Version 13 - History - TNC Client with PTS-IMC - strongSwan

TNC Client with PTS-IMC » History » Version 13

Andreas Steffen, 29.11.2011 15:47
Added subtitles and TOC

-Andreas Steffen
+{{>toc}}
 Andreas Steffen
-Andreas Steffen
+h1. Platform Trust Service Integrity Measurement Collector (PTS-IMC)
 Andreas Steffen
-Andreas Steffen
+h2. Installation and Configuration
 Andreas Steffen
-Andreas Steffen
+The following steps describe the installation of the strongSwan software
-Andreas Steffen
+<pre>
-Andreas Steffen
+  tar xjf strongswan-4.6.2dr1.tar.bz2
-Andreas Steffen
+  cd strongswan-4.6.2dr1
-Andreas Steffen
+  ./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
-Andreas Steffen
+              --enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls
-Andreas Steffen
+              --enable-eap-tnc  --enable-tnccs-20 --enable-tnc-imc --enable-imc-attestation
-Andreas Steffen
+  make
-Andreas Steffen
+  [sudo] make install
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file:
-Andreas Steffen
+<pre>
-Andreas Steffen
+# ipsec.conf - strongSwan IPsec configuration file
 Andreas Steffen
-Andreas Steffen
+config setup
-Andreas Steffen
+     charondebug="tnc 3, imc 3, pts 3"
 Andreas Steffen
-Andreas Steffen
+conn home
-Andreas Steffen
+     left=%any
-Andreas Steffen
+     leftid=carol@strongswan.org
-Andreas Steffen
+     leftauth=eap
-Andreas Steffen
+     right=192.168.0.1
-Andreas Steffen
+     rightid=@moon.strongswan.org
-Andreas Steffen
+     rightsendcert=never
-Andreas Steffen
+     rightsubnet=10.1.0.0/16
-Andreas Steffen
+     auto=start
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.
 Andreas Steffen
-Andreas Steffen
+The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
-Andreas Steffen
+<pre>
-Andreas Steffen
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
 Andreas Steffen
-Andreas Steffen
+carol@strongswan.org : EAP "Ar3etTnp"
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file
-Andreas Steffen
+<pre>
-Andreas Steffen
+# strongswan.conf - strongSwan configuration file
 Andreas Steffen
-Andreas Steffen
+charon {
-Andreas Steffen
+  load = sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    eap-tnc {
-Andreas Steffen
+      protocol = tnccs-2.0
 Andreas Steffen
-Andreas Steffen
+    tnc-imc {
-Andreas Steffen
+      preferred_language = en
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+libimcv {
-Andreas Steffen
+  plugins {
-Andreas Steffen
+    imc-attestation {
-Andreas Steffen
+      aik_cert = /home/andi/privacyca/AIK_3_Cert.der
-Andreas Steffen
+      aik_blob = /home/andi/privacyca/AIK_3_Blob.bin
 Andreas Steffen
-Andreas Steffen
+      pcr17_meas   = d537d437f058136eb3d7be517dbe7647b623c619
-Andreas Steffen
+      pcr17_before = 1717171717171717171717171717171717171717
-Andreas Steffen
+      pcr17_after  = ffffffffffffffffffffffffffffffffffffffff
 Andreas Steffen
-Andreas Steffen
+      pcr18_meas   = 160d2b04d11eb225fb148615b699081869e15b6c
-Andreas Steffen
+      pcr18_before = 1818181818181818181818181818181818181818
-Andreas Steffen
+      pcr18_after  = ffffffffffffffffffffffffffffffffffffffff
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. IKEv2 Negotiation
 Andreas Steffen
-Andreas Steffen
+The command
-Andreas Steffen
+<pre>
-Andreas Steffen
+ipsec start
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+starts the TNC-enabled IPsec client:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]   wlan0
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]     10.35.167.97
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]     fe80::221:6aff:fe06:cf4c
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]   umlbr0
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]     192.168.0.254
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[KNL]     fe80::103c:e8ff:fec0:db34
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The file /etc/tnc_config
-Andreas Steffen
+<pre>
-Andreas Steffen
+IMC configuration file for strongSwan client
 Andreas Steffen
-Andreas Steffen
+IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+defines which IMCs are loaded by the TNC client:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[sha1] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_2048[gmp] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_1536[gmp] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group MODP_1024[gmp] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Next the IKEv2 credentials and all necessary plugins are loaded
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[CFG]   loaded EAP secret for carol@strongswan.org
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
-Andreas Steffen
+Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The IKEv2 EAP-TLS tunnel is set up with certificate-based server authentication
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   crl is valid: until Dec 02 09:19:24 2011
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[CFG]   reached self-signed root ca with a path length of 0
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+followed by an EAP-MD5 client authentication
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. PB-TNC Connection
 Andreas Steffen
-Andreas Steffen
+!IF-TNCCS-20-State-Diagram.png!
 Andreas Steffen
-Andreas Steffen
+The IF-TNCCS 2.0 state machine is started in the Init state, a first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared and a PB-Language-Preference message for Englisch (en) is added:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+An instance of the Attestation PTS-IMC is created which in a first step determines the client operating systen
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+and then loads the AIK certificate and the matching AIK private key, the latter in the form of a TPM-encrypted binary blob
