results¶

12[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager stop
12[IMV] policy: imv_policy_manager stop successful

12[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Allowed'
12[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Allowed'
12[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
12[TNC] creating PB-TNC RESULT batch
12[TNC] adding IETF/PB-PA message
12[TNC] adding IETF/PB-Assessment-Result message
12[TNC] adding IETF/PB-Access-Recommendation message
12[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 1
12[TNC] sending PT-TLS message #5 of type 'PB-TNC Batch' (104 bytes)
12[TLS] sending TLS ApplicationData record (128 bytes)

Closing PT-TLS Connection¶

13[TLS] processing TLS ApplicationData record (48 bytes)
13[TNC] received PT-TLS message #4 of type 'PB-TNC Batch' (24 bytes)
13[TNC] received TNCCS batch (8 bytes) for Connection ID 1
13[TNC] PB-TNC state transition from 'Decided' to 'End'
13[TNC] processing PB-TNC CLOSE batch
13[TNC] final recommendation is 'allow' and evaluation is 'compliant'
13[TNC] PT-TLS connection terminates
13[IMV] IMV 1 "OS" deleted the state of Connection ID 1
13[IMV] IMV 2 "SWID" deleted the state of Connection ID 1
13[TNC] removed TNCCS Connection ID 1
13[TLS] sending TLS close notify
13[TLS] sending TLS Alert record (26 bytes)

PT-TLS Connection by Access Requestor "dave"¶

14[TNC] accepting PT-TLS stream from 192.168.0.200

TLS Connection Setup¶

15[TNC] entering PT-TLS negotiation phase
15[TLS] processing TLS Handshake record (124 bytes)
15[TLS] received TLS ClientHello handshake (120 bytes)
15[TLS] received TLS 'signature algorithms' extension
15[TLS] received TLS 'elliptic curves' extension
15[TLS] received TLS 'ec point formats' extension
15[TLS] received TLS 'server name' extension
15[TLS] received 2 TLS cipher suites:
15[TLS]   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
15[TLS]   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
15[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
15[TLS] sending TLS ServerHello handshake (54 bytes)
15[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
15[TLS] sending TLS Certificate handshake (1066 bytes)
15[TLS] selected ECDH group SECP256R1
15[TLS] created signature with SHA256/RSA
15[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
15[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
15[TLS] sending TLS CertificateRequest handshake (102 bytes)
15[TLS] sending TLS ServerHelloDone handshake (0 bytes)
15[TLS] sending TLS Handshake record (1571 bytes)
15[TLS] processing TLS Handshake record (1406 bytes)
15[TLS] received TLS Certificate handshake (1068 bytes)
15[TLS] received TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org'
15[TLS] received TLS ClientKeyExchange handshake (66 bytes)
15[TLS] received TLS CertificateVerify handshake (260 bytes)
15[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org" 
15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org" 
15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
15[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
15[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
15[CFG]   crl is valid: until May 10 08:11:39 2014
15[CFG] certificate status is good
15[CFG]   reached self-signed root ca with a path length of 0
15[TLS] verified signature with SHA256/RSA
15[TLS] processing TLS ChangeCipherSpec record (1 bytes)
15[TLS] buffering 31 bytes, 31 bytes of 45 byte TLS record received
15[TLS] buffering 14 bytes, 45 bytes of 45 byte TLS record received
15[TLS] processing buffered TLS Handshake record (40 bytes)
15[TLS] received TLS Finished handshake (12 bytes)
15[TLS] sending TLS ChangeCipherSpec record (1 bytes)
15[TLS] sending TLS Finished handshake (12 bytes)
15[TLS] sending TLS Handshake record (40 bytes)

PT-TLS Negotiation¶

03[TLS] processing TLS ApplicationData record (64 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (64 bytes)
03[TNC] negotiated PT-TLS version 1

TLS Certificate-based Client Authentication¶

15[TNC] doing SASL client authentication
15[TNC] skipping SASL, client already authenticated by TLS certificate
15[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
15[TLS] sending TLS ApplicationData record (40 bytes)

