TNC Client with PTS-IMC » History » Version 7
Version 6 (Andreas Steffen, 29.11.2011 10:39) → Version 7/69 (Andreas Steffen, 29.11.2011 10:41)
h1. Platform Trust Service Integrity Measurement Collector (PTS-IMC)
The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file:
<pre>
# ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
charonstart=yes
charondebug="tnc 3, imc 3, pts 3"
conn home
left=%any
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=start
</pre>
The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.
The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
With the command
<pre>
ipsec start
</pre>
the TNC-enabled IPsec client is started:
<pre>
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0
Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c
Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0
Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
</pre>
The file /etc/tnc_config
<pre>
IMC configuration file for strongSwan client
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
</pre>
defines which IMCs are loaded by the TNC client:
<pre>
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>
Next the IKEv2 credentials and all necessary plugins are loaded
<pre>
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
</pre>
Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
<pre>
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
</pre>
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication:
<pre>
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
</pre>
The IKEv2 EAP-TLS tunnel is set up with certificate-based server authentication
<pre>
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0
Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
followed by an EAP-MD5 client authentication
<pre>
Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
</pre>
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message
</pre>
An instance of the Attestation PTS-IMC is created which in a first step determines the client operating systen
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
</pre>
and then loads the private AIK key in the form of a TPM-encrypted binary blob
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[PTS] 0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B ............._W[
Nov 29 07:39:23 merthyr charon: 02[PTS] 48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73 s_5...)......bls
Nov 29 07:39:23 merthyr charon: 02[PTS] 64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D ._..Z..r..Q..$..
Nov 29 07:39:23 merthyr charon: 02[PTS] 80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4 .........k......
Nov 29 07:39:23 merthyr charon: 02[PTS] 96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E t.%...GfX.e..6$.
Nov 29 07:39:23 merthyr charon: 02[PTS] 112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83 n"....cx.S3.".o.
Nov 29 07:39:23 merthyr charon: 02[PTS] 128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4 .*....>..Hc.L5..
Nov 29 07:39:23 merthyr charon: 02[PTS] 144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6 .~..M.Z.c.<.c.{.
Nov 29 07:39:23 merthyr charon: 02[PTS] 160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79 s.#...0;4l<...Jy
Nov 29 07:39:23 merthyr charon: 02[PTS] 176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86 .b....{.Z.o.z...
Nov 29 07:39:23 merthyr charon: 02[PTS] 192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16 .<..:..}GU.v..a.
Nov 29 07:39:23 merthyr charon: 02[PTS] 208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25 ".2....._.g....%
Nov 29 07:39:23 merthyr charon: 02[PTS] 224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2 Q.3..E.S.,+.Y...
Nov 29 07:39:23 merthyr charon: 02[PTS] 240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E a&6...\..p.j..0.
Nov 29 07:39:23 merthyr charon: 02[PTS] 256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15 F....<.....Y.\c.
Nov 29 07:39:23 merthyr charon: 02[PTS] 272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8 .w.E.k....&<.4..
Nov 29 07:39:23 merthyr charon: 02[PTS] 288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22 ..n..n}$.n+...."
Nov 29 07:39:23 merthyr charon: 02[PTS] 304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A 5".a.(.SJ.R...Z*
Nov 29 07:39:23 merthyr charon: 02[PTS] 320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D #:.2wSD..@~j(...
Nov 29 07:39:23 merthyr charon: 02[PTS] 336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03 ...|......f.....
Nov 29 07:39:23 merthyr charon: 02[PTS] 352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26 .3.......e.8'".&
Nov 29 07:39:23 merthyr charon: 02[PTS] 368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74 .......w^....I.t
Nov 29 07:39:23 merthyr charon: 02[PTS] 384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3 .n.1....KS=.\O..
Nov 29 07:39:23 merthyr charon: 02[PTS] 400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7 2}....*.j8......
Nov 29 07:39:23 merthyr charon: 02[PTS] 416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90 .9..9..8M1..o...
Nov 29 07:39:23 merthyr charon: 02[PTS] 432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA .C...%.y].{+..=.
Nov 29 07:39:23 merthyr charon: 02[PTS] 448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25 4...5;..wV....?%
Nov 29 07:39:23 merthyr charon: 02[PTS] 464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B ....#.....*.-..;
Nov 29 07:39:23 merthyr charon: 02[PTS] 480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E .wH...1.h..3|[..