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]    0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00  ................
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00  ................
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B  ............._W[
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73  s_5...)......bls
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D  ._..Z..r..Q..$..
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4  .........k......
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]   96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E  t.%...GfX.e..6$.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83  n"....cx.S3.".o.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4  .*....>..Hc.L5..
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6  .~..M.Z.c.<.c.{.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79  s.#...0;4l<...Jy
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86  .b....{.Z.o.z...
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16  .<..:..}GU.v..a.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25  ".2....._.g....%
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2  Q.3..E.S.,+.Y...
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E  a&6...\..p.j..0.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15  F....<.....Y.\c.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8  .w.E.k....&<.4..
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22  ..n..n}$.n+...."
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A  5".a.(.SJ.R...Z*
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D  #:.2wSD..@~j(...
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03  ...|......f.....
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26  .3.......e.8'".&
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74  .......w^....I.t
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3  .n.1....KS=.\O..
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7  2}....*.j8......
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90  .9..9..8M1..o...
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA  .C...%.y].{+..=.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25  4...5;..wV....?%
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B  ....#.....*.-..;
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E  .wH...1.h..3|[..
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8  ........_..h....
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A  .L....E.......T*
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC  .Z.x<&[...K.]...
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[PTS]  544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB     .V.......V..wz.
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC message with ID 0x569e528e
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] => 22 bytes @ 0x82452bc
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]    0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31  .....Ubuntu 11.1
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   16: 30 20 69 36 38 36                                0 i686
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-PA message
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the
-Andreas Steffen
+PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC] => 105 bytes @ 0x82669a4
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]    0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06  .......i........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75  ....Accept-Langu
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00  age: en.........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01  ..B..U..........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00  ...V.R..........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31  ..".....Ubuntu 1
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[TNC]   96: 31 2E 31 30 20 69 36 38 36                       1.10 i686
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 02[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch is received from the TNC server
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] received TNCCS batch (72 bytes) for Connection ID 1
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x826212e
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]    0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01  .......H........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]   16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01  ...@..U.........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]   32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00  .......1..U.....
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]   48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00  ..........U.....
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]   64: 00 00 00 10 00 00 80 00                          ........
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-TNC SDATA batch
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-PA message (64 bytes)
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC message with ID 0x10fbc931
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
-Andreas Steffen
+<pre>
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268da0
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]    0: 00 00 00 0E                                      ....
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268db0
-Andreas Steffen
+Nov 29 07:39:23 merthyr charon: 13[TNC]    0: 00 00 80 00                                      ....
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+requesting the 'PTS Protocol Capabilities' and the preferred 'PTS Measurement Algorithm'.

Project

General

Profile

strongSwan

TNC Client with PTS-IMC » History » Version 13