PT-TLS Transport Phase¶

15[TNC] entering PT-TLS data transport phase

IF-IMV 1.4 AR Identity¶

16[TLS] processing TLS ApplicationData record (79 bytes)
16[TNC] received PT-TLS message #1 of type 'PB-TNC Batch' (55 bytes)
16[TNC] assigned TNCCS Connection ID 2
16[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV]   over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV]   user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV]   over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV]   user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake'
16[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Handshake'

16[TNC] received TNCCS batch (39 bytes) for Connection ID 2
16[TNC] PB-TNC state transition from 'Init' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-Language-Preference message (31 bytes)
16[TNC] setting language preference to 'en'

16[TNC] creating PA-TNC message with ID 0x9c5c5488
16[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
16[IMV] created PA-TNC message: => 76 bytes @ 0x73cbf0
16[IMV]    0: 01 00 00 00 9C 5C 54 88 00 00 00 00 00 00 00 01  .....\T.........
16[IMV]   16: 00 00 00 44 00 00 00 00 00 00 00 02 00 00 00 00  ...D............
16[IMV]   32: 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00  ................
16[IMV]   48: 00 00 00 05 00 00 00 00 00 00 00 0B 00 00 00 00  ................
16[IMV]   64: 00 00 00 0C 00 00 90 2A 00 00 00 08              .......*....
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
16[TNC] creating PB-TNC SDATA batch
16[TNC] adding IETF/PB-PA message
16[TNC] sending PB-TNC SDATA batch (108 bytes) for Connection ID 2
16[TNC] sending PT-TLS message #2 of type 'PB-TNC Batch' (124 bytes)
16[TLS] sending TLS ApplicationData record (148 bytes)

02[TLS] processing TLS ApplicationData record (268 bytes)
02[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (244 bytes)
02[TNC] received TNCCS batch (228 bytes) for Connection ID 2
02[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
02[TNC] processing PB-TNC CDATA batch
02[TNC] processing IETF/PB-PA message (220 bytes)
02[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[IMV] IMV 1 "OS" received message for Connection ID 2 from IMC 1 to IMV 1
02[IMV] => 196 bytes @ 0x73bf90
02[IMV]    0: 01 00 00 00 AA 91 FC F0 00 00 00 00 00 00 00 02  ................
02[IMV]   16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00  .....%r..Debian.
02[IMV]   32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 34 20  ............7.4 
02[IMV]   48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03  x86_64..........
02[IMV]   64: 00 00 00 1C 00 00 00 07 00 00 00 04 00 00 00 00  ................
02[IMV]   80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24  ...............$
02[IMV]   96: 03 01 00 00 32 30 31 34 2D 30 34 2D 31 30 54 30  ....2014-04-10T0
02[IMV]  112: 38 3A 31 32 3A 31 34 5A 00 00 00 00 00 00 00 0B  8:12:14Z........
02[IMV]  128: 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 0C  ................
02[IMV]  144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08  ...........*....
02[IMV]  160: 00 00 00 2C 61 61 62 62 63 63 64 64 65 65 66 66  ...,aabbccddeeff
02[IMV]  176: 31 31 32 32 33 33 34 34 35 35 36 36 37 37 38 38  1122334455667788
02[IMV]  192: 39 39 30 30                                      9900
02[TNC] processing PA-TNC message with ID 0xaa91fcf0
02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
02[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
02[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
02[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
02[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
02[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
02[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

Operating System Information¶

02[IMV] operating system name is 'Debian' from vendor Debian Project
02[IMV] operating system version is '7.4 x86_64'
02[IMV] operating system numeric version is 7.4
02[IMV] operational status: operational, result: successful
02[IMV] last boot: Apr 10 08:12:14 UTC 2014
02[IMV] IPv4 forwarding is enabled
02[IMV] factory default password is disabled

Device Identity¶

02[IMV] device ID is aabbccddeeff11223344556677889900

Policy Manager generating Workitem List¶

This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.

