NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.

Slides:



Advertisements
Similar presentations
IETF Calsify.
Advertisements

STRAW IETF#91, Honolulu, USA. Victor Pascual Christer Holmberg.
TSVWG #1 IETF-92 (Dallas) 24 th March 2015 Gorry Fairhurst David Black WG chairs.
HIP Working Group IETF 64 Gonzalo Camarillo David Ward.
OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012.
L2VPN WG “NVO3” Meeting IETF 82 Taipei, Taiwan. Agenda Administrivia Framing Today’s Discussions (5 minutes) Cloud Networking: Framework and VPN Applicability.
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
PPSP Working Group IETF-89 London, UK 16:10-18:40, Tuesday, Webex: participation.html.
CCAMP Working Group Online Agenda and Slides at: Tools start page:
DRINKS Interim („77.5“) Reston, VA Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF.
IETF 90: NetExt WG Meeting. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet- Draft.
L3VPN WG IETF 78 09/11/ :00-15:00 Chairs: Marshall Eubanks Danny McPherson Ben Niven-Jenkins.
Dime WG Status Update IETF#81, THURSDAY, July 28, Afternoon Session I.
MPTCP – MULTIPATH TCP Interim meeting #3 20 th October 2011 audio Yoshifumi Nishida Philip Eardley.
July 27, 2009IETF NEA Meeting1 NEA Working Group IETF 75 Co-chairs: Steve Hanna
SIPCLF Working Group Spencer Dawkins Theo Zourzouvillys IETF 76 – November 2009 Hiroshima, Japan.
IETF #82 DRINKS WG Meeting Taipei, Taiwan Fri, Nov 18 th
Transport Layer Security (TLS) IETF-72, Dublin July 27, 2008 Chairs: Eric Rescorla Joseph Salowey.
EAP Method Update (EMU) IETF-79 Chairs Joe Salowey Alan DeKok.
IETF #81 DRINKS WG Meeting Québec City, QC, Canada Tue, July 26 th, 2011.
PAWS Protocol to Access White Space DB IETF 81 Gabor Bajko, Brian Rosen.
NEA Working Group IETF 80 March 29, 2011 Mar 29, 2011IETF NEA Meeting1.
Authority To Citizen Alerts IETF 81 Quebec. Note: Note Well the Note Well Any submission to the IETF intended by the Contributor for publication as all.
IETF 86 PIM wg meeting. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC.
Source Packet Routing in Networking WG (spring) IETF 91 – Honolulu Chairs: John Scudder Alvaro Retana
IETF 79 - Beijing, China1 Martini Working Group IETF 79 Beijing Chairs: Bernard Spencer
EAP Method Update (EMU) IETF-80 Chairs: Joe Salowey Alan DeKok.
Extensible Messaging and Presence Protocol (XMPP) WG Interim Meeting, Monday, January 7,
IPPM WG IETF 79. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and.
NEA Working Group IETF meeting July 27, Co-chairs: Steve Hanna
Tictoc working group Thursday, 28 July – 1720 EDT (1920 – 2120 UTC) Karen O’Donoghue and Yaakov Stein, co-chairs.
SIPREC WG, IETF# , GMT+2 John Elwell (WG co-chair) Brian Rosen (WG co-chair)
PAWS Protocol to Access White Space DB IETF 83, Paris Gabor Bajko, Brian Rosen.
CCAMP Working Group Online Agenda and Slides at: Data tracker:
