IETF Logo Mail Archive

Re: [sacm] Proposing a SACM architecture based on TNC standards

Trevor Freeman <trevorf@exchange.microsoft.com> Wed, 23 April 2014 17:04 UTC

Return-Path: <trevorf@exchange.microsoft.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2BD1A03BF for <sacm@ietfa.amsl.com>; Wed, 23 Apr 2014 10:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fADpChfd4Qbv for <sacm@ietfa.amsl.com>; Wed, 23 Apr 2014 10:04:01 -0700 (PDT)
Received: from na01-by1-obe.outbound.o365filtering.com (na01-by1-obe.ptr.o365filtering.com [64.4.22.90]) by ietfa.amsl.com (Postfix) with ESMTP id C65841A0221 for <sacm@ietf.org>; Wed, 23 Apr 2014 10:04:01 -0700 (PDT)
Received: from BL2SR01CA105.namsdf01.sdf.exchangelabs.com (10.255.109.150) by BL2SR01MB592.namsdf01.sdf.exchangelabs.com (10.255.109.163) with Microsoft SMTP Server (TLS) id 15.0.939.4; Wed, 23 Apr 2014 16:47:52 +0000
Received: from SN2FFOFD004.ffo.gbl (2a01:111:f400:7c04::23) by BL2SR01CA105.outlook.office365.com (2a01:111:e400:c01::22) with Microsoft SMTP Server (TLS) id 15.0.939.4 via Frontend Transport; Wed, 23 Apr 2014 16:47:51 +0000
Received: from hybrid.exchange.microsoft.com (131.107.159.100) by SN2FFOFD004.mail.o365filtering.com (10.111.201.41) with Microsoft SMTP Server (TLS) id 15.0.929.2 via Frontend Transport; Wed, 23 Apr 2014 16:47:51 +0000
Received: from DFM-TK5MBX15-07.exchange.corp.microsoft.com (157.54.109.46) by DFM-TK5EDG15-02.exchange.corp.microsoft.com (157.54.27.97) with Microsoft SMTP Server (TLS) id 15.0.913.17; Wed, 23 Apr 2014 09:47:48 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com (157.54.109.44) by DFM-TK5MBX15-07.exchange.corp.microsoft.com (157.54.109.46) with Microsoft SMTP Server (TLS) id 15.0.913.17; Wed, 23 Apr 2014 09:47:46 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com ([157.54.109.44]) by DFM-TK5MBX15-05.exchange.corp.microsoft.com ([169.254.5.13]) with mapi id 15.00.0913.011; Wed, 23 Apr 2014 09:47:45 -0700
From: Trevor Freeman <trevorf@exchange.microsoft.com>
To: Steve Hanna <steve@hannas.com>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] Proposing a SACM architecture based on TNC standards
Thread-Index: Ac9ds1wLt+sY5ExQRuKK+jJsi52i2gAbqEGAABE7Q+AAHX7yQAARSYCAAAUwXMA=
Date: Wed, 23 Apr 2014 16:47:45 +0000
Message-ID: <05597e97aad648769aee1c2120ad9c8d@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
References: <9df25165e0e34389af0c6fd957eb1174@BY2PR05MB550.namprd05.prod.outlook.com> <9904FB1B0159DA42B0B887B7FA8119CA5C7B72EB@AZ-FFEXMB04.global.avaya.com> <f92c3a4d89b546b9bae9e7267fc314fe@DFM-TK5MBX15-07.exchange.corp.microsoft.com> <9904FB1B0159DA42B0B887B7FA8119CA5C7C506D@AZ-FFEXMB04.global.avaya.com> <5357A43D.2040301@hannas.com>
In-Reply-To: <5357A43D.2040301@hannas.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.13]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.159.100; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(479174003)(377454003)(164054003)(13464003)(24454002)(51704005)(199002)(189002)(33646001)(81816001)(90146001)(50986002)(53806002)(65816002)(94316002)(63696004)(46102001)(85852003)(99396002)(15975445006)(56816006)(44976005)(51856002)(95416001)(97336001)(31966008)(47736002)(83072002)(80976001)(93516002)(19580395003)(95666003)(81686001)(92566001)(93136001)(94946001)(6806004)(98676001)(561944002)(81542001)(81342001)(84676001)(47446003)(56776002)(59766002)(54356002)(47976003)(54316003)(97186001)(66066001)(47776003)(49866002)(80022001)(74662001)(46406003)(77982001)(85306002)(4396001)(83322001)(76786001)(76796001)(97736001)(97756001)(15202345003)(2009001)(87266001)(23726002)(69226001)(74366001)(19580405001)(93886001)(2656002)(77096001)(20776003)(74502001)(79102001)(76482001)(74706001)(87936001)(50466002)(74876001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2SR01MB592; H:hybrid.exchange.microsoft.com; FPR:; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Exchange-Antispam-Report-Test: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
X-Forefront-PRVS: 01901B3451
X-OriginatorOrg: exchange.microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/sacm/Ce1mzHYvjI-h7SHBKoPChmr7DEg
Subject: Re: [sacm] Proposing a SACM architecture based on TNC standards
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 17:04:05 -0000

