1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
|
Internet Engineering Task Force (IETF) P. Sangster
Request for Comments: 6876 Symantec Corporation
Category: Standards Track N. Cam-Winget
ISSN: 2070-1721 J. Salowey
Cisco Systems
February 2013
A Posture Transport Protocol over TLS (PT-TLS)
Abstract
This document specifies PT-TLS, a TLS-based Posture Transport (PT)
protocol. The PT-TLS protocol carries the Network Endpoint
Assessment (NEA) message exchange under the protection of a Transport
Layer Security (TLS) secured tunnel.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6876.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Sangster, et al. Standards Track [Page 1]
^L
RFC 6876 PT-TLS February 2013
Table of Contents
1. Introduction ....................................................3
1.1. Prerequisites ..............................................4
1.2. Message Diagram Conventions ................................4
1.3. Conventions Used in This Document ..........................4
1.4. Compatibility with Other Specifications ....................4
2. Design Considerations ...........................................5
2.1. Benefits of TCP/IP Connectivity ............................5
2.2. Leveraging Proven TLS Security .............................6
2.3. TLV-Based Message Encapsulation ............................6
2.4. No Change to Base TLS Protocol .............................6
3. PT-TLS Protocol .................................................7
3.1. Initiating a PT-TLS Session ................................8
3.1.1. Issues with Server-Initiated PT-TLS Sessions ........8
3.1.2. Establish or Re-Use Existing PT-TLS Session .........9
3.2. TCP Port Usage .............................................9
3.3. Preventing MITM Attacks with Channel Bindings ..............9
3.4. PT-TLS Message Flow .......................................10
3.4.1. Assessment Triggers ................................10
3.4.2. PT-TLS Message Exchange Phases .....................11
3.4.2.1. TLS Setup Phase ...........................12
3.4.2.2. PT-TLS Negotiation Phase ..................13
3.4.2.3. PT-TLS Data Transport Phase ...............14
3.4.3. TLS Requirements ...................................14
3.5. PT-TLS Message Format .....................................15
3.6. IETF Namespace PT-TLS Message Types .......................18
3.7. PT-TLS Version Negotiation ................................20
3.7.1. Version Request Message ............................21
3.7.2. Version Response Message ...........................22
3.8. Client Authentication Using SASL ..........................22
3.8.1. SASL Client Authentication Requirements ............23
3.8.2. SASL in PT-TLS Overview ............................24
3.8.3. SASL Authentication Flow ...........................24
3.8.4. Aborting SASL Authentication .......................25
3.8.5. Linkages to SASL Framework .........................25
3.8.5.1. SASL Service Name .........................25
3.8.5.2. SASL Authorization Identity ...............25
3.8.5.3. SASL Security Layer .......................25
3.8.5.4. Multiple Authentications ..................25
3.8.6. SASL Channel Bindings ..............................25
3.8.7. SASL Mechanisms ....................................26
3.8.8. SASL Mechanism Selection ...........................26
3.8.9. SASL Authentication Data ...........................27
3.8.10. SASL Result .......................................28
3.9. Error Message .............................................29
Sangster, et al. Standards Track [Page 2]
^L
RFC 6876 PT-TLS February 2013
4. Security Considerations ........................................32
4.1. Trust Relationships .......................................32
4.1.1. Posture Transport Client ...........................33
4.1.2. Posture Transport Server ...........................34
4.2. Security Threats and Countermeasures ......................35
4.2.1. Message Theft ......................................35
4.2.2. Message Fabrication ................................36
4.2.3. Message Modification ...............................36
4.2.4. Denial of Service ..................................37
4.2.5. NEA Asokan Attacks .................................37
4.2.6. Trust Anchors ......................................38
5. Privacy Considerations .........................................38
6. IANA Considerations ............................................38
6.1. Designated Expert Guidelines ..............................39
6.2. Registry for PT-TLS Message Types .........................40
6.3. Registry for PT-TLS Error Codes ...........................41
7. Acknowledgments ................................................41
8. References .....................................................42
8.1. Normative References ......................................42
8.2. Informative References ....................................43
1. Introduction
The NEA architecture [RFC5209] defines a system for communicating
posture between a client, where it is collected, and server, where it
is assessed. Posture is configuration and/or status of hardware or
software on an endpoint as it pertains to an organization's security
policy. This document specifies PT-TLS, a TLS-based Posture
Transport (PT) protocol protected by a TLS channel.
NEA protocols are intended to be used for pre-admission assessment of
endpoints joining the network and to assess endpoints already present
on the network. In order to support both usage models, two different
types (or bindings) of PT protocols are necessary to operate before
and after the endpoint has an assigned IP address and other network-
layer information. This specification focuses on the PT protocol
used to assess endpoints already present on the network and thus is
able to use TCP/IP-based transport protocols. NEA has defined
another protocol called PT-EAP [PT-EAP] to address assessment prior
to the endpoint having an assigned IP address.
The Posture Transport protocol in the NEA architecture [RFC5209] is
responsible for transporting Posture Broker (PB-TNC [RFC5793])
batches, often containing Posture Attributes (PA-TNC [RFC5792]) over
the network between the Posture Transport Client component of the NEA
Client and the Posture Transport Server component of the NEA Server.
Sangster, et al. Standards Track [Page 3]
^L
RFC 6876 PT-TLS February 2013
The PT protocol also offers strong security protections to ensure
that the exchanged messages are protected from a variety of threats
from hostile intermediaries.