Web Authorization Protocol (oauth) IETF 90, Toronto Chairs: Hannes Tschofenig, Derek Atkins Responsible AD: Kathleen Moriarty Mailing List:
Web Authorization Protocol (oauth) Hannes Tschofenig.
IETF #86 - NETCONF WG session 1 NETCONF WG IETF 86 - Orlando, FL, USA MONDAY, March 11, Bert Wijnen Mehmet Ersue.
Transport Service (TAPS) Aaron Falk
IETF DRINKS Interim Meeting (#82.5) Virtual Interim Meeting Wed, Feb 1 st p-6p UTC/9a-1p Eastern.
Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.
IETF 851 Chairs: Flemming Andreasen Miguel A. Garcia [Paul Kyzivat substitute for this meeting]
Transport Layer Security (TLS) Chairs: Eric Rescorla Joe Salowey.
IETF 89, LONDON, UK LISP Working Group. 2 Agenda and slides:  lisp.html Audio Stream 
NEA Working Group IETF meeting July 27, 2011 Jul 27, 2011IETF 81 - NEA Meeting1.
MPTCP – MULTIPATH TCP WG meeting #5 Nov 8 th & 10 th 2010 Beijing, ietf-79 Yoshifumi Nishida Philip Eardley.
DMM WG IETF 84 DMM WG Agenda & Status Tuesday, July 31 st, 2012 Jouni Korhonen, Julien Laganier.
LMAP WG IETF 92, Dallas, TX Dan Romascanu Jason Weil.
Transport Layer Security (TLS) IETF-84 Chairs: Eric Rescorla Joe Salowey.
Interface to the Routing System (IRS) BOF IETF 85, Atlanta November 2012.
IPR WG IETF 62 Minneapolis. IPR WG: Administrivia Blue sheets Scribes Use the microphones Note Well.
IETF #81 - NETCONF WG session 1 NETCONF WG IETF 81, Quebec City, Canada MONDAY, July 25, Bert Wijnen Mehmet Ersue.
3 August th IETF - San Diego, CA, USA1 SPEECHSC Eric Burger Dave Oran
Transport Layer Security (TLS) IETF 73 Thursday, November Chairs: Eric Rescorla Joe Salowey.
IETF #73 - NETMOD WG session1 NETMOD WG IETF 73, Minneapolis, MN, USA November 20, David Harrington David Partain.
Transport Layer Security (TLS) IETF-78 Chairs Joe Salowey Eric Rescorla
OPSREA Open Meeting Area Directors: Dan Romascanu and Ron Bonica Monday, March 28, 2011 Morning Session, 10:30 – 11:30, Room Barcelona/Berlin Discussion.
Agenda Behcet Sarikaya Dirk von Hugo November 2012 FMC BOF IETF
IETF #82 - NETCONF WG session 1 NETCONF WG IETF 82, Taipei, Taiwan TUESDAY, November 15, Afternoon Session III Bert Wijnen Mehmet Ersue.
NETWORK-BASED MOBILITY EXTENSIONS WG (NETEXT) July 28 th, 2011 IETF81 1.
Agenda Stig Venaas Behcet Sarikaya November 2011 Multimob WG IETF
Alternatives to Content Classification for Operator Resource Deployment (ACCORD) BOF Chairs: Gonzalo Camarillo & Pete Resnick.
Source Packet Routing in Networking WG (spring) IETF 89 – London Chairs: John Scudder Alvaro Retana
OPSAWG chairs: Scott Bradner Christopher Liljenstolpe.
Agenda Wednesday, July 29, :00 – 15:00 Congresshall B Please join the Jabber room: LEDBAT WG IETF 75.
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
MODERN Working Group IETF 97 November 14, 2016.
CAPWAP Working Group IETF 73 Minneapolis 18 Nov 2008, 17:10-18:10
SIPREC WG, Interim Meeting , GMT/UTC
SIPREC WG, Interim virtual meeting , GMT
Presentation transcript:

NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1

Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to: The IETF plenary session The IESG, or any member thereof on behalf of the IESG Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices Any IETF working group or portion thereof The IAB or any member thereof on behalf of the IAB The RFC Editor or the Internet-Drafts function All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879).RFC 5378RFC 3979RFC 4879 Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice. Please consult RFC 5378 and RFC 3979 for details.RFC 5378RFC 3979 A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements. A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public. Nov 17, 20112IETF 82 - NEA Meeting

Agenda Review 0900 Administrivia Jabber & Minute scribes Agenda bashing 0905 WG Status 0910 NEA Reference Model 0915 Discuss and Resolve WGLC PT-TLS Comments Discuss and Resolve PT-EAP Issues Discuss next steps for NEA Asokan I-D Next Steps 1130 Adjourn Nov 17, 2011IETF 82 - NEA Meeting3

WG Status TLS-based Posture Transport –WGLC on PT-TLS -01 I-D EAP-based Posture Transport –PT-EAP selected as basis for WG document –PT-EAP published as -00 I-D Nov 17, 2011IETF 82 - NEA Meeting4

NEA Reference Model Nov 17, 2011IETF 82 - NEA Meeting5

NEA Reference Model from RFC 5209 Posture Collectors Posture Validators Posture Transport Server Posture Attribute (PA) protocol Posture Broker (PB) protocol NEA ClientNEA Server Posture Transport (PT) protocols Posture Transport Client Posture Broker Client Posture Broker Server Nov 17, 20116IETF 82 - NEA Meeting

PA-TNC Within PB-TNC Within PT PT PB-TNC Header PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA) PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype= OS) PA-TNC Message PA-TNC Attribute (Type=Product Info, Product ID=Windows XP) PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3,...) Nov 17, 20117IETF 82 - NEA Meeting

8 PT-TLS WGLC Issues Paul Sangster Nancy Cam-Winget Joseph Salowey Nov 17, 2011IETF 82 - NEA Meeting

PT-TLS Working Group Last Call completed –Some open issues with proposed resolutions Nov 17, 20119IETF 82 - NEA Meeting

TLS Keepalive TLS Heartbeat provides mechanism to keep TLS session up –draft-ietf-tls-dtls-heartbeat –Should be completed before PT-TLS Proposed Resolution: revise PT-TLS draft to include optional support for TLS heartbeat Nov 17, IETF 82 - NEA Meeting

Version Negotiation “Subsequent assessments on the same session MUST use the negotiated version number and therefore SHOULD NOT send additional version negotiation messages.” Proposed Resolution: Change SHOULD NOT to MUST NOT Nov 17, IETF 82 - NEA Meeting

SASL initiation Who initiates the SASL exchange? TLS client or server Proposed Resolution: Identify use cases to be supported and expected behavior. Update draft to ensure specified operation is unambiguous. Nov 17, IETF 82 - NEA Meeting

PT Client as TLS server If PT client is the TLS server, how does it authenticate the PT server? Proposed Resolution: Require TLS mutual authentication when PT client is acting as TLS server. Nov 17, IETF 82 - NEA Meeting

Channel Bindings Would be good to bind authentication to TLS tunnel when possible –SASL GS2 mechanism provides this capability Proposed Resolution: Add text describing usage of Channel Bindings between TLS and SASL Nov 17, IETF 82 - NEA Meeting

15 PT-EAP Issues Nov 17, 2011IETF 82 - NEA Meeting Nancy Cam-Winget Paul Sangster

Status draft-ietf-nea-pt-eap-00 submitted on Aug 30, 2011 A few comments posted by one of the editors Need more reviews! Nov 17, IETF 82 - NEA Meeting

Received Comment Summary Minimize acronyms, use PT-EAP for all instances of EAP-TNC and PT-TNC –Comments include proposed updates to achieve this throughout the draft New EAP method: NEA has defined new behavior Section 1.1 remove TNC reference (e.g. the last sentence of the paragraph) Nov 17, 2011IETF 82 - NEA Meeting17

Use PT-EAP only Comment: PT-EAP defines the standalone method for carrying NEA data and specifies its bounds and usage to an EAP tunnel method. As such, I recommend that the draft stick to naming this method PT-EAP (vs. The use of both PT-EAP, EAP-TNC, and PT-TNC) Proposal: Update draft to use PT-EAP only Nov 17, 2011IETF 82 - NEA Meeting18

Abstract simplification Update the abstract to: This document specifies PT-EAP, an EAP based Posture Transport (PT) protocol designed to be used only inside an EAP tunnel method. As such, the document also describes the intended applicability of PT-EAP as well as the evaluation against the requirements defined in the NEA Requirements and PB-TNC specifications. Proposal: Update draft as suggested above Nov 17, 2011IETF 82 - NEA Meeting19