Hi Steve,

As you say, Lisa draft by itself does not preset much of a challenge. If you subtract all the things referenced but not contributed, it looks very similar to what we already have. 

Even at a high level there are some aspects which raise concerns over unnecessary complexity. For example, the need to a different protocol to query current state vs historical state? Why would a need a different protocol just because the timestamp on the data is older?

You description of what TCG did to extend the NEA protocols confirmed my suspicion on their lack of flexibility. That will have to be fixed, but it is best to better understand what SACM need first. 

If TCG want to help us instantiate the SACM architecture by contributing some work, that would be great, but unlit that happens, I don't want to count chickens.

On the subject of counting chickens, I did not understand the reference to the RFC7171. The NEA PT-EAP draft still shows up in the editors queue. 

Trevor


-----Original Message-----
From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Steve Hanna
Sent: Wednesday, April 23, 2014 4:30 AM
To: sacm@ietf.org
Subject: Re: [sacm] Proposing a SACM architecture based on TNC standards

Certainly, everyone should read BCP 78 and BCP 79 before participating in IETF discussions. That's always a good idea. And if you have a corporate policy that restricts what you can talk about in IETF, you should follow it.

I don't think that Lisa's draft presents any particular challenges. On this mailing list, we have talked about SCAP and SWIDs and many other things that haven't been contributed to IETF (at least, not yet). If you can't talk about something (because you have a patent on it or whatever), then don't!

Now on to the semi-technical content of Trevor's email:

 > It was interesting to note that the TCG protocols that  > NEA was based on had to be extended. It sounds like SACM  > may need to draft a requirements doc for NEA to close  > the gaps. Certainly the breath of the definition of SACM  > posture attributes seems much broader that what NEA can  > currently support.

The NEA protocols (which are part of the TNC architecture) were designed to be extended. We spent a lot of time and effort on making them extensible. We knew from the start that there would be a continuous stream of new attributes that people would want to get from endpoints. We even designed the system so that it's easy to have plug-in modules (Posture Collectors) on the NEA Client to gather new attributes and plug-in modules (Posture Validators) on the NEA Server to process new attributes. The PA Subtype field indicates which kind of attribute is being sent or gathered: Operating System, Anti-Virus, Firewall, etc.
TCG has defined new PA Subtypes for SWID, SCAP, and TPM attestations with new attribute types to carry the content.

I expect that SACM will come up with some new attribute types and probably also some new PA Subtypes.

