Version 15 (Andreas Steffen, 10.04.2014 17:37) → Version 16/21 (Andreas Steffen, 10.04.2014 17:54)

h1. Endpoint Compliance via PT-TLS Protocol

{{>toc}}

h2. Starting the strongSwan Policy Decision Point (PDP)

The strongSwan PDP starts and loads its server certificate and the client credentials
<pre>
00[DMN] Starting IKE charon daemon (strongSwan 5.2.0dr1, Linux 3.13.5, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
</pre>

Next the OS and SWID IMVs are loaded
<pre>
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] added TCG attributes
00[LIB] libpts initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
</pre>

The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads

<pre>
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
</pre>

h2. PT-TLS Connection by Access Requestor "carol"

<pre>
04[TNC] accepting PT-TLS stream from 192.168.0.100
</pre>

h3. Supported TLS 1.0, 1.1 or 1.2 Cipher Suites

<pre>
04[TLS] 36 supported TLS cipher suites:
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
04[TLS] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
04[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
04[TLS] TLS_RSA_WITH_AES_128_GCM_SHA256
04[TLS] TLS_RSA_WITH_AES_256_GCM_SHA384
04[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
04[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
04[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
04[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
04[TLS] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
04[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
</pre>

h3. TLS Connection Setup

<pre>
03[TNC] entering PT-TLS negotiation phase
03[TLS] processing TLS Handshake record (124 bytes)
03[TLS] received TLS ClientHello handshake (120 bytes)
03[TLS] received TLS 'signature algorithms' extension
03[TLS] received TLS 'elliptic curves' extension
03[TLS] received TLS 'ec point formats' extension
03[TLS] received TLS 'server name' extension
03[TLS] received 2 TLS cipher suites:
03[TLS] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
03[TLS] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
03[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
03[TLS] sending TLS ServerHello handshake (54 bytes)
03[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
03[TLS] sending TLS Certificate handshake (1066 bytes)
03[TLS] selected ECDH group SECP256R1
03[TLS] created signature with SHA256/RSA
03[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
03[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
03[TLS] sending TLS CertificateRequest handshake (102 bytes)
03[TLS] sending TLS ServerHelloDone handshake (0 bytes)
03[TLS] sending TLS Handshake record (1571 bytes)
03[TLS] processing TLS Handshake record (77 bytes)
03[TLS] received TLS Certificate handshake (3 bytes)
03[TLS] received TLS ClientKeyExchange handshake (66 bytes)
03[TLS] processing TLS ChangeCipherSpec record (1 bytes)
03[TLS] processing TLS Handshake record (40 bytes)
03[TLS] received TLS Finished handshake (12 bytes)
03[TLS] sending TLS ChangeCipherSpec record (1 bytes)
03[TLS] sending TLS Finished handshake (12 bytes)
03[TLS] sending TLS Handshake record (40 bytes)
</pre>

h3. PT-TLS Negotiation

<pre>
03[TLS] processing TLS ApplicationData record (44 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (44 bytes)
03[TNC] negotiated PT-TLS version 1
</pre>

h3. SASL Password-based Client Authentication

<pre>
03[TNC] doing SASL client authentication
03[TNC] offering SASL PLAIN
03[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (22 bytes)
03[TLS] sending TLS ApplicationData record (46 bytes)
03[TLS] processing TLS ApplicationData record (61 bytes)
03[TNC] received PT-TLS message #1 of type 'SASL Mechanism Selection' (37 bytes)
03[TNC] client starts SASL PLAIN authentication
03[TNC] SASL PLAIN authentication successful
03[TNC] SASL client identity is 'carol'
03[TNC] sending PT-TLS message #2 of type 'SASL Result' (17 bytes)
03[TLS] sending TLS ApplicationData record (41 bytes)
03[TNC] sending PT-TLS message #3 of type 'SASL Mechanisms' (16 bytes)
03[TLS] sending TLS ApplicationData record (40 bytes)
</pre>

h3. PT-TLS Transport Phase

<pre>
03[TNC] entering PT-TLS data transport phase
</pre>

h3. IF-IMV 1.4 AR Identity

<pre>
11[TLS] processing TLS ApplicationData record (299 bytes)
11[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (275 bytes)
11[TNC] assigned TNCCS Connection ID 1
11[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV] user AR identity 'carol' authenticated by password
11[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
11[IMV] user AR identity 'carol' authenticated by password
11[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
11[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'
</pre>

<pre>
11[TNC] received TNCCS batch (259 bytes) for Connection ID 1
11[TNC] PB-TNC state transition from 'Init' to 'Server Working'
11[TNC] processing PB-TNC CDATA batch
11[TNC] processing IETF/PB-Language-Preference message (31 bytes)
11[TNC] processing IETF/PB-PA message (220 bytes)
11[TNC] setting language preference to 'en'
</pre>

<pre>
11[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
11[IMV] => 196 bytes @ 0x6f09d0
11[IMV] 0: 01 00 00 00 B4 0C 4B 59 00 00 00 00 00 00 00 02 ......KY........
11[IMV] 16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00 .....%r..Debian.
11[IMV] 32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 34 20 ............7.4
11[IMV] 48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03 x86_64..........
11[IMV] 64: 00 00 00 1C 00 00 00 07 00 00 00 04 00 00 00 00 ................
11[IMV] 80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24 ...............$
11[IMV] 96: 03 01 00 00 32 30 31 34 2D 30 34 2D 31 30 54 30 ....2014-04-10T0
11[IMV] 112: 38 3A 31 32 3A 31 33 5A 00 00 00 00 00 00 00 0B 8:12:13Z........
11[IMV] 128: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0C ................
11[IMV] 144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08 ...........*....
11[IMV] 160: 00 00 00 2C 65 64 33 32 64 63 37 63 31 65 62 33 ...,ed32dc7c1eb3
11[IMV] 176: 32 38 65 66 30 61 63 63 30 65 34 63 35 33 34 35 28ef0acc0e4c5345
11[IMV] 192: 62 38 65 34 b8e4
11[TNC] processing PA-TNC message with ID 0xb40c4b59
11[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
11[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
11[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
11[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
11[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
11[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
11[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
</pre>

h3. Operating System Information

<pre>
11[IMV] operating system name is 'Debian' from vendor Debian Project
11[IMV] operating system version is '7.4 x86_64'
11[IMV] operating system numeric version is 7.4
11[IMV] operational status: operational, result: successful
11[IMV] last boot: Apr 10 08:12:13 UTC 2014
11[IMV] IPv4 forwarding is disabled
11[IMV] factory default password is disabled
</pre>

h3. Device Identity

<pre>
11[IMV] device ID is ed32dc7c1eb328ef0acc0e4c5345b8e4
</pre>

h3. Policy Manager generating Workitem List

This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.

<pre>
11[IMV] assigned session ID 2 to Connection ID 1
11[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager start
11[IMV] policy: imv_policy_manager start successful
11[IMV] policy: No leaks detected, 11 suppressed by whitelist
</pre>

Available workitems generated by the Policy Manager

<pre>
11[IMV] FMEAS workitem 1
11[IMV] FMEAS workitem 2
11[IMV] FWDEN workitem 3
11[IMV] FMEAS workitem 4
11[IMV] FMETA workitem 5
11[IMV] SWIDT workitem 6
11[IMV] TCPOP workitem 7
11[IMV] UDPOP workitem 8
</pre>

Assessment Result generated by the OS IMV

<pre>
11[IMV] IMV 1 handles FWDEN workitem 3
11[IMV] IMV 1 handled FWDEN workitem 3: allow - forwarding not enabled
11[TNC] creating PA-TNC message with ID 0x4abaf071
11[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
11[IMV] created PA-TNC message: => 24 bytes @ 0x729180
11[IMV] 0: 01 00 00 00 4A BA F0 71 00 00 00 00 00 00 00 09 ....J..q........
11[IMV] 16: 00 00 00 10 00 00 00 00 ........
11[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
11[TNC] IMV 1 provides recommendation 'allow' and evaluation 'compliant'
</pre>

h3. Sending SWID Request

<pre>
11[IMV] IMV 2 handles SWIDT workitem 6
11[IMV] IMV 2 issues SWID request 6
11[TNC] creating PA-TNC message with ID 0x551f2e1f
11[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
11[IMV] created PA-TNC message: => 32 bytes @ 0x6efce0
11[IMV] 0: 01 00 00 00 55 1F 2E 1F 00 00 55 97 00 00 00 11 ....U.....U.....
11[IMV] 16: 00 00 00 18 01 00 00 00 00 00 00 06 00 00 00 00 ................
11[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
11[TNC] creating PB-TNC SDATA batch
11[TNC] adding IETF/PB-PA message
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC SDATA batch (112 bytes) for Connection ID 1
11[TNC] sending PT-TLS message #4 of type 'PB-TNC Batch' (128 bytes)
11[TLS] sending TLS ApplicationData record (152 bytes)
</pre>

h3. Receiving SWID Tag Identifier Inventory

<pre>
13[TLS] processing buffered TLS ApplicationData record (224 bytes)
13[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (183 bytes)
13[TNC] received TNCCS batch (167 bytes) for Connection ID 1
13[TNC] => 167 bytes @ 0x6f1f30
13[TNC] 0: 02 00 00 01 00 00 00 A7 80 00 00 00 00 00 00 01 ................
13[TNC] 16: 00 00 00 9F 80 00 55 97 00 00 00 03 00 02 00 02 ......U.........
13[TNC] 32: 01 00 00 00 DC 86 EF 69 00 00 55 97 00 00 00 12 .......i..U.....
13[TNC] 48: 00 00 00 7F 00 00 00 02 00 00 00 06 71 43 2A 93 ............qC*.
13[TNC] 64: 00 00 00 01 00 1C 72 65 67 69 64 2E 32 30 30 34 ......regid.2004
13[TNC] 80: 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 -03.org.strongsw
13[TNC] 96: 61 6E 00 14 73 74 72 6F 6E 67 53 77 61 6E 2D 35 an..strongSwan-5
13[TNC] 112: 2D 31 2D 31 2D 64 72 32 00 00 00 18 72 65 67 69 -1-1-dr2....regi
13[TNC] 128: 64 2E 31 39 39 39 2D 30 33 2E 6F 72 67 2E 64 65 d.1999-03.org.de
13[TNC] 144: 62 69 61 6E 00 0F 73 71 6C 69 74 65 2D 33 2D 37 bian..sqlite-3-7
13[TNC] 160: 2D 31 33 2D 31 00 00 -13-1..
13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
13[TNC] processing PB-TNC CDATA batch
13[TNC] processing PB-PA message (159 bytes)
</pre>

<pre>
13[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
13[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
13[IMV] => 135 bytes @ 0x6f4780
13[IMV] 0: 01 00 00 00 DC 86 EF 69 00 00 55 97 00 00 00 12 .......i..U.....
13[IMV] 16: 00 00 00 7F 00 00 00 02 00 00 00 06 71 43 2A 93 ............qC*.
13[IMV] 32: 00 00 00 01 00 1C 72 65 67 69 64 2E 32 30 30 34 ......regid.2004
13[IMV] 48: 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 -03.org.strongsw
13[IMV] 64: 61 6E 00 14 73 74 72 6F 6E 67 53 77 61 6E 2D 35 an..strongSwan-5
13[IMV] 80: 2D 31 2D 31 2D 64 72 32 00 00 00 18 72 65 67 69 -1-1-dr2....regi
13[IMV] 96: 64 2E 31 39 39 39 2D 30 33 2E 6F 72 67 2E 64 65 d.1999-03.org.de
13[IMV] 112: 62 69 61 6E 00 0F 73 71 6C 69 74 65 2D 33 2D 37 bian..sqlite-3-7
13[IMV] 128: 2D 31 33 2D 31 00 00 -13-1..
13[TNC] processing PA-TNC message with ID 0xdc86ef69
13[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Identifier Inventory' 0x005597/0x00000012
13[TNC] => 115 bytes @ 0x6f4794
13[TNC] 0: 00 00 00 02 00 00 00 06 71 43 2A 93 00 00 00 01 ........qC*.....
13[TNC] 16: 00 1C 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E ..regid.2004-03.
13[TNC] 32: 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 6E 00 14 org.strongswan..
13[TNC] 48: 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 31 2D 31 strongSwan-5-1-1
13[TNC] 64: 2D 64 72 32 00 00 00 18 72 65 67 69 64 2E 31 39 -dr2....regid.19
13[TNC] 80: 39 39 2D 30 33 2E 6F 72 67 2E 64 65 62 69 61 6E 99-03.org.debian
13[TNC] 96: 00 0F 73 71 6C 69 74 65 2D 33 2D 37 2D 31 33 2D ..sqlite-3-7-13-
13[TNC] 112: 31 00 00 1..
</pre>

h3. Human-Readable SWID Tag Identifiers

<pre>
13[IMV] received SWID tag ID inventory for request 6 at eid 1 of epoch 0x71432a93
13[IMV] regid.2004-03.org.strongswan_strongSwan-5-1-1-dr2.swidtag
13[IMV] regid.1999-03.org.debian_sqlite-3-7-13-1.swidtag
</pre>

<pre>
13[IMV] IMV 2 handled SWIDT workitem 6: allow - received inventory of 2 SWID tag IDs
13[TNC] creating PA-TNC message with ID 0x85fed4ee
13[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
13[TNC] => 4 bytes @ 0x6e3220
13[TNC] 0: 00 00 00 00 ....
13[IMV] created PA-TNC message: => 24 bytes @ 0x6ecdc0
13[IMV] 0: 01 00 00 00 85 FE D4 EE 00 00 00 00 00 00 00 09 ................
13[IMV] 16: 00 00 00 10 00 00 00 00 ........
13[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
13[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'
</pre>

h3. Policy Manager integrating Measurement Results

<pre>
13[IMV] running policy script: 2>&1 TNC_SESSION_ID='2' ipsec imv_policy_manager stop
13[IMV] policy: imv_policy_manager stop successful
</pre>

<pre>
13[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Allowed'
13[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Allowed'
13[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
13[TNC] creating PB-TNC RESULT batch
13[TNC] adding PB-PA message
13[TNC] adding PB-Assessment-Result message
13[TNC] adding PB-Access-Recommendation message
13[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 1
13[TNC] => 88 bytes @ 0x6ee0a0
13[TNC] 0: 02 80 00 03 00 00 00 58 80 00 00 00 00 00 00 01 .......X........
13[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 03 FF FF 00 02 ...0..U.........
13[TNC] 32: 01 00 00 00 85 FE D4 EE 00 00 00 00 00 00 00 09 ................
13[TNC] 48: 00 00 00 10 00 00 00 00 80 00 00 00 00 00 00 02 ................
13[TNC] 64: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 03 ................
13[TNC] 80: 00 00 00 10 00 00 00 01 ........
13[TNC] sending PT-TLS message #5 of type 'PB-TNC Batch' (104 bytes)
13[TLS] sending TLS ApplicationData record (144 bytes)
</pre>
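
The RESULT batch logged above can be decoded field by field from its hex dump. The following is an added example, not part of the original page or of strongSwan's code: it rebuilds the 88 bytes from the log rows and parses the PB-TNC batch (RFC 5793) and the embedded PA-TNC message (RFC 5792), rejecting any length field that overruns its container. All function and dictionary names are chosen for this example.

```python
import re

# Constructed input: the RESULT batch rows copied from the log on this page.
RESULT_LOG = """\
13[TNC] => 88 bytes @ 0x6ee0a0
13[TNC] 0: 02 80 00 03 00 00 00 58 80 00 00 00 00 00 00 01 .......X........
13[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 03 FF FF 00 02 ...0..U.........
13[TNC] 32: 01 00 00 00 85 FE D4 EE 00 00 00 00 00 00 00 09 ................
13[TNC] 48: 00 00 00 10 00 00 00 00 80 00 00 00 00 00 00 02 ................
13[TNC] 64: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 03 ................
13[TNC] 80: 00 00 00 10 00 00 00 01 ........
"""

BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT",
               4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
# Result and recommendation codes as defined in RFC 5793.
ASSESSMENT = {0: "Compliant", 1: "Minor non-compliance",
              2: "Significant non-compliance", 3: "Error",
              4: "Insufficient attributes"}
RECOMMENDATION = {1: "Access Allowed", 2: "Access Denied", 3: "Quarantined"}


def u(buf, off, n):
    """Read an n-byte big-endian unsigned integer, never past the end."""
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return int.from_bytes(buf[off:off + n], "big")


def dump_to_bytes(log):
    """Rebuild raw bytes from a '=> N bytes @' hex dump in the charon log."""
    total, out = None, bytearray()
    for line in log.splitlines():
        head = re.search(r"=> (\d+) bytes @", line)
        row = re.match(r"\d+\[\w+\]\s+(\d+):\s+(.*)", line)
        if head:
            total = int(head.group(1))
        elif row and total is not None:
            if int(row.group(1)) != len(out):
                raise ValueError("offset gap in hex dump")
            want = min(16, total - len(out))  # drops the ASCII column
            out += bytes(int(t, 16) for t in row.group(2).split()[:want])
    if total is None or len(out) != total:
        raise ValueError("hex dump incomplete")
    return bytes(out)


def parse_pa_tnc(buf):
    """PA-TNC message: 8-byte header, then length-prefixed attributes."""
    if u(buf, 0, 1) != 1:
        raise ValueError("unsupported PA-TNC version")
    msg = {"id": u(buf, 4, 4), "attributes": []}
    off = 8
    while off < len(buf):
        vendor, atype = u(buf, off + 1, 3), u(buf, off + 4, 4)
        alen = u(buf, off + 8, 4)          # includes the 12-byte header
        if alen < 12 or off + alen > len(buf):
            raise ValueError("PA-TNC attribute length out of bounds")
        msg["attributes"].append((vendor, atype, buf[off + 12:off + alen]))
        off += alen
    return msg


def parse_batch(buf):
    """PB-TNC batch with every length checked against its container."""
    if u(buf, 0, 1) != 2:
        raise ValueError("unsupported PB-TNC version")
    word, length = u(buf, 1, 3), u(buf, 4, 4)
    if length != len(buf):
        raise ValueError("batch length does not match received size")
    batch = {"type": BATCH_TYPES.get(word & 0x0F, "unknown"),
             "from_server": bool(word & 0x800000), "messages": []}
    off = 8
    while off < length:
        flags, vendor = u(buf, off, 1), u(buf, off + 1, 3)
        mtype, mlen = u(buf, off + 4, 4), u(buf, off + 8, 4)
        if mlen < 12 or off + mlen > length:
            raise ValueError("PB-TNC message length out of bounds")
        body = buf[off + 12:off + mlen]
        msg = {"noskip": bool(flags & 0x80), "vendor": vendor, "type": mtype}
        if (vendor, mtype) == (0, 1):      # PB-PA wraps one PA-TNC message
            msg.update(kind="PB-PA", subtype=(u(body, 1, 3), u(body, 4, 4)),
                       collector=u(body, 8, 2), validator=u(body, 10, 2),
                       pa=parse_pa_tnc(body[12:]))
        elif (vendor, mtype) == (0, 2):
            msg.update(kind="PB-Assessment-Result",
                       result=ASSESSMENT.get(u(body, 0, 4), "unknown"))
        elif (vendor, mtype) == (0, 3):    # 16 reserved bits, then the code
            msg.update(kind="PB-Access-Recommendation",
                       result=RECOMMENDATION.get(u(body, 2, 2), "unknown"))
        else:
            msg.update(kind="other")
        batch["messages"].append(msg)
        off += mlen
    return batch


if __name__ == "__main__":
    for message in parse_batch(dump_to_bytes(RESULT_LOG))["messages"]:
        print(message)
```

The decoded values line up with the log: the PA-TNC message ID is the one created for the SWID Assessment Result, and the two PB-TNC result messages carry the final 'allow' and 'compliant' decision.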

h3. Closing PT-TLS Connection

<pre>
14[TLS] processing TLS ApplicationData record (64 bytes)
14[TNC] received PT-TLS message #4 of type 'PB-TNC Batch' (24 bytes)
14[TNC] received TNCCS batch (8 bytes) for Connection ID 1
14[TNC] => 8 bytes @ 0x6ef420
14[TNC] 0: 02 00 00 06 00 00 00 08 ........
14[TNC] PB-TNC state transition from 'Decided' to 'End'
14[TNC] processing PB-TNC CLOSE batch
14[TNC] final recommendation is 'allow' and evaluation is 'compliant'
14[TNC] PT-TLS connection terminates
14[IMV] IMV 1 "OS" deleted the state of Connection ID 1
14[IMV] IMV 2 "SWID" deleted the state of Connection ID 1
14[TNC] removed TNCCS Connection ID 1
14[TLS] sending TLS close notify
14[TLS] sending TLS Alert record (48 bytes)
</pre>

h2. PT-TLS Connection by Access Requestor "dave"

<pre>
15[TNC] accepting PT-TLS stream from 192.168.0.200
</pre>

h3. TLS Connection Setup

<pre>
03[TNC] entering PT-TLS negotiation phase
03[TLS] processing TLS Handshake record (176 bytes)
03[TLS] received TLS ClientHello handshake (172 bytes)
03[TLS] received TLS 'signature algorithms' extension
03[TLS] received TLS 'elliptic curves' extension
03[TLS] received TLS 'ec point formats' extension
03[TLS] received TLS 'server name' extension
03[TLS] received 28 TLS cipher suites:
03[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
03[TLS] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
03[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
03[TLS] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
03[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
03[TLS] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
03[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
03[TLS] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
03[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
03[TLS] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
03[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA
03[TLS] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
03[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
03[TLS] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
03[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
03[TLS] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
03[TLS] TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
03[TLS] TLS_RSA_WITH_AES_128_CBC_SHA
03[TLS] TLS_RSA_WITH_AES_128_CBC_SHA256
03[TLS] TLS_RSA_WITH_AES_256_CBC_SHA
03[TLS] TLS_RSA_WITH_AES_256_CBC_SHA256
03[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
03[TLS] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
03[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
03[TLS] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
03[TLS] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
03[TLS] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
03[TLS] TLS_RSA_WITH_3DES_EDE_CBC_SHA
03[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
03[TLS] sending TLS ServerHello handshake (54 bytes)
03[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
03[TLS] sending TLS Certificate handshake (1066 bytes)
03[TLS] selected ECDH group SECP256R1
03[TLS] created signature with MD5/RSA
03[TLS] sending TLS ServerKeyExchange handshake (329 bytes)
03[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
03[TLS] sending TLS CertificateRequest handshake (102 bytes)
03[TLS] sending TLS ServerHelloDone handshake (0 bytes)
03[TLS] sending TLS Handshake record (1571 bytes)
03[TLS] processing TLS Handshake record (1406 bytes)
03[TLS] received TLS Certificate handshake (1068 bytes)
03[TLS] received TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org'
03[TLS] received TLS ClientKeyExchange handshake (66 bytes)
03[TLS] received TLS CertificateVerify handshake (260 bytes)
03[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org"
03[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
03[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org"
03[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
03[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
03[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
03[CFG] crl is valid: until Sep 29 14:02:30 2013
03[CFG] certificate status is good
03[CFG] reached self-signed root ca with a path length of 0
03[TLS] verified signature with SHA1/RSA
03[TLS] processing TLS ChangeCipherSpec record (1 bytes)
03[TLS] buffering 31 bytes, 31 bytes of 69 byte TLS record received
03[TLS] buffering 38 bytes, 69 bytes of 69 byte TLS record received
03[TLS] processing buffered TLS Handshake record (64 bytes)
03[TLS] received TLS Finished handshake (12 bytes)
03[TLS] sending TLS ChangeCipherSpec record (1 bytes)
03[TLS] sending TLS Finished handshake (12 bytes)
03[TLS] sending TLS Handshake record (64 bytes)
</pre>

h3. PT-TLS Negotiation

<pre>
03[TLS] processing TLS ApplicationData record (64 bytes)
03[TNC] received PT-TLS message #0 of type 'Version Request' (20 bytes)
03[TNC] sending PT-TLS message #0 of type 'Version Response' (20 bytes)
03[TLS] sending TLS ApplicationData record (64 bytes)
03[TNC] negotiated PT-TLS version 1
</pre>

h3. TLS Certificate-based Client Authentication

<pre>
03[TNC] doing SASL client authentication
03[TNC] skipping SASL, client already authenticated by TLS certificate
03[TNC] sending PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
03[TLS] sending TLS ApplicationData record (64 bytes)
</pre>

h3. PT-TLS Transport Phase

<pre>
03[TNC] entering PT-TLS data transport phase
</pre>

h3. IF-IMV 1.4 AR Identity

<pre>
16[TLS] processing TLS ApplicationData record (320 bytes)
16[TNC] received PT-TLS message #1 of type 'PB-TNC Batch' (275 bytes)
16[TNC] assigned TNCCS Connection ID 2
16[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV] user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] assigned session ID 3
16[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
16[IMV] over IF-T for TLS 2.0 with maximum PA-TNC message size of 131024 bytes
16[IMV] user AR identity 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' authenticated by certificate
16[IMV] assigned session ID 3
16[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake'
16[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Handshake'
</pre>

<pre>
16[TNC] received TNCCS batch (39 bytes) for Connection ID 2
16[TNC] => 39 bytes @ 0x72d800
16[TNC] 0: 02 00 00 01 00 00 00 27 00 00 00 00 00 00 00 06 .......'........
16[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
16[TNC] 32: 61 67 65 3A 20 65 6E age: en
16[TNC] PB-TNC state transition from 'Init' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing PB-Language-Preference message (31 bytes)
16[TNC] setting language preference to 'en'
</pre>

<pre>
16[TNC] creating PA-TNC message with ID 0x252361d0
16[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
16[TNC] => 56 bytes @ 0x738320
16[TNC] 0: 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 04 ................
16[TNC] 16: 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 05 ................
16[TNC] 32: 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00 0C ................
16[TNC] 48: 00 00 90 2A 00 00 00 08 ...*....
16[IMV] created PA-TNC message: => 76 bytes @ 0x73b3b0
16[IMV] 0: 01 00 00 00 25 23 61 D0 00 00 00 00 00 00 00 01 ....%#a.........
16[IMV] 16: 00 00 00 44 00 00 00 00 00 00 00 02 00 00 00 00 ...D............
16[IMV] 32: 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 ................
16[IMV] 48: 00 00 00 05 00 00 00 00 00 00 00 0B 00 00 00 00 ................
16[IMV] 64: 00 00 00 0C 00 00 90 2A 00 00 00 08 .......*....
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
16[TNC] creating PB-TNC SDATA batch
16[TNC] adding PB-PA message
16[TNC] sending PB-TNC SDATA batch (108 bytes) for Connection ID 2
16[TNC] => 108 bytes @ 0x725950
16[TNC] 0: 02 80 00 02 00 00 00 6C 80 00 00 00 00 00 00 01 .......l........
16[TNC] 16: 00 00 00 64 00 00 00 00 00 00 00 01 FF FF 00 01 ...d............
16[TNC] 32: 01 00 00 00 25 23 61 D0 00 00 00 00 00 00 00 01 ....%#a.........
16[TNC] 48: 00 00 00 44 00 00 00 00 00 00 00 02 00 00 00 00 ...D............
16[TNC] 64: 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 ................
16[TNC] 80: 00 00 00 05 00 00 00 00 00 00 00 0B 00 00 00 00 ................
16[TNC] 96: 00 00 00 0C 00 00 90 2A 00 00 00 08 .......*....
16[TNC] sending PT-TLS message #2 of type 'PB-TNC Batch' (124 bytes)
16[TLS] sending TLS ApplicationData record (176 bytes)
</pre>

<pre>
02[TLS] processing TLS ApplicationData record (288 bytes)
02[TNC] received PT-TLS message #2 of type 'PB-TNC Batch' (244 bytes)
02[TNC] received TNCCS batch (228 bytes) for Connection ID 2
02[TNC] => 228 bytes @ 0x70b060
02[TNC] 0: 02 00 00 01 00 00 00 E4 80 00 00 00 00 00 00 01 ................
02[TNC] 16: 00 00 00 DC 80 00 00 00 00 00 00 01 00 01 00 01 ................
02[TNC] 32: 01 00 00 00 26 B5 99 EA 00 00 00 00 00 00 00 02 ....&...........
02[TNC] 48: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00 .....%r..Debian.
02[TNC] 64: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 30 20 ............7.0
02[TNC] 80: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03 x86_64..........
02[TNC] 96: 00 00 00 1C 00 00 00 07 00 00 00 00 00 00 00 00 ................
02[TNC] 112: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24 ...............$
02[TNC] 128: 03 01 00 00 32 30 31 33 2D 30 38 2D 33 30 54 31 ....2013-08-30T1
02[TNC] 144: 34 3A 30 32 3A 33 37 5A 00 00 00 00 00 00 00 0B 4:02:37Z........
02[TNC] 160: 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 0C ................
02[TNC] 176: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08 ...........*....
02[TNC] 192: 00 00 00 2C 61 61 62 62 63 63 64 64 65 65 66 66 ...,aabbccddeeff
02[TNC] 208: 31 31 32 32 33 33 34 34 35 35 36 36 37 37 38 38 1122334455667788
02[TNC] 224: 39 39 30 30 9900
02[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
02[TNC] processing PB-TNC CDATA batch
02[TNC] processing PB-PA message (220 bytes)
02[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[IMV] IMV 1 "OS" received message for Connection ID 2 from IMC 1 to IMV 1
02[IMV] => 196 bytes @ 0x73a420
02[IMV] 0: 01 00 00 00 26 B5 99 EA 00 00 00 00 00 00 00 02 ....&...........
02[IMV] 16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00 .....%r..Debian.
02[IMV] 32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 30 20 ............7.0
02[IMV] 48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03 x86_64..........
02[IMV] 64: 00 00 00 1C 00 00 00 07 00 00 00 00 00 00 00 00 ................
02[IMV] 80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24 ...............$
02[IMV] 96: 03 01 00 00 32 30 31 33 2D 30 38 2D 33 30 54 31 ....2013-08-30T1
02[IMV] 112: 34 3A 30 32 3A 33 37 5A 00 00 00 00 00 00 00 0B 4:02:37Z........
02[IMV] 128: 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 0C ................
02[IMV] 144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08 ...........*....
02[IMV] 160: 00 00 00 2C 61 61 62 62 63 63 64 64 65 65 66 66 ...,aabbccddeeff
02[IMV] 176: 31 31 32 32 33 33 34 34 35 35 36 36 37 37 38 38 1122334455667788
02[IMV] 192: 39 39 30 30 9900
02[TNC] processing PA-TNC message with ID 0x26b599ea
02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
02[TNC] => 11 bytes @ 0x73a434
02[TNC] 0: 00 25 72 00 00 44 65 62 69 61 6E .%r..Debian
02[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
02[TNC] => 13 bytes @ 0x73a44b
02[TNC] 0: 0A 37 2E 30 20 78 38 36 5F 36 34 00 00 .7.0 x86_64..
02[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
02[TNC] => 16 bytes @ 0x73a464
02[TNC] 0: 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 ................
02[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
02[TNC] => 24 bytes @ 0x73a480
02[TNC] 0: 03 01 00 00 32 30 31 33 2D 30 38 2D 33 30 54 31 ....2013-08-30T1
02[TNC] 16: 34 3A 30 32 3A 33 37 5A 4:02:37Z
02[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
02[TNC] => 4 bytes @ 0x73a4a4
02[TNC] 0: 00 00 00 01 ....
02[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
02[TNC] => 4 bytes @ 0x73a4b4
02[TNC] 0: 00 00 00 00 ....
02[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
02[TNC] => 32 bytes @ 0x73a4c4
02[TNC] 0: 61 61 62 62 63 63 64 64 65 65 66 66 31 31 32 32 aabbccddeeff1122
02[TNC] 16: 33 33 34 34 35 35 36 36 37 37 38 38 39 39 30 30 3344556677889900
</pre>

h3. Operating System Information

<pre>
02[IMV] operating system name is 'Debian' from vendor Debian Project
02[IMV] operating system version is '7.0 x86_64'
02[IMV] operating system numeric version is 7.0
02[IMV] operational status: operational, result: successful
02[IMV] last boot: Aug 30 14:02:37 UTC 2013
02[IMV] IPv4 forwarding is enabled
02[IMV] factory default password is disabled
</pre>

h3. Device Identity

<pre>
02[IMV] device ID is aabbccddeeff11223344556677889900
</pre>
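The values logged under "Operating System Information" and "Device Identity" can be recovered directly from the 196-byte PA-TNC message dumped by IMV 1 above. The following Python parser is an added example, not strongSwan code. It assumes the PA-TNC header and attribute layouts of RFC 5792, and the names @parse_pa_tnc@, @decode@ and @decode_message@ are chosen here for illustration.

```python
import struct
# PA-TNC message bytes copied from the 196-byte IMV dump in the log above.
PA_TNC_HEX = """
0100000026B599EA0000000000000002 00000017002572000044656269616E00
00000000000004000000190A372E3020 7838365F363400000000000000000003
0000001C000000070000000000000000 00000000000000000000000500000024
03010000323031332D30382D33305431 343A30323A33375A000000000000000B
0000001000000001000000000000000C 00000010000000000000902A00000008
0000002C616162626363646465656666 31313232333334343535363637373838
39393030"""
MESSAGE = bytes.fromhex("".join(PA_TNC_HEX.split()))

def parse_pa_tnc(msg):
    """Split a PA-TNC message into (message ID, [(vendor, type, value), ...])."""
    if len(msg) < 8 or msg[0] != 1:        # version byte must be 1
        raise ValueError("bad PA-TNC header")
    msg_id = struct.unpack_from(">I", msg, 4)[0]
    attrs, off = [], 8
    while off < len(msg):
        if len(msg) - off < 12:
            raise ValueError("truncated attribute header at offset %d" % off)
        # Flags byte + 3-byte vendor ID, 4-byte type, 4-byte length. The length
        # includes this 12-byte header and must not run past the buffer.
        vendor, atype, length = struct.unpack_from(">III", msg, off)
        if length < 12 or length > len(msg) - off:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs.append((vendor & 0xFFFFFF, atype, msg[off + 12:off + length]))
        off += length
    return msg_id, attrs

def decode(vendor, atype, v):
    """Decode the attribute types seen in this log; hex string for the rest."""
    key = (vendor, atype)
    if key == (0, 2):              # Product Information: vendor(3) product(2) name
        return v[5:].decode()
    if key == (0, 4):              # String Version: 1-byte length + version string
        return v[1:1 + v[0]].decode()
    if key == (0, 3):              # Numeric Version: major(4) minor(4) ...
        return "%d.%d" % struct.unpack_from(">II", v)
    if key == (0, 5):              # Operational Status: status, result, 2 reserved, time
        return v[0], v[1], v[4:].decode()
    if key in ((0, 11), (0, 12)):  # Forwarding Enabled / Factory Default Password Enabled
        return struct.unpack(">I", v)[0]
    if key == (0x00902A, 8):       # ITA-HSR/Device ID
        return v.decode()
    return v.hex()

def decode_message(msg):
    msg_id, attrs = parse_pa_tnc(msg)
    return msg_id, {(ven, t): decode(ven, t, val) for ven, t, val in attrs}
```

Calling @decode_message(MESSAGE)@ returns the message ID 0x26b599ea and a dictionary keyed by (vendor ID, attribute type) holding the same values the IMV logs.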

h3. Policy Manager generating Workitem List

This is strongSwan's proprietary Configuration Management Database (CMDB) interface. Based on historical client measurement data and a set of group policies, the start script generates a list of measurement workitems. In our scenario only IPv4 forwarding and SWID tags are checked.

<pre>
02[IMV] running policy script: 2>&1 TNC_SESSION_ID='3' ipsec imv_policy_manager start
02[IMV] policy: imv_policy_manager start successful
</pre>

<pre>
02[IMV] IMV 1 handles FWDEN workitem 9
02[IMV] IMV 1 handled FWDEN workitem 9: isolate - forwarding enabled
02[TNC] creating PA-TNC message with ID 0xe9845d2f
02[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
02[TNC] => 4 bytes @ 0x710b30
02[TNC] 0: 00 00 00 02 ....
02[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
02[TNC] => 81 bytes @ 0x73c150
02[TNC] 0: 00 00 00 00 00 00 00 02 00 00 00 42 49 50 20 50 ...........BIP P
02[TNC] 16: 61 63 6B 65 74 20 46 6F 72 77 61 72 64 69 6E 67 acket Forwarding
02[TNC] 32: 0A 20 20 50 6C 65 61 73 65 20 64 69 73 61 62 6C . Please disabl
02[TNC] 48: 65 20 74 68 65 20 66 6F 72 77 61 72 64 69 6E 67 e the forwarding
02[TNC] 64: 20 6F 66 20 49 50 20 70 61 63 6B 65 74 73 02 65 of IP packets.e
02[TNC] 80: 6E n
02[IMV] created PA-TNC message: => 117 bytes @ 0x738c40
02[IMV] 0: 01 00 00 00 E9 84 5D 2F 00 00 00 00 00 00 00 09 ......]/........
02[IMV] 16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
02[IMV] 32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
02[IMV] 48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
02[IMV] 64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
02[IMV] 80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
02[IMV] 96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
02[IMV] 112: 74 73 02 65 6E ts.en
02[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
02[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
02[TNC] IMV 1 is setting reason language to 'en'
02[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'
</pre>

h3. Sending SWID Request

<pre>
02[IMV] IMV 2 handles SWIDT workitem 11
02[IMV] IMV 2 issues SWID request 11
02[TNC] creating PA-TNC message with ID 0xff7d7278
02[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
02[TNC] => 12 bytes @ 0x732980
02[TNC] 0: 00 00 00 00 00 00 00 0B 00 00 00 00 ............
02[IMV] created PA-TNC message: => 32 bytes @ 0x73a100
02[IMV] 0: 01 00 00 00 FF 7D 72 78 00 00 55 97 00 00 00 11 .....}rx..U.....
02[IMV] 16: 00 00 00 18 00 00 00 00 00 00 00 0B 00 00 00 00 ................
02[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>

<pre>
02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
02[TNC] creating PB-TNC SDATA batch
02[TNC] adding PB-PA message
02[TNC] adding PB-PA message
02[TNC] sending PB-TNC SDATA batch (205 bytes) for Connection ID 2
02[TNC] => 205 bytes @ 0x6f8480
02[TNC] 0: 02 80 00 02 00 00 00 CD 80 00 00 00 00 00 00 01 ................
02[TNC] 16: 00 00 00 8D 00 00 00 00 00 00 00 01 FF FF 00 01 ................
02[TNC] 32: 01 00 00 00 E9 84 5D 2F 00 00 00 00 00 00 00 09 ......]/........
02[TNC] 48: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
02[TNC] 64: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
02[TNC] 80: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
02[TNC] 96: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
02[TNC] 112: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
02[TNC] 128: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
02[TNC] 144: 74 73 02 65 6E 80 00 00 00 00 00 00 01 00 00 00 ts.en...........
02[TNC] 160: 38 00 00 55 97 00 00 00 03 FF FF 00 02 01 00 00 8..U............
02[TNC] 176: 00 FF 7D 72 78 00 00 55 97 00 00 00 11 00 00 00 ..}rx..U........
02[TNC] 192: 18 00 00 00 00 00 00 00 0B 00 00 00 00 .............
02[TNC] sending PT-TLS message #3 of type 'PB-TNC Batch' (221 bytes)
02[TLS] sending TLS ApplicationData record (272 bytes)
</pre>

<pre>
01[TLS] processing TLS ApplicationData record (2096 bytes)
01[TNC] received PT-TLS message #3 of type 'PB-TNC Batch' (2051 bytes)
01[TNC] received TNCCS batch (2035 bytes) for Connection ID 2
01[TNC] => 2035 bytes @ 0x73aa90
01[TNC] 0: 02 00 00 01 00 00 07 F3 80 00 00 00 00 00 00 01 ................
01[TNC] 16: 00 00 07 EB 80 00 55 97 00 00 00 03 00 02 00 02 ......U.........
01[TNC] 32: 01 00 00 00 4F 00 C2 7B 00 00 55 97 00 00 00 14 ....O..{..U.....
01[TNC] 48: 00 00 07 CB 00 00 00 02 00 00 00 0B 85 55 48 98 .............UH.
01[TNC] 64: 00 00 00 01 00 00 00 00 03 E4 3C 3F 78 6D 6C 20 ..........<?xml
01[TNC] 80: 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E version="1.0" en
01[TNC] 96: 63 6F 64 69 6E 67 3D 22 75 74 66 2D 38 22 3F 3E coding="utf-8"?>
01[TNC] 112: 0A 3C 73 6F 66 74 77 61 72 65 5F 69 64 65 6E 74 .<software_ident
01[TNC] 128: 69 66 69 63 61 74 69 6F 6E 5F 74 61 67 20 78 6D ification_tag xm
01[TNC] 144: 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 6E lns="http://stan
01[TNC] 160: 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 dards.iso.org/is
01[TNC] 176: 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 30 39 2F o/19770/-2/2009/
01[TNC] 192: 73 63 68 65 6D 61 2E 78 73 64 22 3E 0A 20 20 3C schema.xsd">. <
01[TNC] 208: 65 6E 74 69 74 6C 65 6D 65 6E 74 5F 72 65 71 75 entitlement_requ
01[TNC] 224: 69 72 65 64 5F 69 6E 64 69 63 61 74 6F 72 3E 74 ired_indicator>t
01[TNC] 240: 72 75 65 3C 2F 65 6E 74 69 74 6C 65 6D 65 6E 74 rue</entitlement
01[TNC] 256: 5F 72 65 71 75 69 72 65 64 5F 69 6E 64 69 63 61 _required_indica
01[TNC] 272: 74 6F 72 3E 0A 20 20 3C 70 72 6F 64 75 63 74 5F tor>. <product_
01[TNC] 288: 74 69 74 6C 65 3E 73 74 72 6F 6E 67 53 77 61 6E title>strongSwan
01[TNC] 304: 3C 2F 70 72 6F 64 75 63 74 5F 74 69 74 6C 65 3E </product_title>
01[TNC] 320: 0A 20 20 3C 70 72 6F 64 75 63 74 5F 76 65 72 73 . <product_vers
01[TNC] 336: 69 6F 6E 3E 0A 20 20 20 20 3C 6E 61 6D 65 3E 35 ion>. <name>5
01[TNC] 352: 2E 31 2E 31 64 72 32 3C 2F 6E 61 6D 65 3E 0A 20 .1.1dr2</name>.
01[TNC] 368: 20 20 20 3C 6E 75 6D 65 72 69 63 3E 0A 20 20 20 <numeric>.
01[TNC] 384: 20 20 20 3C 6D 61 6A 6F 72 3E 35 3C 2F 6D 61 6A <major>5</maj
01[TNC] 400: 6F 72 3E 0A 20 20 20 20 20 20 3C 6D 69 6E 6F 72 or>. <minor
01[TNC] 416: 3E 31 3C 2F 6D 69 6E 6F 72 3E 0A 20 20 20 20 20 >1</minor>.
01[TNC] 432: 20 3C 62 75 69 6C 64 3E 31 3C 2F 62 75 69 6C 64 <build>1</build
01[TNC] 448: 3E 0A 20 20 20 20 20 20 3C 72 65 76 69 65 77 3E >. <review>
01[TNC] 464: 64 72 32 3C 2F 72 65 76 69 65 77 3E 0A 20 20 20 dr2</review>.
01[TNC] 480: 20 3C 2F 6E 75 6D 65 72 69 63 3E 0A 20 20 3C 2F </numeric>. </
01[TNC] 496: 70 72 6F 64 75 63 74 5F 76 65 72 73 69 6F 6E 3E product_version>
01[TNC] 512: 0A 20 20 3C 73 6F 66 74 77 61 72 65 5F 63 72 65 . <software_cre
01[TNC] 528: 61 74 6F 72 3E 0A 20 20 20 20 3C 6E 61 6D 65 3E ator>. <name>
01[TNC] 544: 73 74 72 6F 6E 67 53 77 61 6E 20 50 72 6F 6A 65 strongSwan Proje
01[TNC] 560: 63 74 3C 2F 6E 61 6D 65 3E 0A 20 20 20 20 3C 72 ct</name>. <r
01[TNC] 576: 65 67 69 64 3E 72 65 67 69 64 2E 32 30 30 34 2D egid>regid.2004-
01[TNC] 592: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 03.org.strongswa
01[TNC] 608: 6E 3C 2F 72 65 67 69 64 3E 0A 20 20 3C 2F 73 6F n</regid>. </so
01[TNC] 624: 66 74 77 61 72 65 5F 63 72 65 61 74 6F 72 3E 0A ftware_creator>.
01[TNC] 640: 20 20 3C 73 6F 66 74 77 61 72 65 5F 6C 69 63 65 <software_lice
01[TNC] 656: 6E 73 6F 72 3E 0A 20 20 20 20 3C 6E 61 6D 65 3E nsor>. <name>
01[TNC] 672: 73 74 72 6F 6E 67 53 77 61 6E 20 50 72 6F 6A 65 strongSwan Proje
01[TNC] 688: 63 74 3C 2F 6E 61 6D 65 3E 0A 20 20 20 20 3C 72 ct</name>. <r
01[TNC] 704: 65 67 69 64 3E 72 65 67 69 64 2E 32 30 30 34 2D egid>regid.2004-
01[TNC] 720: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 03.org.strongswa
01[TNC] 736: 6E 3C 2F 72 65 67 69 64 3E 0A 20 20 3C 2F 73 6F n</regid>. </so
01[TNC] 752: 66 74 77 61 72 65 5F 6C 69 63 65 6E 73 6F 72 3E ftware_licensor>
01[TNC] 768: 0A 20 20 3C 73 6F 66 74 77 61 72 65 5F 69 64 3E . <software_id>
01[TNC] 784: 0A 20 20 20 20 3C 75 6E 69 71 75 65 5F 69 64 3E . <unique_id>
01[TNC] 800: 73 74 72 6F 6E 67 53 77 61 6E 2D 35 2D 31 2D 31 strongSwan-5-1-1
01[TNC] 816: 2D 64 72 32 3C 2F 75 6E 69 71 75 65 5F 69 64 3E -dr2</unique_id>
01[TNC] 832: 0A 20 20 20 20 3C 74 61 67 5F 63 72 65 61 74 6F . <tag_creato
01[TNC] 848: 72 5F 72 65 67 69 64 3E 72 65 67 69 64 2E 32 30 r_regid>regid.20
01[TNC] 864: 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 04-03.org.strong
01[TNC] 880: 73 77 61 6E 3C 2F 74 61 67 5F 63 72 65 61 74 6F swan</tag_creato
01[TNC] 896: 72 5F 72 65 67 69 64 3E 0A 20 20 3C 2F 73 6F 66 r_regid>.
[ Incomplete diff, document too large... ]