02[IMV] assigned session ID 3 to Connection ID 2
02[IMV] running policy script: 2>&1 TNC_SESSION_ID='3' ipsec imv_policy_manager start
02[IMV] policy: imv_policy_manager start successful
02[IMV] policy: No leaks detected, 11 suppressed by whitelist
02[IMV] DREFM workitem 9
02[IMV] FWDEN workitem 10
02[IMV] SWIDT workitem 11

02[IMV] IMV 1 handles FWDEN workitem 10
02[IMV] IMV 1 handled FWDEN workitem 10: isolate - forwarding enabled
02[TNC] creating PA-TNC message with ID 0x98785488
02[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
02[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
02[IMV] created PA-TNC message: => 117 bytes @ 0x728f50
02[IMV]    0: 01 00 00 00 98 78 54 88 00 00 00 00 00 00 00 09  .....xT.........
02[IMV]   16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A  ................
02[IMV]   32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42  ...]...........B
02[IMV]   48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72  IP Packet Forwar
02[IMV]   64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69  ding.  Please di
02[IMV]   80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72  sable the forwar
02[IMV]   96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65  ding of IP packe
02[IMV]  112: 74 73 02 65 6E                                   ts.en
02[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
02[TNC] IMV 1 is setting reason language to 'en'
02[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'

Sending SWID Request¶

02[IMV] IMV 2 handles SWIDT workitem 11
02[IMV] IMV 2 issues SWID request 11
02[TNC] creating PA-TNC message with ID 0xb2c5708e
02[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
02[IMV] created PA-TNC message: => 32 bytes @ 0x737a60
02[IMV]    0: 01 00 00 00 B2 C5 70 8E 00 00 55 97 00 00 00 11  ......p...U.....
02[IMV]   16: 00 00 00 18 00 00 00 00 00 00 00 0B 00 00 00 00  ................
02[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
02[TNC] creating PB-TNC SDATA batch
02[TNC] adding PB-PA message
02[TNC] adding PB-PA message
02[TNC] sending PB-TNC SDATA batch (205 bytes) for Connection ID 2
02[TNC] => 205 bytes @ 0x6f8480
02[TNC]    0: 02 80 00 02 00 00 00 CD 80 00 00 00 00 00 00 01  ................
02[TNC]   16: 00 00 00 8D 00 00 00 00 00 00 00 01 FF FF 00 01  ................
02[TNC]   32: 01 00 00 00 E9 84 5D 2F 00 00 00 00 00 00 00 09  ......]/........
02[TNC]   48: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A  ................
02[TNC]   64: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42  ...]...........B
02[TNC]   80: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72  IP Packet Forwar
02[TNC]   96: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69  ding.  Please di
02[TNC]  112: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72  sable the forwar
02[TNC]  128: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65  ding of IP packe
02[TNC]  144: 74 73 02 65 6E 80 00 00 00 00 00 00 01 00 00 00  ts.en...........
02[TNC]  160: 38 00 00 55 97 00 00 00 03 FF FF 00 02 01 00 00  8..U............
02[TNC]  176: 00 FF 7D 72 78 00 00 55 97 00 00 00 11 00 00 00  ..}rx..U........
02[TNC]  192: 18 00 00 00 00 00 00 00 0B 00 00 00 00           .............
02[TNC] sending PT-TLS message #3 of type 'PB-TNC Batch' (221 bytes)
02[TLS] sending TLS ApplicationData record (272 bytes)

01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (127188 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (16408 bytes)
01[TLS] processing buffered TLS ApplicationData record (12524 bytes)
01[TNC] received TNCCS batch (127172 bytes) for Connection ID 2
01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
01[TNC] processing PB-TNC CDATA batch
01[TNC] processing IETF/PB-PA message (127164 bytes)

