Trusted Network Connect (TNC) HOWTO » History » Version 38
Version 37 (Andreas Steffen, 04.08.2011 08:19) → Version 38/92 (Andreas Steffen, 04.08.2011 08:25)
{{>toc}}
h1. Trusted Network Connect (TNC) HOWTO
The "Trusted Computing Group":http://www.trustedcomputinggroup.org/ (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called "Trusted Network Connect":http://www.trustedcomputinggroup.org/developers/trusted_network_connect.
h2. Architecture
!TNC_Architecture.png!
strongSwan supports both the older XML-based "IF-TNCCS 1.1":http://www.trustedcomputinggroup.org/files/resource_files/64697C86-1D09-3519-ADE44ADD6B39B71D/TNC_IF-TNCCS_v1_1_r15.pdf "TNC Client-Server Interface" and the latest "IF-TNCCS 2.0":http://www.trustedcomputinggroup.org/files/resource_files/495CA3DD-1D09-3519-AD0043966E821ECB/IF-TNCCS_TLVBinding_v2_0_r16a.pdf "TLV Binding" but currently not the "IF-TNCCS SoH 1.0":http://www.trustedcomputinggroup.org/files/resource_files/8D2DF7F3-1D09-3519-AD76CE4433FECE07/IF-TNCCS-SOH_v1.0_r8.pdf "State of Health Protocol Bindings" used by Microsoft's Network Access Protection (NAP) framework. The new strongSwan "Test" and "Scanner" IMC/IMV pairs support the "IF-M 1.0":http://www.trustedcomputinggroup.org/files/resource_files/495862FF-1D09-3519-AD8977DC98C1167C/TNC_IFM_TLVBinding_v1_0_r37a.pdf "TLV Binding" standard.
The TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by "RFC 5793":http://tools.ietf.org/html/rfc5793 and the TCG IF-M 1.0 protocol is equivalent to the IETF "Posture Attribute (PA) Protocol Compatible with Trusted Network Connect" (PA-TNC) defined by "RFC 5792":http://tools.ietf.org/html/rfc5792. Both RFCs are part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by "RFC 5209":http://tools.ietf.org/html/rfc5209.
!NEA_Architecture_small.png!
As a transport protocol to exchange IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by "IF-T":http://www.trustedcomputinggroup.org/files/resource_files/8CC75909-1D09-3519-ADA6958AA29CF223/TNC_IFT_v1_1_r10.pdf "Protocol Bindings for Tunneled EAP Methods 1.1". EAP-TNC as an inner non-secure protocol is then encapsulated in an outer encrypted and authenticated IKEv2-EAP-TTLS tunnel.
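As an added example (not strongSwan's own code), the following Python snippet encodes and parses a PB-TNC batch, i.e. the IF-TNCCS 2.0 TLV binding described above, using the 8-byte batch header, the 12-byte message header and the standard type codes from RFC 5793. The sample batches are constructed; the parser rejects the length inconsistencies a conforming Posture Broker must treat as errors and honours the NOSKIP flag for unknown message types.

```python
import struct

# Type codes from RFC 5793 (PB-TNC); the sample batches below are constructed.
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_TYPES = {1: "PB-PA", 2: "PB-Assessment-Result", 3: "PB-Access-Recommendation",
                4: "PB-Remediation-Parameters", 5: "PB-Error",
                6: "PB-Language-Preference", 7: "PB-Reason-String"}
NOSKIP = 0x80  # flag bit: receiver must not silently skip an unknown message


def build_batch(from_server, btype, msgs):
    """Encode a PB-TNC batch: 8-byte header followed by (flags, vendor, type, value) TLVs."""
    body = b""
    for flags, vid, mtype, value in msgs:
        # Flags (8 bits) + Vendor ID (24 bits) | Message Type | Length incl. 12-byte header
        body += struct.pack("!III", (flags << 24) | vid, mtype, 12 + len(value)) + value
    # Version (8 bits) = 2, D bit (1 = sent by server), 19 reserved bits, B-Type (4 bits)
    word = (2 << 24) | (int(from_server) << 23) | (btype & 0x0F)
    return struct.pack("!II", word, 8 + len(body)) + body


def parse_batch(data):
    """Decode a batch into (batch_type_name, [(flags, vendor, type, value)]).
    Raises ValueError on anything a conforming PB-TNC peer must reject."""
    if len(data) < 8:
        raise ValueError("batch shorter than header")
    word, blen = struct.unpack("!II", data[:8])
    version, btype = word >> 24, word & 0x0F
    if version != 2:
        raise ValueError("unsupported PB-TNC version %d" % version)
    if btype not in PB_BATCH_TYPES:
        raise ValueError("unknown batch type %d" % btype)
    if blen != len(data):
        raise ValueError("batch length %d != %d bytes received" % (blen, len(data)))
    msgs, off = [], 8
    while off < blen:
        if blen - off < 12:
            raise ValueError("truncated message header")
        fv, mtype, mlen = struct.unpack("!III", data[off:off + 12])
        flags, vid = fv >> 24, fv & 0xFFFFFF
        if mlen < 12 or off + mlen > blen:
            raise ValueError("message length %d overruns batch" % mlen)
        if vid == 0 and mtype not in PB_MSG_TYPES:
            if flags & NOSKIP:
                raise ValueError("unknown message type %d with NOSKIP set" % mtype)
            off += mlen  # unknown but skippable: ignore it and continue
            continue
        msgs.append((flags, vid, mtype, data[off + 12:off + mlen]))
        off += mlen
    return PB_BATCH_TYPES[btype], msgs
```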
h2. Configuration
By activating the appropriate plugins, a strongSwan VPN Client can act as a TNC Client, and a strongSwan VPN Gateway can take on either the role of a "Policy Enforcement Point" (PEP) only, forwarding all EAP-TTLS packets via EAP-RADIUS to an external AAA server, or additionally the role of a TNC Server.
* [[TNCC|Configuration as a TNC Client]]
* [[TNCS|Configuration as a TNC Server]]
* [[PEP|Configuration as a PEP with EAP-RADIUS Interface]]
strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that adhere to the "IF-IMC 1.2":http://www.trustedcomputinggroup.org/files/resource_files/8CB977E1-1D09-3519-AD48484530EF6639/TNC_IFIMC_v1_2_r8.pdf and "IF-IMV 1.2":http://www.trustedcomputinggroup.org/files/static_page_files/646808C3-1D09-3519-AD2E60765779A42A/TNC_IFIMV_v1_2_r8.pdf interface specifications, respectively. These interfaces are implemented by the *tnc-imc* and *tnc-imv* plugins, respectively.
h2. Deployment
* *IF-TNCCS 1.1* support was first introduced in October 2010 with the strongSwan 4.5.0 release. The *tnccs-11* charon plugin originally used Mike McCauley's "libtnc":http://sourceforge.net/projects/libtnc/ library, but the code was refactored with the strongSwan 4.5.1 release to use the *tnc-imc* and *tnc-imv* plugins; it now implements the IF-TNCCS 1.1 protocol directly, reusing the *libxml* calls from Mike McCauley's code.
A strongSwan VPN Gateway configured as a PEP can connect to a FreeRADIUS server running the "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh plugin.
- "Example 1a":http://www.strongswan.org/uml/testresults/tnc/tnccs-11/: TNC Client - TNC Server with password-based EAP-MD5 client authentication
- "Example 1b":http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/: TNC Client - PEP - FreeRADIUS
* *IF-TNCCS 2.0* support was introduced in February 2011 with the strongSwan 4.5.1 release. The *tnccs-20* charon plugin was implemented by HSR master student Sansar Choinyambuu and does not make use of the libtnc library at all. Communication with IMCs and IMVs is handled by the *tnc-imc* or *tnc-imv* plugin, respectively.
- "Example 2a":http://www.strongswan.org/uml/testresults/tnc/tnccs-20/: TNC Client - TNC Server with password-based EAP-MD5 client authentication
- "Example 2b":http://www.strongswan.org/uml/testresults/tnc/tnccs-20-tls/: TNC Client - TNC Server with certificate-based EAP-TLS client authentication
* Using the *tnccs-dynamic* plugin, a strongSwan VPN gateway can act as a TNC Server handling both the *IF-TNCCS 1.1* and *IF-TNCCS 2.0* protocols by dynamically detecting the protocol version chosen by the TNC Client.
- "Example 3":http://www.strongswan.org/uml/testresults/tnc/tnccs-dynamic/: TNC Client - TNC Server with dynamic IF-TNCCS 1.1/2.0 protocol detection.
* *IF-M 1.0* support was introduced in August 2011 with the strongSwan 4.5.3 release. The strongSwan "Test" and "Scanner" IMC/IMV pairs which communicate with each other via the IF-M TLV-based protocol can be used either in conjunction with a strongSwan TNC Client or TNC Server, respectively, or as stand-alone dynamic libraries *imc-test.so*, *imc-scanner.so*, *imv-test.so*, and *imv-scanner.so* with any third party TNC Client or TNC Server product having an *IF-IMC* or *IF-IMV* interface, respectively.
h2. Certification
The *IF-IMC* interface of the strongSwan 4.5.2 TNC Client (*TNCC*) and the *IF-IMV* interface of the strongSwan 4.5.2 TNC Server (*TNCS*) were successfully "certified":http://www.trustedcomputinggroup.org/certification/tnc_certified_products_list by the Trusted Computing Group (TCG). We also participated in the May 2011 Plugfest in Chantilly, Virginia, USA, where we tested *IF-PEP* interoperability.
h2. Presentations
* TCG Members Meeting June 2011 Munich: "The strongSwan IPsec Solution with TNC Support":http://www.strongswan.org/tcg/tcg_munich_2011.pdf.