Introduction simplification Update 1 st sentence of Introduction to: This document specifies PT-EAP, an EAP based Posture Transport (PT) protocol protected by a TLS based tunnel established by an EAP tunnel method. Proposal: Update but with Steve’s suggestion to: This document specifies PT-EAP, an EAP based Posture Transport (PT) protocol protected by an outer TLS tunnel or equivalent protection. Nov 17, 2011IETF 82 - NEA Meeting20

Introduction simplification Update 2nd paragraph of Introduction to: The PT protocol in the NEA architecture is responsible for transporting PB-TNC batches (often containing PA-TNC [3] attributes) across the network between the NEA Client and NEA Server. The PT protocol must be protected by an outer TLS-based tunnel to ensure the exchanged messages are protected from a variety of threats from hostile intermediaries. Proposal: adopt changes in next draft Nov 17, 2011IETF 82 - NEA Meeting21

Introduction simplification To be consistent with a single reference of the inner method, my suggestion is to remove the 5th and 6th paragraph and replace the entire 4th paragraph with: PT-EAP is an inner EAP method designed to be used under a protected tunnel such as EAP- FAST and EAP-TTLS. Proposal: adopt changes in next draft Nov 17, 2011IETF 82 - NEA Meeting22

Remove TNC reference Section 1.1 remove TNC reference (e.g. the last sentence of the paragraph) Proposal: adopt change in next draft. If TNC needs to be noted, include in the acknowledgement “N.B. The Trusted Computing Group will also be referencing the protocol as defined in this document at the time of completion.” Nov 17, 2011IETF 82 - NEA Meeting23

Clarification on 3.1 Section 3.1: 4th paragraph, 2nd sentence seems to be a non sequitur, suggest to remove it (e.g. the sentence reading: ”Some EAP tunnel methods may provide explicit confirmation of inner method success; others may not. This is out of scope for the EAP-TNC method.”) Proposal: can discuss on the list to either clarify the sentence/paragraph or adopt above update Nov 17, 2011IETF 82 - NEA Meeting24

New EAP method Section 3.4: as NEA has changed the behavior of the method, it merits its own type and thus should be a TBD. Proposal: update in the next draft Nov 17, 2011IETF 82 - NEA Meeting25

Enforce use of EAP tunnel Section 4: language to enforce use within protected tunnel should be used, suggest wording to: “is designed and MUST run inside an EAP tunnel method” Proposal: adopt change in the next draft Nov 17, 2011IETF 82 - NEA Meeting26

Questions? Nov 17, 2011IETF 82 - NEA Meeting27

28 Disposition of NEA Asokan I-D Nov 17, 2011IETF 82 - NEA Meeting

Disposition of NEA Asokan I-D I-D provides analysis and recommendations for dealing with NEA Asokan attack Referenced by PT-TLS and PT-EAP I-Ds (Informative) Consensus to make WG document with goal to publish as Informational RFC? Nov 17, 2011IETF 82 - NEA Meeting29

Next Steps PT-TLS: –Update PT-TLS I-D after resolving WGLC issues –Issue 2 nd WGLC PT-EAP: –More WG Comments Please! –Update PT-EAP I-D and issue WGLC NEA Asokan I-D: –Publish updated version as WG document Nov 17, 2011IETF 82 - NEA Meeting30

Milestones Nov 2011Resolve issues from PT-TLS WGLC at IETF 82 Resolve open issues with PT-EAP at IETF 82 Dec 2011Publish -02 PT-TLS I-D and issue 2 nd WGLC Publish -01 PT-EAP I-D and issue WGLC Publish -00 WG I-D on NEA Asokan attack Jan 2012Send PT-TLS I-D to IESG Resolve WGLC issues on PT-EAP Resolve issues with NEA Asokan I-D Feb 2012Publish -02 PT-EAP I-D Publish -01 NEA Asokan I-D and issue WGLC Mar 2012Resolve IETF LC issues with PT-TLS I-D Resolve WGLC issues with PT-EAP and Asokan I-D Nov 17, 2011IETF 82 - NEA Meeting31

Adjourn Nov 17, IETF 82 - NEA Meeting