Receiving SWID Tag Inventory¶

01[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
01[IMV] IMV 2 "SWID" received message for Connection ID 2 from IMC 2 to IMV 2
01[IMV] => 127140 bytes @ 0x7c75b0
01[IMV]    0: 01 00 00 00 B2 B6 85 7C 00 00 55 97 00 00 00 14  .......|..U.....
01[IMV]   16: 00 01 F0 9C 00 00 01 6A 00 00 00 0B 2A AE 20 7D  .......j....*. }
01[IMV]   32: 00 00 00 01 00 00 00 00 01 5B 3C 3F 78 6D 6C 20  .........[<?xml 
01[IMV]   48: 76 65 72 73 69 6F 6E 3D 27 31 2E 30 27 20 65 6E  version='1.0' en
01[IMV]   64: 63 6F 64 69 6E 67 3D 27 55 54 46 2D 38 27 3F 3E  coding='UTF-8'?>
01[IMV]   80: 3C 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74  <SoftwareIdentit
01[IMV]   96: 79 20 6E 61 6D 65 3D 22 61 63 70 69 2D 73 75 70  y name="acpi-sup
01[IMV]  112: 70 6F 72 74 2D 62 61 73 65 22 20 75 6E 69 71 75  port-base" uniqu
01[IMV]  128: 65 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E 34 2D  eId="debian_7.4-
01[IMV]  144: 78 38 36 5F 36 34 2D 61 63 70 69 2D 73 75 70 70  x86_64-acpi-supp
01[IMV]  160: 6F 72 74 2D 62 61 73 65 2D 30 2E 31 34 30 2D 35  ort-base-0.140-5
01[IMV]  176: 22 20 76 65 72 73 69 6F 6E 3D 22 30 2E 31 34 30  " version="0.140
01[IMV]  192: 2D 35 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D  -5" versionSchem
01[IMV]  208: 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22  e="alphanumeric" 
01[IMV]  224: 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73   xmlns="http://s
01[IMV]  240: 74 61 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67  tandards.iso.org
01[IMV]  256: 2F 69 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30  /iso/19770/-2/20
01[IMV]  272: 31 34 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C  14/schema.xsd"><
01[IMV]  288: 45 6E 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72  Entity name="str
01[IMV]  304: 6F 6E 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22  ongSwan" regid=" 
01[IMV]  320: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72  regid.2004-03.or
01[IMV]  336: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F  g.strongswan" ro
01[IMV]  352: 6C 65 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20  le="tagcreator" 
01[IMV]  368: 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E  /></SoftwareIden
01[IMV]  384: 74 69 74 79 3E 00 00 00 00 01 57 3C 3F 78 6D 6C  tity>.....W<?xml
01[IMV]  400: 20 76 65 72 73 69 6F 6E 3D 27 31 2E 30 27 20 65   version='1.0' e
01[IMV]  416: 6E 63 6F 64 69 6E 67 3D 27 55 54 46 2D 38 27 3F  ncoding='UTF-8'?
01[IMV]  432: 3E 3C 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69  ><SoftwareIdenti
01[IMV]  448: 74 79 20 6E 61 6D 65 3D 22 61 63 70 69 64 22 20  ty name="acpid" 
01[IMV]  464: 75 6E 69 71 75 65 49 64 3D 22 64 65 62 69 61 6E  uniqueId="debian
01[IMV]  480: 5F 37 2E 34 2D 78 38 36 5F 36 34 2D 61 63 70 69  _7.4-x86_64-acpi
01[IMV]  496: 64 2D 31 3A 32 2E 30 2E 31 36 2D 31 2B 64 65 62  d-1:2.0.16-1+deb
01[IMV]  512: 37 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 31 3A  7u1" version="1:
