TNC Server with PTS-IMV » History » Version 9
Version 8 (Andreas Steffen, 30.11.2011 14:27) → Version 9/57 (Andreas Steffen, 30.11.2011 15:24)
h1. TNC Server with PTS-IMV
This HOWTO explains in a step-by-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.
{{>toc}}
h2. Installation and Configuration
The following steps describe the installation of the strongSwan software:
<pre>
wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl \
            --enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc \
            --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The /etc/ipsec.conf file defines a remote access policy which either allows access to the production network (rw-allow) or confines the client to a remediation network (rw-isolate), selected via the rightgroups attribute:
<pre>
# ipsec.conf - strongSwan IPsec configuration file

config setup
  charondebug="tnc 3, imc 3, pts 3"

conn rw-allow
  rightgroups=allow
  leftsubnet=10.1.0.0/28
  also=rw-eap
  auto=add

conn rw-isolate
  rightgroups=isolate
  leftsubnet=10.1.0.16/28
  also=rw-eap
  auto=add

conn rw-eap
  left=192.168.0.1
  leftcert=moonCert.pem
  leftid=@moon.strongswan.org
  leftauth=eap-ttls
  rightauth=eap-ttls
  rightid=*@strongswan.org
  rightsendcert=never
  right=%any
</pre>
The following IKEv2 charon and Attestation IMV options are defined in the /etc/strongswan.conf file:
<pre>
# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke

  plugins {
    eap-ttls {
      phase2_method = md5
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    eap-tnc {
      protocol = tnccs-2.0
    }
  }
}

libimcv {
  plugins {
    imv-attestation {
      database = sqlite:///etc/pts/config.db
      cadir = /etc/pts/cacerts
      hash_algorithm = sha1
    }
  }
}  # TODO
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
#IMV configuration file for strongSwan server
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server. The Privacy CA certificates, which are required to establish trust in the AIK certificates presented by the clients, are loaded as well:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>
h3. IKEv2 Exchanges
The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>
followed by the IKE_AUTH exchange, in which the client requests EAP-only authentication and the gateway starts the mutual EAP-TTLS authentication:
<pre>
Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow'
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8)
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h3. IKEv2 EAP-TTLS Tunnel
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication:
<pre>
Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>
h3. Tunneled EAP-Identity
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity:
<pre>
Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org'
</pre>
h3. Tunneled EAP-MD5 Client Authentication
Next follows an EAP-MD5 client authentication:
<pre>
Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>
h3. Tunneled EAP-TNC Transport
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h2. PB-TNC/IF-TNCCS 2.0 Connection
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received:
<pre>
Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 moon charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 moon charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 moon charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch
</pre>
containing a 'PB-Language-Preference' and a 'PB-PA' message:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes)
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes)
</pre>
This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.
!IF-TNCCS-20-State-Diagram.png!
The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en'
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 moon charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
</pre>
The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 80 00 ....
</pre>
The PB-PA message is sent in a PB-TNC SDATA (ServerData) batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 moon charon: 02[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
The TNC client answers with a second PB-TNC CDATA batch:
<pre>
Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch
</pre>
which contains a single PB-PA message of type 'TCG/PTS':
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message carries the 'PTS Protocol Capabilities' and 'PTS Measurement Algorithm' attributes with which the PTS-IMC answers the two requests:
<pre>
Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 80 00 ....
</pre>
The PTS-IMV notes the protocol capabilities supported by the client and selects SHA-1 as the measurement algorithm:
<pre>
Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT.
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
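The two batches dumped above (the 105-byte CDATA batch received first and the 72-byte SDATA batch sent in reply) can be decoded from their headers alone. The following Python decoder is an added example, not part of this wiki page nor of strongSwan's code: it walks the PB-TNC batch and message headers (RFC 5793), the PB-PA wrapper, and the PA-TNC message and attribute headers (RFC 5792) over byte strings copied from the hex dumps in the log, and it decodes the two TCG/PTS attribute values exchanged above, rendering the capability flags the way the log prints them (".VDT.") and mapping the algorithm bit mask to HASH_SHA1. The TCG vendor ID 0x005597 and the PTS attribute type numbers are those printed in the log; the capability flag bit positions (C, V, D, T, X) and the measurement algorithm masks (SHA-1 0x8000, SHA-256 0x4000, SHA-384 0x2000) are assumptions taken from the TCG PTS binding.

```python
"""Decoder for the PB-TNC batches shown in the charon log (added example, not strongSwan code)."""
import struct

# Byte strings copied from the hex dumps in the log above (offset and ASCII columns dropped).
CDATA_BATCH = bytes.fromhex(
    "02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06"
    "00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75"
    "61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00"
    "00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01"
    "00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00"
    "00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31"
    "31 2E 31 30 20 69 36 38 36")
SDATA_BATCH = bytes.fromhex(
    "02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01"
    "00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01"
    "01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00"
    "00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00"
    "00 00 00 10 00 00 80 00")

BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {1: "PB-PA", 2: "PB-Assessment-Result", 3: "PB-Access-Recommendation",
                4: "PB-Remediation-Parameters", 5: "PB-Error",
                6: "PB-Language-Preference", 7: "PB-Reason-String"}
TCG_VENDOR = 0x005597                       # vendor ID printed in the log as 0x005597/0x01
PTS_ATTR_NAMES = {0x01000000: "Request PTS Protocol Capabilities",
                  0x02000000: "PTS Protocol Capabilities",
                  0x06000000: "PTS Measurement Algorithm Request",
                  0x07000000: "PTS Measurement Algorithm"}
# Assumed bit layout (TCG PTS binding): flags printed in the order C V D T X.
PROTO_CAP_FLAGS = ((0x10, "C"), (0x08, "V"), (0x04, "D"), (0x02, "T"), (0x01, "X"))
MEAS_ALGOS = ((0x8000, "HASH_SHA1"), (0x4000, "HASH_SHA256"), (0x2000, "HASH_SHA384"))


def _tlv_header(buf, off):
    """Common 12-byte header of PB-TNC messages and PA-TNC attributes:
    flags(8) | vendor ID(24) | type(32) | length(32, header included)."""
    if off + 12 > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    flags = buf[off]
    vendor = int.from_bytes(buf[off + 1:off + 4], "big")
    mtype, length = struct.unpack(">II", buf[off + 4:off + 12])
    if length < 12 or off + length > len(buf):
        raise ValueError("bad length %d at offset %d" % (length, off))
    return flags, vendor, mtype, length


def decode_proto_caps(value):
    """Render capability flags like the log does, e.g. 0x0E -> '.VDT.'."""
    return "".join(letter if value & bit else "." for bit, letter in PROTO_CAP_FLAGS)


def decode_meas_algos(value):
    return [name for bit, name in MEAS_ALGOS if value & bit]


def parse_pa_tnc(buf):
    """PA-TNC message: version(8) | reserved(24) | message ID(32) | attributes."""
    if buf[0] != 1:
        raise ValueError("unsupported PA-TNC version %d" % buf[0])
    msg = {"msg_id": struct.unpack(">I", buf[4:8])[0], "attributes": []}
    off = 8
    while off < len(buf):
        flags, vendor, atype, length = _tlv_header(buf, off)
        value = buf[off + 12:off + length]
        attr = {"noskip": bool(flags & 0x80), "vendor": vendor, "type": atype, "value": value}
        if vendor == 0 and atype == 2:          # IETF/Product Information
            attr["name"] = "Product Information"
            attr["product_vendor"] = int.from_bytes(value[0:3], "big")
            attr["product_id"] = struct.unpack(">H", value[3:5])[0]
            attr["product_name"] = value[5:].decode("utf-8")
        elif vendor == TCG_VENDOR and atype in PTS_ATTR_NAMES:
            attr["name"] = PTS_ATTR_NAMES[atype]
            word = struct.unpack(">I", value[:4])[0]
            attr["decoded"] = (decode_proto_caps(word) if atype in (0x01000000, 0x02000000)
                               else decode_meas_algos(word))
        msg["attributes"].append(attr)
        off += length
    return msg


def parse_batch(data):
    """PB-TNC batch: version(8) | D(1)+reserved(7) | reserved(8) | reserved(4)+B-Type(4) | length(32)."""
    version, dflag, _, btype, length = struct.unpack(">BBBBI", data[:8])
    if version != 2:
        raise ValueError("unsupported PB-TNC version %d" % version)
    if length != len(data):
        raise ValueError("batch length %d does not match %d received bytes" % (length, len(data)))
    batch = {"from_server": bool(dflag & 0x80), "type": BATCH_TYPES.get(btype & 0x0F, "unknown"),
             "messages": []}
    off = 8
    while off < length:
        flags, vendor, mtype, mlen = _tlv_header(data, off)
        body = data[off + 12:off + mlen]
        msg = {"noskip": bool(flags & 0x80), "vendor": vendor, "type": mtype, "length": mlen,
               "name": PB_MSG_TYPES.get(mtype, "unknown") if vendor == 0 else "vendor-specific"}
        if vendor == 0 and mtype == 6:          # PB-Language-Preference carries an Accept-Language string
            msg["value"] = body.decode("ascii")
        elif vendor == 0 and mtype == 1:        # PB-PA: flags(8) | PA vendor(24) | subtype(32) | collector(16) | validator(16)
            msg["pa_vendor"] = int.from_bytes(body[1:4], "big")
            msg["pa_subtype"], msg["collector"], msg["validator"] = struct.unpack(">IHH", body[4:12])
            msg["pa"] = parse_pa_tnc(body[12:])
        batch["messages"].append(msg)
        off += mlen
    return batch


if __name__ == "__main__":
    for raw in (CDATA_BATCH, SDATA_BATCH):
        b = parse_batch(raw)
        print(b["type"], "from server" if b["from_server"] else "from client",
              [m["name"] for m in b["messages"]])
```

The length checks in the batch and TLV headers are the part worth keeping when adapting this: a batch whose declared length disagrees with the bytes actually received, or a message length that runs past the end of the batch, is rejected before any value is interpreted.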
This HOWTO explains in a step-for-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.
{{>toc}}
h2. Installation and Configuration
The following steps describe the installation of the strongSwan software
<pre>
wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
--enable-eap-identity --enable-eap-md5 --enable-eap-ttls --enable-eap-tnc
--enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The /etc/ipsec.conf file defines an IPsec a remote access policy either allowing access to the production network (rw-allow) or to a remediation network (rw-isolate): template:
<pre>
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=192.168.0.1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any
</pre>
The following IKEv2 charon and Attestation IMC options are defined in the /etc/strongswan.conf file
<pre>
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
plugins {
imv-attestation {
database = sqlite:///etc/pts/config.db
cadir = /etc/pts/cacerts
hash_algorithm = sha1
}
}
} /* TODO */
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
IMV configuration file for strongSwan client
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server. Also the Privacy CA certificates which are required to establish trust in the AIK certificates are loaded:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next the IKEv2 credentials, all necessary plugins and the IPsec connection definitions are loaded
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>
h3. IKEv2 Exchanges
The IPsec gateway *moon* is passively waiting for IPsec clients to initiate an IKEv2 negotiation starting with an IKE_SA_INIT exchange:
<pre>
Nov 29 07:39:22 moon charon: 16[NET] received packet: from 192.168.0.254[500] to 192.168.0.1[500]
Nov 29 07:39:22 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[IKE] 192.168.0.254 is initiating an IKE_SA
Nov 29 07:39:22 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 29 07:39:22 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.254[500]
</pre>
followed by the IKE_AUTH exchange where the IKEv2 gateway proposes a mutual IKEv2 EAP-TTLS only authentication:
<pre>
Nov 29 07:39:22 moon charon: 08[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Nov 29 07:39:22 moon charon: 08[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.254[carol@strongswan.org]
Nov 29 07:39:22 moon charon: 08[CFG] selected peer config 'rw-allow'
Nov 29 07:39:22 moon charon: 08[IKE] initiating EAP_TTLS method (id 0xA8)
Nov 29 07:39:22 moon charon: 08[IKE] peer supports MOBIKE
Nov 29 07:39:22 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 08[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h3. IKEv2 EAP-TTLS Tunnel
The IKEv2 EAP-TTLS tunnel is set up with certificate-based server authentication
<pre>
Nov 29 07:39:22 moon charon: 09[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'signature algorithms' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'elliptic curves' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'ec point formats' extension
Nov 29 07:39:22 moon charon: 09[TLS] received TLS 'server name' extension
Nov 29 07:39:22 moon charon: 09[TLS] negotiated TLS version TLS 1.2 with suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Nov 29 07:39:22 moon charon: 09[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org'
Nov 29 07:39:22 moon charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 09[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 06[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 06[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 06[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 05[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 05[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
</pre>
h3. Tunneled EAP-Identity
Via the IKEv2 EAP-TTLS tunnel the server requests the EAP client identity
<pre>
Nov 29 07:39:22 moon charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Nov 29 07:39:22 moon charon: 05[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 05[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 04[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Nov 29 07:39:22 moon charon: 04[IKE] received EAP identity 'carol@strongswan.org'
</pre>
h3. Tunneled EAP-MD5 Client Authentication
Next follows an EAP-MD5 client authentication
<pre>
Nov 29 07:39:22 moon charon: 04[IKE] phase2 method EAP_MD5 selected
Nov 29 07:39:22 moon charon: 04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
Nov 29 07:39:22 moon charon: 04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 04[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
Nov 29 07:39:22 moon charon: 03[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:22 moon charon: 03[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Nov 29 07:39:22 moon charon: 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
Nov 29 07:39:22 moon charon: 03[IKE] EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful
</pre>
h3. Tunneled EAP-TNC Transport
Now the EAP-TNC transport protocol connecting the TNC client with the TNC server is started:
<pre>
Nov 29 07:39:22 moon charon: 03[IKE] phase2 method EAP_TNC selected
Nov 29 07:39:22 moon charon: 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:22 moon charon: 03[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Nov 29 07:39:22 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
h2. PB-TNC/IF-TNCCS 2.0 Connection
A first PB-TNC CDATA (IF-TNCCS 2.0 ClientData) batch from the TNC client is received:
<pre>
Nov 29 07:39:23 moon charon: 02[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 02[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 02[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 02[TNC] assigned TNCCS Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" created a state for Connection ID 1
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Nov 29 07:39:23 moon charon: 02[TNC] received TNCCS batch (105 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 105 bytes @ 0x80ba6b6
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 .......i........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
Nov 29 07:39:23 moon charon: 02[TNC] 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 42 00 00 55 97 00 00 00 01 00 01 FF FF 01 ..B..U..........
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 ...V.R..........
Nov 29 07:39:23 moon charon: 02[TNC] 80: 00 00 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 ..".....Ubuntu 1
Nov 29 07:39:23 moon charon: 02[TNC] 96: 31 2E 31 30 20 69 36 38 36 1.10 i686
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-TNC CDATA batch
</pre>
containing a 'PB-Language-Preference' and a 'PB-PA' message:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-Language-Preference message (31 bytes)
Nov 29 07:39:23 moon charon: 02[TNC] processing PB-PA message (66 bytes)
</pre>
This causes a new TNCCS connection to be instantiated on the TNC server. Its IF-TNCCS 2.0 state machine immediately transitions from the Init to the ServerWorking state.
!IF-TNCCS-20-State-Diagram.png!
The language preference is set to English (en) and the PB-PA message is forwarded to the PTS-IMV which subscribed to this PA message type:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] setting language preference to 'en'
Nov 29 07:39:23 moon charon: 02[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message contains an 'IETF/Product Information' attribute which carries information about the operating system the PTS-IMC is running on:
<pre>
Nov 29 07:39:23 moon charon: 02[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC message with ID 0x569e528e
Nov 29 07:39:23 moon charon: 02[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Nov 29 07:39:23 moon charon: 02[TNC] => 22 bytes @ 0x80b4d20
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 .....Ubuntu 11.1
Nov 29 07:39:23 moon charon: 02[TNC] 16: 30 20 69 36 38 36 0 i686
</pre>
The PTS-IMV creates a PA-TNC message containing a 'Request PTS Protocol Capabilities' and a 'PTS Measurement Algorithm Request' attribute from the TCG namespace:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC message with ID 0x10fbc931
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfd54
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 02[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Nov 29 07:39:23 moon charon: 02[TNC] => 4 bytes @ 0x80bfe3c
Nov 29 07:39:23 moon charon: 02[TNC] 0: 00 00 80 00 ....
</pre>
The PB-PA message is sent in a PB-TNC SDATA (ServerData) batch to the TNC client:
<pre>
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x01
Nov 29 07:39:23 moon charon: 02[TNC] creating PB-TNC SDATA batch
Nov 29 07:39:23 moon charon: 02[TNC] adding PB-PA message
Nov 29 07:39:23 moon charon: 02[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Nov 29 07:39:23 moon charon: 02[TNC] sending PB-TNC SDATA batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 02[TNC] => 72 bytes @ 0x80b65c4
Nov 29 07:39:23 moon charon: 02[TNC] 0: 02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 02[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 FF FF 00 01 ...@..U.........
Nov 29 07:39:23 moon charon: 02[TNC] 32: 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 .......1..U.....
Nov 29 07:39:23 moon charon: 02[TNC] 48: 00 00 00 10 00 00 00 0E 80 00 55 97 06 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 02[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 02[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/TNC]
Nov 29 07:39:23 moon charon: 02[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Nov 29 07:39:23 moon charon: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.254[4500]
</pre>
The TNC client answers with a second PB-TNC CDATA batch, which returns the state machine to 'Server Working':
<pre>
Nov 29 07:39:23 moon charon: 01[NET] received packet: from 192.168.0.254[4500] to 192.168.0.1[4500]
Nov 29 07:39:23 moon charon: 01[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Nov 29 07:39:23 moon charon: 01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC]
Nov 29 07:39:23 moon charon: 01[TNC] received TNCCS batch (72 bytes) for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] => 72 bytes @ 0x80be80e
Nov 29 07:39:23 moon charon: 01[TNC] 0: 02 00 00 01 00 00 00 48 80 00 00 00 00 00 00 01 .......H........
Nov 29 07:39:23 moon charon: 01[TNC] 16: 00 00 00 40 00 00 55 97 00 00 00 01 00 01 FF FF ...@..U.........
Nov 29 07:39:23 moon charon: 01[TNC] 32: 01 00 00 00 0E D3 F1 F3 00 00 55 97 02 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 48: 00 00 00 10 00 00 00 0E 00 00 55 97 07 00 00 00 ..........U.....
Nov 29 07:39:23 moon charon: 01[TNC] 64: 00 00 00 10 00 00 80 00 ........
Nov 29 07:39:23 moon charon: 01[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-TNC CDATA batch
</pre>
This batch contains a single 'PB-PA' message of type 'TCG/PTS', which is again handed to the PTS-IMV:
<pre>
Nov 29 07:39:23 moon charon: 01[TNC] processing PB-PA message (64 bytes)
Nov 29 07:39:23 moon charon: 01[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x01
</pre>
The PA-TNC message from the PTS-IMC carries a 'PTS Protocol Capabilities' and a 'PTS Measurement Algorithm' attribute answering the two requests:
<pre>
Nov 29 07:39:23 moon charon: 01[IMV] IMV 1 "Attestation" received message type 0x00559701 for Connection ID 1
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC message with ID 0x0ed3f1f3
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be670
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 00 0E ....
Nov 29 07:39:23 moon charon: 01[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Nov 29 07:39:23 moon charon: 01[TNC] => 4 bytes @ 0x80be680
Nov 29 07:39:23 moon charon: 01[TNC] 0: 00 00 80 00 ....
</pre>
From these attributes the PTS-IMV derives the protocol capabilities supported by the PTS-IMC and selects the measurement hash algorithm:
<pre>
Nov 29 07:39:23 moon charon: 01[PTS] supported PTS protocol capabilities: .VDT.
Nov 29 07:39:23 moon charon: 01[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>
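To make the hex dumps above readable, here is a small parser for the PB-TNC batch, PB-TNC message, PB-PA and PA-TNC attribute headers (RFC 5793 and RFC 5792) that decodes both the CDATA batch received from the client and the SDATA batch sent by the server. This is an added example written for this page, not strongSwan code; the hex input is copied from the charon log above, the type-name tables are limited to the values that appear on this page, and the mapping of the capability bits to the letters C, V, D, T, X is an assumption chosen so that 0x0E renders as '.VDT.' like the log. Every declared length is checked against the bytes actually present before it is used, which is the check a TNC server must make on data coming from an untrusted client.

```python
"""PB-TNC / PA-TNC batch decoder (added example, not strongSwan code)."""
import struct

TCG_PTS_VENDOR = 0x005597  # TCG vendor ID, as shown in the charon log

BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {1: "PB-PA", 2: "PB-Assessment-Result", 3: "PB-Access-Recommendation",
                5: "PB-Error", 6: "PB-Language-Preference", 7: "PB-Reason-String"}
IETF_ATTR_TYPES = {2: "IETF/Product Information", 6: "IETF/PA-TNC Error", 7: "IETF/Assessment Result"}
PTS_ATTR_TYPES = {0x01000000: "TCG/Request PTS Protocol Capabilities",
                  0x02000000: "TCG/PTS Protocol Capabilities",
                  0x06000000: "TCG/PTS Measurement Algorithm Request",
                  0x07000000: "TCG/PTS Measurement Algorithm"}
PTS_CAP_LETTERS = "CVDTX"              # assumption: bit i <-> letter i, so 0x0E renders as '.VDT.'
PTS_HASH_ALGS = {0x8000: "HASH_SHA1"}  # only the value that occurs on this page

# Constructed input: the CDATA and SDATA batches exactly as hex-dumped in the log above
CDATA_HEX = ("02 00 00 01 00 00 00 69 00 00 00 00 00 00 00 06 00 00 00 1F 41 63 63 65 70 74 2D 4C"
             " 61 6E 67 75 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 00 00 42 00 00 55 97"
             " 00 00 00 01 00 01 FF FF 01 00 00 00 56 9E 52 8E 00 00 00 00 00 00 00 02 00 00 00"
             " 22 00 00 00 00 00 55 62 75 6E 74 75 20 31 31 2E 31 30 20 69 36 38 36")
SDATA_HEX = ("02 80 00 02 00 00 00 48 80 00 00 00 00 00 00 01 00 00 00 40 00 00 55 97 00 00 00 01"
             " FF FF 00 01 01 00 00 00 10 FB C9 31 80 00 55 97 01 00 00 00 00 00 00 10 00 00 00 0E"
             " 80 00 55 97 06 00 00 00 00 00 00 10 00 00 80 00")


def unhex(dump):
    return bytes.fromhex(dump.replace(" ", ""))


def decode_attribute(vendor, atype, value):
    """Decode the attribute values seen in this HOWTO; anything else is returned as raw hex."""
    if vendor == 0 and atype == 2 and len(value) >= 5:        # IETF/Product Information
        return {"product_vendor": int.from_bytes(value[:3], "big"),
                "product_id": int.from_bytes(value[3:5], "big"),
                "product_name": value[5:].decode("utf-8", "replace")}
    if vendor == TCG_PTS_VENDOR and len(value) == 4:
        word = struct.unpack("!I", value)[0]
        if atype in (0x01000000, 0x02000000):                  # protocol capability flag word
            return "".join(c if word & (1 << i) else "." for i, c in enumerate(PTS_CAP_LETTERS))
        if atype in (0x06000000, 0x07000000):                  # measurement algorithm flag word
            return PTS_HASH_ALGS.get(word, hex(word))
    return value.hex()


def parse_pa_tnc(body):
    """PA-TNC message (RFC 5792): version(8) reserved(24) identifier(32), then TLV attributes."""
    if len(body) < 8:
        raise ValueError("truncated PA-TNC message")
    msg = {"version": body[0], "identifier": struct.unpack("!I", body[4:8])[0], "attributes": []}
    pos = 8
    while pos < len(body):
        if len(body) - pos < 12:
            raise ValueError("truncated PA-TNC attribute header")
        word0, atype, alen = struct.unpack("!III", body[pos:pos + 12])  # flags(8)+vendor(24), type, length
        vendor = word0 & 0xFFFFFF
        if alen < 12 or pos + alen > len(body):  # declared length must cover header and stay in bounds
            raise ValueError("PA-TNC attribute length %d out of bounds" % alen)
        value = body[pos + 12:pos + alen]
        names = IETF_ATTR_TYPES if vendor == 0 else PTS_ATTR_TYPES if vendor == TCG_PTS_VENDOR else {}
        msg["attributes"].append({"noskip": bool(word0 & 0x80000000), "vendor": vendor,
                                  "type": names.get(atype, "0x%06x/0x%08x" % (vendor, atype)),
                                  "decoded": decode_attribute(vendor, atype, value)})
        pos += alen
    return msg


def parse_pb_pa(value):
    """PB-PA body (RFC 5793): flags(8) vendor(24) subtype(32) collector(16) validator(16) + PA-TNC."""
    if len(value) < 12:
        raise ValueError("truncated PB-PA message")
    word0, subtype, collector, validator = struct.unpack("!IIHH", value[:12])
    return {"exclusive": bool(word0 & 0x80000000), "vendor": word0 & 0xFFFFFF, "subtype": subtype,
            "collector_id": collector, "validator_id": validator, "pa_tnc": parse_pa_tnc(value[12:])}


def parse_batch(data):
    """PB-TNC batch (RFC 5793): version(8) D(1) reserved(19) type(4) length(32), then messages."""
    if len(data) < 8:
        raise ValueError("truncated PB-TNC batch header")
    length = struct.unpack("!I", data[4:8])[0]
    if length != len(data):
        raise ValueError("batch length %d does not match %d bytes received" % (length, len(data)))
    batch = {"version": data[0], "from_server": bool(data[1] & 0x80),
             "type": BATCH_TYPES.get(data[3] & 0x0F, "unknown"), "length": length, "messages": []}
    pos = 8
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated PB-TNC message header")
        word0, mtype, mlen = struct.unpack("!III", data[pos:pos + 12])
        vendor = word0 & 0xFFFFFF
        if mlen < 12 or pos + mlen > len(data):
            raise ValueError("PB-TNC message length %d out of bounds" % mlen)
        value = data[pos + 12:pos + mlen]
        msg = {"noskip": bool(word0 & 0x80000000), "vendor": vendor,
               "type": PB_MSG_TYPES.get(mtype, str(mtype)) if vendor == 0 else "vendor-specific"}
        if vendor == 0 and mtype == 6:        # PB-Language-Preference carries an Accept-Language string
            msg["value"] = value.decode("utf-8", "replace")
        elif vendor == 0 and mtype == 1:      # PB-PA wraps a PA-TNC message for an IMC/IMV pair
            msg["pa"] = parse_pb_pa(value)
        else:
            msg["value"] = value.hex()
        batch["messages"].append(msg)
        pos += mlen
    return batch


if __name__ == "__main__":
    for name, dump in (("CDATA", CDATA_HEX), ("SDATA", SDATA_HEX)):
        print(name, parse_batch(unhex(dump)))
```

Running the script prints both batches as nested dictionaries: the CDATA batch yields the 'Accept-Language: en' preference and the 'IETF/Product Information' attribute with product name 'Ubuntu 11.10 i686' (collector ID 1, validator ID 0xFFFF, PA-TNC identifier 0x569e528e), and the SDATA batch yields the two TCG/PTS request attributes, with 0x0000000E decoded to '.VDT.' and 0x00008000 to HASH_SHA1, mirroring the two [PTS] log lines.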