Nov 29 07:39:23 merthyr charon: 02[PTS] 496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8 ........_..h....
Nov 29 07:39:23 merthyr charon: 02[PTS] 512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A .L....E.......T*
Nov 29 07:39:23 merthyr charon: 02[PTS] 528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC .Z.x<&[...K.]...
Nov 29 07:39:23 merthyr charon: 02[PTS] 544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB .V.......V..wz.
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
</pre>
Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
<pre>
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
</pre>
The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 merthyr charon: 02[TNC] => 22 bytes @ 0x82452bc
Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-PA message
</pre>
The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the
PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 merthyr charon: 02[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 merthyr charon: 02[TNC] => 105 bytes @ 0x82669a4
Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 merthyr charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 merthyr charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 merthyr charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 merthyr charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 merthyr charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 merthyr charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 merthyr charon: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch ServerBatch is received from the TNC server
<pre>
Nov 29 07:39:23 merthyr charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 13[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 13[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x826212e
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-TNC SDATA batch
</pre>
containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 merthyr charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC message with ID 0x10fbc931
</pre>
The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
<pre>
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268da0
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268db0
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 ....
</pre>
requesting the 'PTS Protocol Capabilities' and the preferred 'PTS Measurement Algorithm'.
The connection between IPsec client *carol* and IPsec gateway *moon* is defined in the /etc/ipsec.conf file:
<pre>
# ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
charonstart=yes
charondebug="tnc 3, imc 3, pts 3"
conn home
left=%any
leftid=carol@strongswan.org
leftauth=eap
right=192.168.0.1
rightid=@moon.strongswan.org
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=start
</pre>
The debug levels for the TNC, IMC, and PTS components are increased to 3, so that HEX dumps of PB-TNC (IF-TNCCS 2.0) messages and PA-TNC (IF-M) attributes will be included in the log file.
The IKEv2 client *carol* is going to use EAP-based authentication with the user credentials being stored in the /etc/ipsec.secrets file:
<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"
</pre>
With the command
<pre>
ipsec start
</pre>
the TNC-enabled IPsec client is started:
<pre>
Nov 29 07:39:21 merthyr charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:21 merthyr charon: 00[KNL] listening on interfaces:
Nov 29 07:39:21 merthyr charon: 00[KNL] wlan0
Nov 29 07:39:21 merthyr charon: 00[KNL] 10.35.167.97
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::221:6aff:fe06:cf4c
Nov 29 07:39:21 merthyr charon: 00[KNL] umlbr0
Nov 29 07:39:21 merthyr charon: 00[KNL] 192.168.0.254
Nov 29 07:39:21 merthyr charon: 00[KNL] fe80::103c:e8ff:fec0:db34
</pre>
The file /etc/tnc_config
<pre>
IMC configuration file for strongSwan client
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so
</pre>
defines which IMCs are loaded by the TNC client:
<pre>
Nov 29 07:39:21 merthyr charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:21 merthyr charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:21 merthyr charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:21 merthyr charon: 00[TNC] added IETF attributes
Nov 29 07:39:21 merthyr charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:21 merthyr charon: 00[LIB] libimcv initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" initialized
Nov 29 07:39:21 merthyr charon: 00[TNC] added TCG attributes
Nov 29 07:39:21 merthyr charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:21 merthyr charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:21 merthyr charon: 00[LIB] libpts initialized
Nov 29 07:39:21 merthyr charon: 00[IMC] IMC 1 "Attestation" provided with bind function
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 supports 1 message type: 0x00559701
Nov 29 07:39:21 merthyr charon: 00[TNC] IMC 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>
Next the IKEv2 credentials and all necessary plugins are loaded
<pre>
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:21 merthyr charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:21 merthyr charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:21 merthyr charon: 00[DMN] loaded plugins: sha1 random gmp pkcs1 pem x509 pubkey openssl hmac revocation curl kernel-netlink socket-default eap-mschapv2 eap-md5 eap-tls eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 eap-identity resolve stroke