01[IMV]  528: 32 2E 30 2E 31 36 2D 31 2B 64 65 62 37 75 31 22  2.0.16-1+deb7u1" 
01[IMV]  544: 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D 22   versionScheme=" 
01[IMV]  560: 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 6D  alphanumeric" xm
01[IMV]  576: 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 6E  lns="http://stan
01[IMV]  592: 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 73  dards.iso.org/is
01[IMV]  608: 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 2F  o/19770/-2/2014/
01[IMV]  624: 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E 74  schema.xsd"><Ent
01[IMV]  640: 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E 67  ity name="strong
01[IMV]  656: 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 67  Swan" regid="reg
01[IMV]  672: 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73  id.2004-03.org.s
01[IMV]  688: 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 3D  trongswan" role=
01[IMV]  704: 22 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E 3C  "tagcreator" /><
01[IMV]  720: 2F 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74  /SoftwareIdentit
01[IMV]  736: 79 3E 00 00 00 00 01 4D 3C 3F 78 6D 6C 20 76 65  y>.....M<?xml ve
...
01[IMV] 125680: 79 3E 00 00 00 00 01 5D 3C 3F 78 6D 6C 20 76 65  y>.....]<?xml ve
01[IMV] 125696: 72 73 69 6F 6E 3D 27 31 2E 30 27 20 65 6E 63 6F  rsion='1.0' enco
01[IMV] 125712: 64 69 6E 67 3D 27 55 54 46 2D 38 27 3F 3E 3C 53  ding='UTF-8'?><S
01[IMV] 125728: 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 20  oftwareIdentity 
01[IMV] 125744: 6E 61 6D 65 3D 22 7A 6C 69 62 31 67 2D 64 65 76  name="zlib1g-dev
01[IMV] 125760: 22 20 75 6E 69 71 75 65 49 64 3D 22 64 65 62 69  " uniqueId="debi
01[IMV] 125776: 61 6E 5F 37 2E 34 2D 78 38 36 5F 36 34 2D 7A 6C  an_7.4-x86_64-zl
01[IMV] 125792: 69 62 31 67 2D 64 65 76 2D 31 3A 31 2E 32 2E 37  ib1g-dev-1:1.2.7
01[IMV] 125808: 2E 64 66 73 67 2D 31 33 22 20 76 65 72 73 69 6F  .dfsg-13" versio
01[IMV] 125824: 6E 3D 22 31 3A 31 2E 32 2E 37 2E 64 66 73 67 2D  n="1:1.2.7.dfsg-
01[IMV] 125840: 31 33 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D  13" versionSchem
01[IMV] 125856: 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22  e="alphanumeric" 
01[IMV] 125872: 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73   xmlns="http://s
01[IMV] 125888: 74 61 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67  tandards.iso.org
01[IMV] 125904: 2F 69 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30  /iso/19770/-2/20
01[IMV] 125920: 31 34 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C  14/schema.xsd"><
01[IMV] 125936: 45 6E 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72  Entity name="str
01[IMV] 125952: 6F 6E 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22  ongSwan" regid=" 
01[IMV] 125968: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72  regid.2004-03.or
01[IMV] 125984: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F  g.strongswan" ro
