TNC Server with PTS-IMV » History » Version 10

Version 9 (Andreas Steffen, 30.11.2011 15:24) → Version 10/57 (Andreas Steffen, 30.11.2011 15:38)

h1. TNC Server with PTS-IMV

This HOWTO explains in a step-by-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.

{{>toc}}

h2. Installation and Configuration

The following steps describe the installation of the strongSwan software:
<pre>
wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
            --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
            --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>

The /etc/ipsec.conf file defines an IPsec remote access policy either allowing access to the production network (rw-allow) or to a remediation network (rw-isolate):
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="tnc 3, imc 3, pts 3"

conn rw-allow
        rightgroups=allow
        leftsubnet=10.1.0.0/28
        also=rw-eap
        auto=add

conn rw-isolate
        rightgroups=isolate
        leftsubnet=10.1.0.16/28
        also=rw-eap
        auto=add

conn rw-eap
        left=192.168.0.1
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftauth=eap-ttls
        rightauth=eap-ttls
        rightid=*@strongswan.org
        rightsendcert=never
        right=%any
</pre>

The following IKEv2 charon and Attestation IMV options, among them an SQLite URI pointing to the PTS measurement database and the path to the Privacy CA certificates directory, are defined in the /etc/strongswan.conf file:

<pre>
# /etc/strongswan.conf - strongSwan configuration file

charon {
        load = curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
        plugins {
                eap-ttls {
                        phase2_method = md5
                        phase2_piggyback = yes
                        phase2_tnc = yes
                }
                eap-tnc {
                        protocol = tnccs-2.0
                }
        }
}

libimcv {
        plugins {
                imv-attestation {
                        database = sqlite:///etc/pts/config.db
                        cadir = /etc/pts/cacerts
                        hash_algorithm = sha1
                }
        }
}
</pre>

h2. IKEv2 Negotiation

h3. Startup and Initialization

The command
<pre>
ipsec start
</pre>

starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>

The file /etc/tnc_config
<pre>
#IMV configuration file for strongSwan client

IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>

defines which IMVs are loaded by the TNC server. Also the Privacy CA certificates which are required to establish trust in the AIK certificates are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>

Next, the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>

h3. IKEv2 Exchanges

The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>

followed by the IKE_AUTH exchange, in which the gateway initiates EAP-TTLS as the sole, mutual IKEv2 authentication method (EAP-only authentication, as requested by the client's N(EAP_ONLY) notify):
<pre>
Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow'
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8)
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

h3. IKEv2 EAP-TTLS Tunnel

The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:
<pre>
Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>

h3. Tunneled EAP-Identity

Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:
<pre>
Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org'
</pre>

h3. Tunneled EAP-MD5 Client Authentication

Next follows an EAP-MD5 client authentication:
<pre>
Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>

h3. Tunneled EAP-TNC Transport

Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

h2. PB-TNC/IF-TNCCS 2.0 Connection

A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received
<pre>
Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 moon charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 moon charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 moon charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch
</pre>

containing a 'PB-Language-Preference' and a 'PB-PA' message
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes)
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes)
</pre>

This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.

!IF-TNCCS-20-State-Diagram.png!

The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en'
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>

The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 moon charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
</pre>

h3. PTS Capability Discovery

The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace. SHA-1 is the only PTS measurement algorithm proposed by the PTS-IMV:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 80 00 ....
</pre>

The PB-PA message is sent in a PB-TNC SDATA (IF-TNCCS 2.0 ServerData) batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 moon charon: 02[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

As a response a PB-TNC CDATA batch is received from the TNC client
<pre>
Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch
</pre>

containing a PB-PA message with a PA message of type TCG/PTS to which the PTS-IMV is subscribed:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>

The PA-TNC message contains a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 80 00 ....
</pre>

The PTS-IMC supports the Verification (V), DH Nonce Negotiation (D) and Trusted Platform Evidence (T) PTS protocol capabilities, all of which the PTS-IMV proposed in the capabilities request. SHA-1 is also confirmed by the PTS-IMC as the PTS measurement algorithm to be used:
<pre>
Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT.
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
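The three batches dumped in this section (the first CDATA batch with the product information, the SDATA capability request and the CDATA capability response) decoded by a small Python parser. This is an added example, not strongSwan code: the PB-TNC and PA-TNC layouts follow RFC 5793 and RFC 5792, while the TCG attribute type numbers and the bit positions in the capability and measurement-algorithm words are assumptions chosen to reproduce the values the log prints (0x0E rendered as ".VDT.", 0x8000 as HASH_SHA1). The final check mirrors what the PTS-IMV has to verify at this point: the IMC may confirm only capabilities that were offered and must select exactly one of the proposed measurement algorithms.

```python
# Decoder for the PB-TNC (IF-TNCCS 2.0) batches logged above. Added example, not
# strongSwan code; TCG attribute numbers and flag-bit layouts are assumptions.
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_IETF_MSG_TYPES = {1: "PB-PA", 6: "PB-Language-Preference"}
PEN_TCG = 0x005597
TCG_PTS_ATTRS = {0x01000000: "Request PTS Protocol Capabilities",
                 0x02000000: "PTS Protocol Capabilities",
                 0x06000000: "PTS Measurement Algorithm Request",
                 0x07000000: "PTS Measurement Algorithm"}
CAP_FLAGS = (("C", 0x10), ("V", 0x08), ("D", 0x04), ("T", 0x02), ("X", 0x01))
MEAS_ALGOS = {0x8000: "HASH_SHA1", 0x4000: "HASH_SHA256", 0x2000: "HASH_SHA384"}

# Constructed from the hex dumps on this page: first CDATA batch (105 bytes),
# the IMV's SDATA capability request (72 bytes) and the IMC's CDATA reply (72 bytes).
CDATA_PRODUCT_INFO = bytes.fromhex(
    "02000001000000690000000000000006" "0000001F4163636570742D4C616E6775"
    "6167653A20656E800000000000000100" "00004200005597000000010001FFFF01"
    "000000569E528E000000000000000200" "00002200000000005562756E74752031"
    "312E31302069363836")
SDATA_CAP_REQUEST = bytes.fromhex(
    "02800002000000488000000000000001" "000000400000559700000001FFFF0001"
    "0100000010FBC9318000559701000000" "000000100000000E8000559706000000"
    "0000001000008000")
CDATA_CAP_RESPONSE = bytes.fromhex(
    "02000001000000488000000000000001" "0000004000005597000000010001FFFF"
    "010000000ED3F1F30000559702000000" "000000100000000E0000559707000000"
    "0000001000008000")


def be(b):
    return int.from_bytes(b, "big")


def _tlv_header(data, off):
    """Common 12-byte header of PB-TNC messages and PA-TNC attributes:
    Flags(8) Vendor ID(24) Type(32) Length(32, header included)."""
    if off + 12 > len(data):
        raise ValueError("truncated header at offset %d" % off)
    length = be(data[off + 8:off + 12])
    if length < 12 or off + length > len(data):
        raise ValueError("bad length %d at offset %d" % (length, off))
    return data[off], be(data[off + 1:off + 4]), be(data[off + 4:off + 8]), length


def parse_pa_tnc(data):
    """PA-TNC message: Version(8) Reserved(24) Message ID(32), then attributes."""
    if len(data) < 8 or data[0] != 1:
        raise ValueError("unsupported PA-TNC version")
    msg, off = {"id": be(data[4:8]), "attributes": []}, 8
    while off < len(data):
        flags, vendor, atype, length = _tlv_header(data, off)
        msg["attributes"].append({"noskip": bool(flags & 0x80), "vendor": vendor,
                                  "type": atype, "value": data[off + 12:off + length]})
        off += length
    return msg


def parse_pb_pa(value):
    """PB-PA body: Flags(8) PA Vendor ID(24) PA Subtype(32) Collector ID(16) Validator ID(16)."""
    return {"excl": bool(value[0] & 0x80), "vendor": be(value[1:4]), "subtype": be(value[4:8]),
            "collector_id": be(value[8:10]), "validator_id": be(value[10:12]),
            "pa_tnc": parse_pa_tnc(value[12:])}


def parse_pb_tnc_batch(data):
    """PB-TNC batch: Version(8) D(1) Reserved(19) Batch Type(4) Length(32), then messages."""
    if len(data) < 8 or data[0] != 2:
        raise ValueError("not a PB-TNC version 2 batch")
    if be(data[4:8]) != len(data):
        raise ValueError("batch length field does not match the bytes received")
    batch = {"from_server": bool(data[1] & 0x80),
             "type": PB_BATCH_TYPES.get(data[3] & 0x0F, "unknown"), "messages": []}
    off = 8
    while off < len(data):
        flags, vendor, mtype, length = _tlv_header(data, off)
        value = data[off + 12:off + length]
        msg = {"noskip": bool(flags & 0x80), "vendor": vendor, "value": value,
               "type": PB_IETF_MSG_TYPES.get(mtype) if vendor == 0 else None}
        if vendor == 0 and mtype == 1:
            msg["pb_pa"] = parse_pb_pa(value)
        batch["messages"].append(msg)
        off += length
    return batch


def product_name(value):
    """IETF Product Information: Product Vendor ID(24) Product ID(16) Product Name."""
    return value[5:].decode("utf-8")


def capabilities_string(flags):
    """Render the capability flag word the way the log does, e.g. 0x0E -> '.VDT.'."""
    return "".join(name if flags & bit else "." for name, bit in CAP_FLAGS)


def pts_attributes(batch):
    """TCG/PTS attribute name -> integer value for every PB-PA message of type TCG/PTS."""
    found = {}
    for msg in batch["messages"]:
        pa = msg.get("pb_pa")
        if pa and pa["vendor"] == PEN_TCG:
            for attr in pa["pa_tnc"]["attributes"]:
                if attr["vendor"] == PEN_TCG and attr["type"] in TCG_PTS_ATTRS:
                    found[TCG_PTS_ATTRS[attr["type"]]] = be(attr["value"])
    return found


def check_pts_negotiation(request, response):
    """IMV-side check: only offered capabilities may be confirmed and exactly one
    offered measurement algorithm may be selected. Returns what the log reports."""
    req, resp = pts_attributes(request), pts_attributes(response)
    caps, algo = resp["PTS Protocol Capabilities"], resp["PTS Measurement Algorithm"]
    if caps & ~req["Request PTS Protocol Capabilities"]:
        raise ValueError("IMC claims capabilities that were not offered: 0x%02x" % caps)
    if algo not in MEAS_ALGOS or not algo & req["PTS Measurement Algorithm Request"]:
        raise ValueError("IMC selected an algorithm that was not offered: 0x%04x" % algo)
    return capabilities_string(caps), MEAS_ALGOS[algo]
```

The length checks in _tlv_header and parse_pb_tnc_batch are the part worth keeping in mind: a batch, message or attribute whose length field overruns the bytes actually received is rejected before any value is interpreted, which is exactly where a hand-rolled TNCCS decoder otherwise reads past its buffer.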

h3. DH Nonce Parameters

The PTS-IMV creates a PA-TNC message containing a 'DH Nonce Parameters Request' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC message with ID 0xc2d18ef1
Nov 29 07:39:23 moon charon: 01[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80bdf9c
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 F0 00 ....
</pre>

The PB-PA message is sent in a PB-TNC SDATA batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 01[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 01[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 01[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 56 bytes @ 0x80a30fc
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 80 00 02 00 00 00 38 80 00 00 00 00 00 00 01 .......8........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 30 00 00 55 97 00 00 00 01 FF FF 00 01 ...0..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 C2 D1 8E F1 80 00 55 97 03 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 F0 00 ........
Nov 29 07:39:23 moon charon: 01[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 01[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>

As a response a PB-TNC CDATA batch is received from the TNC client
<pre>
Nov 29 07:39:23 moon charon: 13[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 13[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 13[TNC] received TNCCS batch (144 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] => 144 bytes @ 0x80bb0e6
Nov 29 07:39:23 moon charon: 13[TNC] 0: 02 00 00 01 00 00 00 90 80 00 00 00 00 00 00 01 ................
Nov 29 07:39:23 moon charon: 13[TNC] 16: 00 00 00 88 00 00 55 97 00 00 00 01 00 01 FF FF ......U.........
Nov 29 07:39:23 moon charon: 13[TNC] 32: 01 00 00 00 A6 9F 8B 02 00 00 55 97 04 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 13[TNC] 48: 00 00 00 68 00 00 00 14 10 00 E0 00 AA B1 9A 5C ...h...........\
Nov 29 07:39:23 moon charon: 13[TNC] 64: 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA 89 55 D3 74 .G...;.HzU...U.t
Nov 29 07:39:23 moon charon: 13[TNC] 80: DF CE B2 FB 44 16 FD 98 44 1D 79 1F 36 7A A5 67 ....D...D.y.6z.g
Nov 29 07:39:23 moon charon: 13[TNC] 96: 94 30 81 C8 38 A8 1A AD 99 55 0E 91 2F E4 36 62 .0..8....U../.6b
Nov 29 07:39:23 moon charon: 13[TNC] 112: FA C2 08 63 88 69 41 79 35 D4 64 8C 4C D4 CB E9 ...c.iAy5.d.L...
Nov 29 07:39:23 moon charon: 13[TNC] 128: 7B 5E CF 0A E0 E9 74 66 4C BB 06 3B F8 DE 96 2E {^....tfL..;....
Nov 29 07:39:23 moon charon: 13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-TNC CDATA batch
</pre>

containing a PB-PA message with a PA message of type TCG/PTS:
<pre>
Nov 29 07:39:23 moon charon: 13[TNC] processing PB-PA message (136 bytes)
Nov 29 07:39:23 moon charon: 13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>

The PA-TNC message contains a 'DH Nonce Parameters Response' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 13[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC message with ID 0xa69f8b02
Nov 29 07:39:23 moon charon: 13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Nov 29 07:39:23 moon charon: 13[TNC] => 92 bytes @ 0x80b4c38
Nov 29 07:39:23 moon charon: 13[TNC] 0: 00 00 00 14 10 00 E0 00 AA B1 9A 5C 9B 47 D0 0D ...........\.G..
Nov 29 07:39:23 moon charon: 13[TNC] 16: EF 3B F4 48 7A 55 EF DA 89 55 D3 74 DF CE B2 FB .;.HzU...U.t....
Nov 29 07:39:23 moon charon: 13[TNC] 32: 44 16 FD 98 44 1D 79 1F 36 7A A5 67 94 30 81 C8 D...D.y.6z.g.0..
Nov 29 07:39:23 moon charon: 13[TNC] 48: 38 A8 1A AD 99 55 0E 91 2F E4 36 62 FA C2 08 63 8....U../.6b...c
Nov 29 07:39:23 moon charon: 13[TNC] 64: 88 69 41 79 35 D4 64 8C 4C D4 CB E9 7B 5E CF 0A .iAy5.d.L...{^..
Nov 29 07:39:23 moon charon: 13[TNC] 80: E0 E9 74 66 4C BB 06 3B F8 DE 96 2E ..tfL..;....
</pre>

From the response the PTS-IMV takes the selected DH hash algorithm, the selected PTS DH group and the responder nonce, computes the shared DH secret and derives the secret assessment value:
<pre>
Nov 29 07:39:23 moon charon: 13[PTS] selected DH hash algorithm is HASH_SHA1
Nov 29 07:39:23 moon charon: 13[PTS] selected PTS DH group is ECP_256
Nov 29 07:39:23 moon charon: 13[PTS] nonce length is 20
Nov 29 07:39:23 moon charon: 13[PTS] initiator nonce: => 20 bytes @ 0x80be424
Nov 29 07:39:23 moon charon: 13[PTS] 0: 46 C4 11 FB 33 64 F3 27 1D 62 3D C4 83 73 AE AE F...3d.'.b=..s..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 8B 36 E4 F5 .6..
Nov 29 07:39:23 moon charon: 13[PTS] responder nonce: => 20 bytes @ 0x80bbd24
Nov 29 07:39:23 moon charon: 13[PTS] 0: AA B1 9A 5C 9B 47 D0 0D EF 3B F4 48 7A 55 EF DA ...\.G...;.HzU..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 89 55 D3 74 .U.t
Nov 29 07:39:23 moon charon: 13[PTS] shared DH secret: => 32 bytes @ 0x80c1f84
Nov 29 07:39:23 moon charon: 13[PTS] 0: 61 E8 7D D7 8C C8 DF 4E 5C 5A B7 48 75 38 0C B8 a.}....N\Z.Hu8..
Nov 29 07:39:23 moon charon: 13[PTS] 16: 2D 23 08 8E E2 D5 B9 25 04 F8 03 BA 35 9F 3A 52 -#.....%....5.:R
Nov 29 07:39:23 moon charon: 13[PTS] secret assessment value: => 20 bytes @ 0x80b2afc
Nov 29 07:39:23 moon charon: 13[PTS] 0: E1 1B 01 B4 FF 2B 56 83 24 AD AD AD 8B 7B 36 B7 .....+V.$....{6.
Nov 29 07:39:23 moon charon: 13[PTS] 16: FF CA D9 59 ...Y
</pre>
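The 92-byte 'DH Nonce Parameters Response' value dumped above, split into its fields and checked by a small Python snippet. This is an added example, not strongSwan code: the field layout, the bit assignments of the DH group and hash algorithm sets, and the x||y encoding of the ECP_256 public value are assumptions that reproduce what the log prints (nonce length 20, group 0x1000 as ECP_256, hash set 0xE000 containing HASH_SHA1). Besides the parsing it performs the checks a verifier should apply to a peer-supplied DH value before using it: the selected group was offered, the nonce is long enough, and the public value is a point on the P-256 curve, since an off-curve value must not enter the shared secret computation.

```python
# Decoder and acceptance checks for the TCG 'DH Nonce Parameters Response' attribute
# shown above. Added example, not strongSwan code; layout and bit assignments are assumed.

# NIST P-256 (IKE group 19, ECP_256): y^2 = x^3 - 3x + b over GF(p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

DH_GROUPS = {0x8000: "MODP_1024", 0x4000: "MODP_1536", 0x2000: "MODP_2048",
             0x1000: "ECP_256", 0x0800: "ECP_384"}
HASH_ALGOS = {0x8000: "HASH_SHA1", 0x4000: "HASH_SHA256", 0x2000: "HASH_SHA384"}

# Constructed from the 92-byte attribute value dumped in the log above.
DH_NONCE_PARAMS_RESPONSE = bytes.fromhex(
    "000000141000E000AAB19A5C9B47D00D" "EF3BF4487A55EFDA8955D374DFCEB2FB"
    "4416FD98441D791F367AA567943081C8" "38A81AAD99550E912FE43662FAC20863"
    "8869417935D4648C4CD4CBE97B5ECF0A" "E0E974664CBB063BF8DE962E")


def parse_dh_nonce_params_response(value):
    """Layout assumed: Reserved(24) Nonce Len(8) Selected D-H Group(16)
    Hash Algorithm Set(16) Responder Nonce(Nonce Len) Responder Public Value(rest)."""
    if len(value) < 8:
        raise ValueError("attribute too short")
    nonce_len = value[3]
    group = int.from_bytes(value[4:6], "big")
    hash_set = int.from_bytes(value[6:8], "big")
    if group not in DH_GROUPS:  # exactly one known group bit must be set
        raise ValueError("responder must select exactly one known DH group, got 0x%04x" % group)
    nonce, public = value[8:8 + nonce_len], value[8 + nonce_len:]
    if len(nonce) != nonce_len:
        raise ValueError("truncated nonce")
    return {"nonce_len": nonce_len, "group": DH_GROUPS[group],
            "hash_algos": [name for bit, name in HASH_ALGOS.items() if hash_set & bit],
            "nonce": nonce, "public_value": public}


def p256_public_value_is_valid(public):
    """x||y encoding (64 bytes): both coordinates below p and the point on the curve."""
    if len(public) != 64:
        return False
    x, y = int.from_bytes(public[:32], "big"), int.from_bytes(public[32:], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def validate_dh_nonce_params_response(value, offered_groups=tuple(DH_GROUPS.values()),
                                      min_nonce_len=20):
    """Verifier-side acceptance: group was offered, nonce long enough, public value
    well-formed for the selected group (only ECP_256 is checked here)."""
    resp = parse_dh_nonce_params_response(value)
    if resp["group"] not in offered_groups:
        raise ValueError("responder selected DH group %s that was not offered" % resp["group"])
    if resp["nonce_len"] < min_nonce_len:
        raise ValueError("responder nonce of %d bytes is too short" % resp["nonce_len"])
    if resp["group"] == "ECP_256" and not p256_public_value_is_valid(resp["public_value"]):
        raise ValueError("responder public value is not a valid ECP_256 point")
    return resp
```

The min_nonce_len default of 20 matches the nonce length negotiated in the log; a deployment that wants a longer nonce raises it here and the short-nonce path rejects the response before any DH computation takes place.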