Nov 29 07:39:21 merthyr charon: 00[JOB] spawning 16 worker threads
</pre>
Now the IKEv2 negotiation automatically starts with the IKE_SA_INIT exchange
<pre>
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: add connection 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] left nor right host is our side, assuming left=local
Nov 29 07:39:22 merthyr charon: 04[CFG] added configuration 'home'
Nov 29 07:39:22 merthyr charon: 04[CFG] received stroke: initiate 'home'
Nov 29 07:39:22 merthyr charon: 04[IKE] initiating IKE_SA home[1] to 192.168.0.1
Nov 29 07:39:22 merthyr charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 merthyr charon: 04[NET] sending packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 merthyr charon: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.254[500]
Nov 29 07:39:22 merthyr charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
</pre>
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual EAP-TTLS only authentication:
<pre>
Nov 29 07:39:22 merthyr charon: 06[IKE] establishing CHILD_SA home
Nov 29 07:39:22 merthyr charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 merthyr charon: 06[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[IKE] server requested EAP_TTLS authentication (id 0xA8)
Nov 29 07:39:22 merthyr charon: 10[TLS] EAP_TTLS version is v0
Nov 29 07:39:22 merthyr charon: 10[IKE] allow mutual EAP-only authentication
</pre>
The IKEv2 EAP-TLS tunnel is set up with certificate-based server authentication
<pre>
Nov 29 07:39:22 merthyr charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 10[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 05[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 05[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 merthyr charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 merthyr charon: 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 merthyr charon: 15[TLS] received TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 merthyr charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 29 07:39:22 merthyr charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Nov 29 07:39:22 merthyr charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 29 07:39:22 merthyr charon: 15[CFG] crl is valid: until Dec 02 09:19:24 2011
Nov 29 07:39:22 merthyr charon: 15[CFG] certificate status is good
Nov 29 07:39:22 merthyr charon: 15[CFG] reached self-signed root ca with a path length of 0
Nov 29 07:39:22 merthyr charon: 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Nov 29 07:39:22 merthyr charon: 15[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Nov 29 07:39:23 merthyr charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 14[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:23 merthyr charon: 14[IKE] server requested EAP_IDENTITY authentication (id 0x00)
Nov 29 07:39:23 merthyr charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:23 merthyr charon: 14[ENC] generating IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 14[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
followed by an EAP-MD5 client authentication
<pre>
Nov 29 07:39:23 merthyr charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 03[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:23 merthyr charon: 03[IKE] server requested EAP_MD5 authentication (id 0x36)
Nov 29 07:39:23 merthyr charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:23 merthyr charon: 03[ENC] generating IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 03[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:23 merthyr charon: 02[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 02[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 02[IKE] server requested EAP_TNC authentication (id 0x84)
Nov 29 07:39:23 merthyr charon: 02[TLS] EAP_TNC version is v1
Nov 29 07:39:23 merthyr charon: 02[TNC] assigned TNCCS Connection ID 1
</pre>
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch is prepared
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-TNC CDATA batch
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-Language-Preference message
</pre>
An instance of the Attestation PTS-IMC is created which in a first step determines the client operating systen
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] platform is 'Ubuntu 11.10 i686'
</pre>
and then loads the private AIK key in the form of a TPM-encrypted binary blob
<pre>
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK certificate from '/home/andi/privacyca/AIK_3_Cert.der'
Nov 29 07:39:23 merthyr charon: 02[PTS] loaded AIK Blob from '/home/andi/privacyca/AIK_3_Blob.bin'
Nov 29 07:39:23 merthyr charon: 02[PTS] AIK Blob: => 559 bytes @ 0x8266b24
Nov 29 07:39:23 merthyr charon: 02[PTS] 0: 01 01 00 00 00 12 00 00 00 04 00 00 00 00 01 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 16: 01 00 02 00 00 00 0C 00 00 08 00 00 00 00 02 00 ................
Nov 29 07:39:23 merthyr charon: 02[PTS] 32: 00 00 00 00 00 00 00 00 00 01 00 E9 1C 5F 57 5B ............._W[
Nov 29 07:39:23 merthyr charon: 02[PTS] 48: 73 5F 35 15 BD AF 29 89 13 F1 F9 8D 83 62 6C 73 s_5...)......bls
Nov 29 07:39:23 merthyr charon: 02[PTS] 64: C0 5F 8B 90 5A B8 1A 72 B9 D2 51 F8 DC 24 CF 0D ._..Z..r..Q..$..