01[IMV] 126000: 6C 65 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20  le="tagcreator" 
01[IMV] 126016: 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E  /></SoftwareIden
01[IMV] 126032: 74 69 74 79 3E 00 66 2F 75 73 72 2F 6C 6F 63 61  tity>.f/usr/loca
01[IMV] 126048: 6C 2F 73 68 61 72 65 2F 72 65 67 69 64 2E 32 30  l/share/regid.20
01[IMV] 126064: 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67  04-03.org.strong
01[IMV] 126080: 73 77 61 6E 2F 72 65 67 69 64 2E 32 30 30 34 2D  swan/regid.2004-
01[IMV] 126096: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61  03.org.strongswa
01[IMV] 126112: 6E 5F 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 32  n_strongSwan-5-2
01[IMV] 126128: 2D 30 64 72 31 2E 73 77 69 64 74 61 67 00 00 03  -0dr1.swidtag...
01[IMV] 126144: E3 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22  .<?xml version=" 
01[IMV] 126160: 31 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 75  1.0" encoding="u
01[IMV] 126176: 74 66 2D 38 22 3F 3E 0A 3C 73 6F 66 74 77 61 72  tf-8"?>.<softwar
01[IMV] 126192: 65 5F 69 64 65 6E 74 69 66 69 63 61 74 69 6F 6E  e_identification
01[IMV] 126208: 5F 74 61 67 20 78 6D 6C 6E 73 3D 22 68 74 74 70  _tag xmlns="http
01[IMV] 126224: 3A 2F 2F 73 74 61 6E 64 61 72 64 73 2E 69 73 6F  ://standards.iso
01[IMV] 126240: 2E 6F 72 67 2F 69 73 6F 2F 31 39 37 37 30 2F 2D  .org/iso/19770/-
01[IMV] 126256: 32 2F 32 30 30 39 2F 73 63 68 65 6D 61 2E 78 73  2/2009/schema.xs
01[IMV] 126272: 64 22 3E 0A 20 20 3C 65 6E 74 69 74 6C 65 6D 65  d">.  <entitleme
01[IMV] 126288: 6E 74 5F 72 65 71 75 69 72 65 64 5F 69 6E 64 69  nt_required_indi
01[IMV] 126304: 63 61 74 6F 72 3E 74 72 75 65 3C 2F 65 6E 74 69  cator>true</enti
01[IMV] 126320: 74 6C 65 6D 65 6E 74 5F 72 65 71 75 69 72 65 64  tlement_required
01[IMV] 126336: 5F 69 6E 64 69 63 61 74 6F 72 3E 0A 20 20 3C 70  _indicator>.  <p
01[IMV] 126352: 72 6F 64 75 63 74 5F 74 69 74 6C 65 3E 73 74 72  roduct_title>str
01[IMV] 126368: 6F 6E 67 53 77 61 6E 3C 2F 70 72 6F 64 75 63 74  ongSwan</product
01[IMV] 126384: 5F 74 69 74 6C 65 3E 0A 20 20 3C 70 72 6F 64 75  _title>.  <produ
01[IMV] 126400: 63 74 5F 76 65 72 73 69 6F 6E 3E 0A 20 20 20 20  ct_version>.    
01[IMV] 126416: 3C 6E 61 6D 65 3E 35 2E 32 2E 30 64 72 31 3C 2F  <name>5.2.0dr1</
01[IMV] 126432: 6E 61 6D 65 3E 0A 20 20 20 20 3C 6E 75 6D 65 72  name>.    <numer
01[IMV] 126448: 69 63 3E 0A 20 20 20 20 20 20 3C 6D 61 6A 6F 72  ic>.      <major
01[IMV] 126464: 3E 35 3C 2F 6D 61 6A 6F 72 3E 0A 20 20 20 20 20  >5</major>.     
01[IMV] 126480: 20 3C 6D 69 6E 6F 72 3E 32 3C 2F 6D 69 6E 6F 72   <minor>2</minor
01[IMV] 126496: 3E 0A 20 20 20 20 20 20 3C 62 75 69 6C 64 3E 30  >.      <build>0
01[IMV] 126512: 3C 2F 62 75 69 6C 64 3E 0A 20 20 20 20 20 20 3C  </build>.      <
01[IMV] 126528: 72 65 76 69 65 77 3E 64 72 31 3C 2F 72 65 76 69  review>dr1</revi
01[IMV] 126544: 65 77 3E 0A 20 20 20 20 3C 2F 6E 75 6D 65 72 69  ew>.    </numeri
01[IMV] 126560: 63 3E 0A 20 20 3C 2F 70 72 6F 64 75 63 74 5F 76  c>.  </product_v