Thanks,

Steve

On 4/23/2014 6:19 AM, Romascanu, Dan (Dan) wrote:
> Of course. Please, everybody, pay (again) attention to http://www.ietf.org/about/note-well.html and read (again if necessary) RFC 5378 and RFC 3979 (updated by RFC 4879).
>
> Thanks and Regards,
>
> Dan
>
>
>> -----Original Message-----
>> From: Trevor Freeman [mailto:trevorf@exchange.microsoft.com]
>> Sent: Tuesday, April 22, 2014 11:59 PM
>> To: Romascanu, Dan (Dan); Lisa Lorenzin; sacm@ietf.org
>> Subject: RE: Proposing a SACM architecture based on TNC standards
>>
>> Hi Dan,
>>
>> We will have to be careful about BCP78/9 during discussion of Lisa's draft.
>>
>> The TCG specifications themselves have not been contributed in this draft.
>>
>> Any discussion of the TCG protocols on the call would be a 
>> contribution to the IETF subject to BCP78/79.
>>
>> I for one have company policy which requires authorization to make 
>> technical contributions so I cannot discuss the TCG protocols themselves.
>>
>> It was interesting to note that the TCG protocols that NEA was based 
>> on had to be extended. It sounds like SACM may need to draft a 
>> requirements doc for NEA to close the gaps. Certainly the breath of 
>> the definition of SACM posture attributes seems much broader that 
>> what NEA can currently support.
>>
>> Trevor
>>
>> -----Original Message-----
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Romascanu, Dan
>> (Dan)
>> Sent: Tuesday, April 22, 2014 5:01 AM
>> To: Lisa Lorenzin; sacm@ietf.org
>> Subject: Re: [sacm] Proposing a SACM architecture based on TNC 
>> standards
>>
>> Hi Lisa,
>>
>> Thank you for your contribution.
>>
>> I suggest that we include this I-D on the agenda of the virtual 
>> interim meeting next week.  Best would be if you can prepare a few 
>> slides to guide us through it, but all participants are invited to 
>> read the I-D in advance and come prepared for questions, comments and discussions.
>>
>> Thanks and Regards,
>>
>> Dan
>>
>>
>>> -----Original Message-----
>>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Lisa Lorenzin
>>> Sent: Tuesday, April 22, 2014 1:46 AM
>>> To: sacm@ietf.org
>>> Subject: [sacm] Proposing a SACM architecture based on TNC standards
>>>
>>> Greetings!
>>>
>>> While reviewing the draft architecture included in the SACM 
>>> requirements document, several of us who contribute to the Trusted 
>>> Computing Group's Trusted Network Connect workgroup were struck by 
>>> its similarity to the TNC architecture.
>>>
>>> The TNC architecture is not a direct mapping to what SACM is 
>>> defining; in addition to endpoint posture checking (used by the IETF 
>>> NEA WG) and security automation interfaces, the TNC architecture 
>>> also addresses enforcement, which has been established to be out of scope for SACM.
>>> And the TNC architecture doesn't currently address content repositories.
>>> However, the TNC architecture is not monolithic; in real-world 
>>> deployments based on TNC, it's common to use the components that are 
>>> useful, ignore components that aren't relevant, and add components 
>>> to address additional use cases.
>>>
>>> Atul Shah (of Microsoft) and I, with input from our TNC colleagues, 
>>> have put together a brief overview of a possible SACM architecture, 
>>> using the TNC architecture and interfaces as a starting point, for
>> consideration:
>>>
>>> http://www.ietf.org/internet-drafts/draft-shah-sacm-tnc-architecture
>>> -0
>>> 0.txt
>>>
>>> (Full disclosure: Atul & I are the current co-chairs of the TNC WG.
>>> However, we are submitting this proposal as individuals, not as 
>>> representatives of TCG/TNC or our respective employers.)
>>>
>>>                                         Regards,
>>>
>>>                                            Lisa
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Lisa Lorenzin  /  919-384-7275  /  llorenzin@juniper.net Principal 
>>> Solutions Architect - Security & Mobility Juniper Networks  / 
>>> http://www.juniper.net/
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> sacm mailing list
>>> sacm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sacm
>>
>> _______________________________________________
>> sacm mailing list
>> sacm@ietf.org
>> https://www.ietf.org/mailman/listinfo/sacm
>
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm
>

_______________________________________________
sacm mailing list
sacm@ietf.org
https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email