Nov 29 07:39:23 merthyr charon: 02[PTS] 80: 9E E2 0B F8 8D 11 CD B2 E5 6B CB C2 AB FA BD F4 .........k......
Nov 29 07:39:23 merthyr charon: 02[PTS] 96: 74 D2 25 B3 AE CE 47 66 58 A6 65 A4 CA 36 24 1E t.%...GfX.e..6$.
Nov 29 07:39:23 merthyr charon: 02[PTS] 112: 6E 22 A4 9F 88 C5 63 78 AD 53 33 90 22 91 6F 83 n"....cx.S3.".o.
Nov 29 07:39:23 merthyr charon: 02[PTS] 128: 8F 2A A8 98 0C 15 3E 89 19 48 63 BE 4C 35 02 F4 .*....>..Hc.L5..
Nov 29 07:39:23 merthyr charon: 02[PTS] 144: 03 7E 10 8E 4D DB 5A D1 63 9A 3C D9 63 F5 7B C6 .~..M.Z.c.<.c.{.
Nov 29 07:39:23 merthyr charon: 02[PTS] 160: 73 0F 23 05 B6 00 30 3B 34 6C 3C 10 A9 A5 4A 79 s.#...0;4l<...Jy
Nov 29 07:39:23 merthyr charon: 02[PTS] 176: 2E 62 88 E3 CC 7F 7B A7 5A E3 6F 13 7A BD BF 86 .b....{.Z.o.z...
Nov 29 07:39:23 merthyr charon: 02[PTS] 192: 1D 3C E3 12 3A 8C 0E 7D 47 55 C6 76 A9 D3 61 16 .<..:..}GU.v..a.
Nov 29 07:39:23 merthyr charon: 02[PTS] 208: 22 8A 32 C5 E7 CD 17 DB 5F A1 67 CC 1D F5 D9 25 ".2....._.g....%
Nov 29 07:39:23 merthyr charon: 02[PTS] 224: 51 01 33 1E 05 45 85 53 2E 2C 2B 1D 59 E5 FE C2 Q.3..E.S.,+.Y...
Nov 29 07:39:23 merthyr charon: 02[PTS] 240: 61 26 36 12 05 F2 5C 95 F8 70 E6 6A DB BF 30 1E a&6...\..p.j..0.
Nov 29 07:39:23 merthyr charon: 02[PTS] 256: 46 05 E6 0E 94 3C 0C C6 1C 96 B4 59 AC 5C 63 15 F....<.....Y.\c.
Nov 29 07:39:23 merthyr charon: 02[PTS] 272: 8C 77 E8 45 91 6B 8B B1 0D DB 26 3C E5 34 1C E8 .w.E.k....&<.4..
Nov 29 07:39:23 merthyr charon: 02[PTS] 288: B9 B5 6E 7F 9B 6E 7D 24 82 6E 2B 00 00 01 00 22 ..n..n}$.n+...."
Nov 29 07:39:23 merthyr charon: 02[PTS] 304: 35 22 CB 61 E6 28 B9 53 4A EB 52 10 A9 CD 5A 2A 5".a.(.SJ.R...Z*
Nov 29 07:39:23 merthyr charon: 02[PTS] 320: 23 3A DD 32 77 53 44 8D 94 40 7E 6A 28 83 9D 9D #:.2wSD..@~j(...
Nov 29 07:39:23 merthyr charon: 02[PTS] 336: 1E 1B CE 7C CE D2 8A C9 04 BE 66 A5 A1 CA E3 03 ...|......f.....
Nov 29 07:39:23 merthyr charon: 02[PTS] 352: 7F 33 97 AD EF A8 E8 83 C9 65 CA 38 27 22 8A 26 .3.......e.8'".&
Nov 29 07:39:23 merthyr charon: 02[PTS] 368: 90 B1 1E B0 AE F6 B3 77 5E E3 C8 C2 C6 49 DC 74 .......w^....I.t
Nov 29 07:39:23 merthyr charon: 02[PTS] 384: EF 6E A4 31 DF 13 12 F0 4B 53 3D 85 5C 4F 98 C3 .n.1....KS=.\O..
Nov 29 07:39:23 merthyr charon: 02[PTS] 400: 32 7D 05 EB C1 D6 2A AC 6A 38 B8 C4 D4 B7 FE B7 2}....*.j8......