01[IMV] 126576: 65 72 73 69 6F 6E 3E 0A 20 20 3C 73 6F 66 74 77  ersion>.  <softw
01[IMV] 126592: 61 72 65 5F 63 72 65 61 74 6F 72 3E 0A 20 20 20  are_creator>.   
01[IMV] 126608: 20 3C 6E 61 6D 65 3E 73 74 72 6F 6E 67 53 77 61   <name>strongSwa
01[IMV] 126624: 6E 20 50 72 6F 6A 65 63 74 3C 2F 6E 61 6D 65 3E  n Project</name>
01[IMV] 126640: 0A 20 20 20 20 3C 72 65 67 69 64 3E 72 65 67 69  .    <regid>regi
01[IMV] 126656: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74  d.2004-03.org.st
01[IMV] 126672: 72 6F 6E 67 73 77 61 6E 3C 2F 72 65 67 69 64 3E  rongswan</regid>
01[IMV] 126688: 0A 20 20 3C 2F 73 6F 66 74 77 61 72 65 5F 63 72  .  </software_cr
01[IMV] 126704: 65 61 74 6F 72 3E 0A 20 20 3C 73 6F 66 74 77 61  eator>.  <softwa
01[IMV] 126720: 72 65 5F 6C 69 63 65 6E 73 6F 72 3E 0A 20 20 20  re_licensor>.   
01[IMV] 126736: 20 3C 6E 61 6D 65 3E 73 74 72 6F 6E 67 53 77 61   <name>strongSwa
01[IMV] 126752: 6E 20 50 72 6F 6A 65 63 74 3C 2F 6E 61 6D 65 3E  n Project</name>
01[IMV] 126768: 0A 20 20 20 20 3C 72 65 67 69 64 3E 72 65 67 69  .    <regid>regi
01[IMV] 126784: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74  d.2004-03.org.st
01[IMV] 126800: 72 6F 6E 67 73 77 61 6E 3C 2F 72 65 67 69 64 3E  rongswan</regid>
01[IMV] 126816: 0A 20 20 3C 2F 73 6F 66 74 77 61 72 65 5F 6C 69  .  </software_li
01[IMV] 126832: 63 65 6E 73 6F 72 3E 0A 20 20 3C 73 6F 66 74 77  censor>.  <softw
01[IMV] 126848: 61 72 65 5F 69 64 3E 0A 20 20 20 20 3C 75 6E 69  are_id>.    <uni
01[IMV] 126864: 71 75 65 5F 69 64 3E 73 74 72 6F 6E 67 53 77 61  que_id>strongSwa
01[IMV] 126880: 6E 2D 35 2D 32 2D 30 64 72 31 3C 2F 75 6E 69 71  n-5-2-0dr1</uniq
01[IMV] 126896: 75 65 5F 69 64 3E 0A 20 20 20 20 3C 74 61 67 5F  ue_id>.    <tag_
01[IMV] 126912: 63 72 65 61 74 6F 72 5F 72 65 67 69 64 3E 72 65  creator_regid>re
01[IMV] 126928: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E  gid.2004-03.org.
01[IMV] 126944: 73 74 72 6F 6E 67 73 77 61 6E 3C 2F 74 61 67 5F  strongswan</tag_
01[IMV] 126960: 63 72 65 61 74 6F 72 5F 72 65 67 69 64 3E 0A 20  creator_regid>. 
01[IMV] 126976: 20 3C 2F 73 6F 66 74 77 61 72 65 5F 69 64 3E 0A   </software_id>.
01[IMV] 126992: 20 20 3C 74 61 67 5F 63 72 65 61 74 6F 72 3E 0A    <tag_creator>.
01[IMV] 127008: 20 20 20 20 3C 6E 61 6D 65 3E 73 74 72 6F 6E 67      <name>strong
01[IMV] 127024: 53 77 61 6E 20 50 72 6F 6A 65 63 74 3C 2F 6E 61  Swan Project</na
01[IMV] 127040: 6D 65 3E 0A 20 20 20 20 3C 72 65 67 69 64 3E 72  me>.    <regid>r
01[IMV] 127056: 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67  egid.2004-03.org
01[IMV] 127072: 2E 73 74 72 6F 6E 67 73 77 61 6E 3C 2F 72 65 67  .strongswan</reg
01[IMV] 127088: 69 64 3E 0A 20 20 3C 2F 74 61 67 5F 63 72 65 61  id>.  </tag_crea
01[IMV] 127104: 74 6F 72 3E 0A 3C 2F 73 6F 66 74 77 61 72 65 5F  tor>.</software_
01[IMV] 127120: 69 64 65 6E 74 69 66 69 63 61 74 69 6F 6E 5F 74  identification_t
01[IMV] 127136: 61 67 3E 0A                                      ag>.

01[TNC] processing PA-TNC message with ID 0xb2b6857c
01[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Inventory' 0x005597/0x00000014

Human-Readable SWID Tags¶

01[IMV] received SWID tag inventory for request 11 at eid 1 of epoch 0x2aae207d
01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="acpi-support-base" uniqueId="debian_7.4-x86_64-acpi-support-base-0.140-5" version="0.140-5" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV]   <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV]</SoftwareIdentity>

01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="acpid" uniqueId="debian_7.4-x86_64-acpid-1:2.0.16-1+deb7u1" version="1:2.0.16-1+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV]  <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV] </SoftwareIdentity>

...

01[IMV] <?xml version='1.0' encoding='UTF-8'?>
01[IMV] <SoftwareIdentity name="zlib1g-dev" uniqueId="debian_7.4-x86_64-zlib1g-dev-1:1.2.7.dfsg-13" version="1:1.2.7.dfsg-13" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd">
01[IMV]   <Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" />
01[IMV] </SoftwareIdentity>

361 of the 362 received SWID tags were generated by the Debian dpkg package manager with the new ISO/IEC 19770-2:2014 format and since they are not stored in a file, have a zero Tag File Path field.

The last tag collected is the traditional ISO/IEC 19770-2:2009 encoded strongSwan tag

01[IMV] <?xml version="1.0" encoding="utf-8"?>
01[IMV] <software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
01[IMV]   <entitlement_required_indicator>true</entitlement_required_indicator>
01[IMV]   <product_title>strongSwan</product_title>
01[IMV]   <product_version>
01[IMV]     <name>5.2.0dr1</name>
01[IMV]     <numeric>
01[IMV]       <major>5</major>
01[IMV]       <minor>2</minor>
01[IMV]       <build>0</build>
01[IMV]       <review>dr1</review>
01[IMV]     </numeric>
01[IMV]   </product_version>
01[IMV]   <software_creator>
01[IMV]     <name>strongSwan Project</name>
01[IMV]     <regid>regid.2004-03.org.strongswan</regid>
01[IMV]   </software_creator>
01[IMV]   <software_licensor>
01[IMV]     <name>strongSwan Project</name>
01[IMV]     <regid>regid.2004-03.org.strongswan</regid>
01[IMV]   </software_licensor>
01[IMV]   <software_id>
01[IMV]     <unique_id>strongSwan-5-2-0dr1</unique_id>
01[IMV]     <tag_creator_regid>regid.2004-03.org.strongswan</tag_creator_regid>
01[IMV]   </software_id>
01[IMV]   <tag_creator>
01[IMV]     <name>strongSwan Project</name>
01[IMV]     <regid>regid.2004-03.org.strongswan</regid>
01[IMV]   </tag_creator>
01[IMV] </software_identification_tag>

extracted from a swidtag file with the Tag File Path

/usr/local/share/regid.2004-03.org.strongswan/regid.2004-03.org.strongswan_strongSwan-5-2-0dr1.swidtag

01[IMV] IMV 2 handled SWIDT workitem 11: allow - received inventory of 362 SWID tags
01[TNC] creating PA-TNC message with ID 0xc928920a
01[TNC] creating PA-TNC attribute type 'IETF/Assessm> 01[IMV] 126128: 2D 30 64 72 31 2E 73 77 69 64 74 61 67 00 00 03  

ent Result' 0x000000/0x00000009
01[IMV] created PA-TNC message: => 24 bytes @ 0x73a990
01[IMV]    0: 01 00 00 00 C9 28 92 0A 00 00 00 00 00 00 00 09  .....(..........
01[IMV]   16: 00 00 00 10 00 00 00 00                          ........
01[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
01[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'

Policy Manager integrating Measurement Results¶

01[IMV] running policy script: 2>&1 TNC_SESSION_ID='3' ipsec imv_policy_manager stop
01[IMV] policy: imv_policy_manager stop successful

01[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Isolated'
01[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Isolated'
01[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
01[TNC] creating PB-TNC RESULT batch
01[TNC] adding IETF/PB-PA message
01[TNC] adding IETF/PB-Assessment-Result message
01[TNC] adding IETF/PB-Access-Recommendation message
01[TNC] adding IETF/PB-Reason-String message
01[TNC] sending PB-TNC RESULT batch (141 bytes) for Connection ID 2
01[TNC] sending PT-TLS message #4 of type 'PB-TNC Batch' (157 bytes)
01[TLS] sending TLS ApplicationData record (181 bytes)

Closing PT-TLS Connection¶

10[TLS] processing TLS ApplicationData record (48 bytes)
10[TNC] received PT-TLS message #4 of type 'PB-TNC Batch' (24 bytes)
10[TNC] received TNCCS batch (8 bytes) for Connection ID 2
10[TNC] PB-TNC state transition from 'Decided' to 'End'
10[TNC] processing PB-TNC CLOSE batch
10[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant major'
10[TNC] PT-TLS connection terminates
10[IMV] IMV 1 "OS" deleted the state of Connection ID 2
10[IMV] IMV 2 "SWID" deleted the state of Connection ID 2
10[TNC] removed TNCCS Connection ID 2
10[TLS] sending TLS close notify
10[TLS] sending TLS Alert record (26 bytes)

Terminating the strongSwan Policy Decision Point¶

00[DMN] signal of type SIGINT received. Shutting down
00[IMV] IMV 2 "SWID" terminated
00[TNC] removed TCG attributes
00[LIB] libpts terminated
00[IMV] IMV 1 "OS" terminated
00[TNC] removed IETF attributes
00[TNC] removed ITA-HSR attributes
00[LIB] libimcv terminated

PT-TLS Configuration Parameters¶

The complete configuration parameters for this example scenario can be found here.