Nov 29 07:39:23 merthyr charon: 02[PTS] 416: 11 39 AD 14 39 EE C2 38 4D 31 86 D9 6F 10 85 90 .9..9..8M1..o...
Nov 29 07:39:23 merthyr charon: 02[PTS] 432: 07 43 AA DF AA 25 84 79 5D 01 7B 2B B1 DB 3D CA .C...%.y].{+..=.
Nov 29 07:39:23 merthyr charon: 02[PTS] 448: 34 A5 94 B6 35 3B 87 EC 77 56 8E B4 13 DD 3F 25 4...5;..wV....?%
Nov 29 07:39:23 merthyr charon: 02[PTS] 464: 12 F9 97 CB 23 CF B8 AB D5 1C 2A D6 2D 13 85 3B ....#.....*.-..;
Nov 29 07:39:23 merthyr charon: 02[PTS] 480: D3 77 48 B8 A4 C0 31 C6 68 C0 92 33 7C 5B AA 8E .wH...1.h..3|[..
Nov 29 07:39:23 merthyr charon: 02[PTS] 496: A5 86 05 EF 99 0D CA 02 5F 96 9A 68 C3 DA A2 A8 ........_..h....
Nov 29 07:39:23 merthyr charon: 02[PTS] 512: B7 4C C6 EC 09 98 45 E7 E6 E5 DC A6 E3 B3 54 2A .L....E.......T*
Nov 29 07:39:23 merthyr charon: 02[PTS] 528: F5 5A 94 78 3C 26 5B FD D0 01 4B A4 5D B2 C2 EC .Z.x<&[...K.]...
Nov 29 07:39:23 merthyr charon: 02[PTS] 544: B6 56 A0 DB EC C8 BA 0D E9 56 EC F0 77 7A AB .V.......V..wz.
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" created a state for Connection ID 1
</pre>
Via the IF-IMC interface the PTS-IMC receives a 'Handshake' state change from the TNC client
<pre>
Nov 29 07:39:23 merthyr charon: 02[IMC] IMC 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
</pre>
The PTS-IMC generates a PA-TNC message of type TCG/PTS targeted at the remote PTS-IMV, containing a single PA-TNC attribute of type 'IETF/Product Information' with the client operating system information:
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 merthyr charon: 02[TNC] => 22 bytes @ 0x82452bc
Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
Nov 29 07:39:23 merthyr charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 merthyr charon: 02[TNC] adding PB-PA message
</pre>
The PA-TNC message is received by the TNC client via the IF-IMC SendMessage call and is inserted together with the
PB-Language-Preference message into the PB-TNC CDATA batch which is then sent via the IKEv2 EAP-TTLS tunnel to the TNC server.
<pre>
Nov 29 07:39:23 merthyr charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 merthyr charon: 02[TNC] sending PB-TNC CDATA batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 merthyr charon: 02[TNC] => 105 bytes @ 0x82669a4
Nov 29 07:39:23 merthyr charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 merthyr charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 merthyr charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 merthyr charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 merthyr charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 merthyr charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 merthyr charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 merthyr charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 merthyr charon: 02[ENC] generating IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 merthyr charon: 02[NET] sending packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
</pre>
As a response a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch ServerBatch is received from the TNC server
<pre>
Nov 29 07:39:23 merthyr charon: 13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:23 merthyr charon: 13[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 merthyr charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 merthyr charon: 13[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 merthyr charon: 13[TNC] => 72 bytes @ 0x826212e
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 merthyr charon: 13[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 merthyr charon: 13[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 merthyr charon: 13[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 merthyr charon: 13[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 merthyr charon: 13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-TNC SDATA batch
</pre>
containing a PB-PA message of type TCG/PTS to which the PTS-IMC is subscribed:
<pre>
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 merthyr charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC message with ID 0x10fbc931
</pre>
The PA-TNC message transferred via the IF-IMC interface to the PTS-IMC contains two PA-TNC attributes from the TCG/PTS namespace:
<pre>
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268da0
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 merthyr charon: 13[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 merthyr charon: 13[TNC] => 4 bytes @ 0x8268db0
Nov 29 07:39:23 merthyr charon: 13[TNC] 0: 00 00 80 00 ....
</pre>
requesting the 'PTS Protocol Capabilities' and the preferred 'PTS Measurement Algorithm'.