1.1. Prerequisites
This document does not define an architecture or reference model.
Instead, it defines one binding of the PT protocol that works within
the reference model described in the NEA Overview and Requirements
specification [RFC5209]. The reader is assumed to be thoroughly
familiar with [RFC5209]. The NEA working group compared the
functionality described in this specification with the requirements
in [RFC5209] and found that each applicable requirement was
addressed.
1.2. Message Diagram Conventions
This specification defines the syntax of PT-TLS messages using
diagrams. Each diagram depicts the format and size of each field in
bits. Implementations MUST send the bits in each diagram as they are
shown, traversing the diagram from top to bottom and then from left
to right within each line (which represents a 32-bit quantity).
Multi-byte fields representing numeric values must be sent in network
(big endian) byte order.
Bit field (e.g., flag) values are described referring to the position
of the bit within the field. These bit positions are numbered from
the most significant bit through the least significant bit, so a
one-octet field with only bit 0 set has the value 0x80.
1.3. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119 [RFC2119].
1.4. Compatibility with Other Specifications
One of the goals of the NEA effort is to deliver a single set of
endpoint assessment standards, agreed upon by all parties. For this
reason, the authors understand that the Trusted Computing Group (TCG)
will be replacing its existing posture transport protocols with new
versions that are equivalent to and interoperable with the NEA
specifications.
Sangster, et al. Standards Track [Page 4]
^L
RFC 6876 PT-TLS February 2013
2. Design Considerations
This section discusses some of the key design considerations for the
PT protocol. This document specifies the PT binding for use when
performing an assessment or reassessment after the endpoint has been
admitted to the network and is capable of using TCP/IP to communicate
with the NEA Server. If the endpoint does not yet have TCP/IP-layer
access to the NEA Server (and vice versa), the endpoint can use the
PT-EAP (Posture Transport (PT) Protocol for Extensible Authentication
Protocol (EAP) Tunnel Methods) protocol when performing an
assessment.
Because the endpoint has TCP/IP access to the NEA Server (potentially
on a restricted portion of the network), the NEA Client and NEA
Server have the ability to establish (or re-use) a reliable TCP/IP
connection in order to perform the assessment. The TCP/IP connection
enables the assessment to occur over a relatively high-performance,
reliable channel capable of supporting multiple roundtrip message
exchanges in a full-duplex manner. These connection properties are
very different from what is available when the endpoint is initially
joining the network (e.g., during an 802.1X-based assessment);
therefore, the design described in this specification follows a
different path to maximize the benefits of the underlying TCP/IP
connection.
2.1. Benefits of TCP/IP Connectivity
The PT protocol over TLS is typically able to offer to the NEA Client
and NEA Server significantly higher quality of service and
flexibility of operation than PT-EAP. However, there may be some
added risks when the endpoint is on the network prior to its initial
assessment (if no admission time assessment had been performed).
Because of these risks, the combined use of an EAP-based assessment
during admission followed by reassessment using TCP/IP may be
appropriate in some environments.
Some of the benefits to having a TCP/IP-based transport during an
assessment include:
o Full-Duplex Connectivity - used to support asynchronous initiation
of posture exchanges within a single TLS connection (e.g.,
triggered by alerts of posture or policy changes)
o High Bandwidth - potentially much higher bandwidth than other
transports (e.g., EAP), allowing more in-band data (e.g.,
remediation, verbose posture information)
Sangster, et al. Standards Track [Page 5]
^L
RFC 6876 PT-TLS February 2013
o Large Messages - ability to send very large Posture Attribute
messages without directly fragmenting them (underlying carrier
protocol may introduce fragmentation)
o Bidirectional - NEA Client and NEA Server can initiate an
assessment or reassessment
o Multiple Roundtrips - NEA Client and NEA Server can exchange
numerous messages without fear of infrastructure timeouts.
However, the entire exchange should be kept as brief as possible
if the user has to wait for its completion.
2.2. Leveraging Proven TLS Security
All PT protocol bindings must be capable of providing strong
authentication, integrity, and confidentiality protection for the
PB-TNC batches. Rather than define a new protocol over TCP/IP to
provide adequate protection, this specification requires the use of
Transport Layer Security [RFC5246] to secure the connection. TLS was
selected because it's a widely deployed protocol with parallel
protections to a number of the EAP tunnel methods, and it meets all
of the security requirements.
2.3. TLV-Based Message Encapsulation
The design of the PT-TLS protocol is based upon the use of a
type-length-value (TLV)-oriented protocol message that identifies the
type of message, the message's length, and a potentially variable-
length payload value. The use of a TLV-oriented encoding was chosen
to match the Internet standard PA-TNC and PB-TNC protocols. Because
the PA-TNC, PB-TNC, and PT-TLS protocols are typically implemented
inside the same process space, this allows a common set of message-
parsing code to be used. Similarly, creation of debugging tools is
simplified by the common encoding methodologies. TLV-based encoding
was used in each of the NEA protocols in part because it enables a
very space-efficient representation on the network and is simpler to
parse than some other encodings to benefit lower-powered (or battery
constrained) devices.
2.4. No Change to Base TLS Protocol
During the design of the PT-TLS protocol, several approaches were
considered with different costs and benefits. Several considered
approaches involved integrating the PT protocol into the TLS
handshake protocol. Because the PT protocol requires the underlying
TLS carrier to provide security protections, the PT protocol couldn't
operate before the cipher suites were negotiated and in use. One
option was to integrate into the TLS handshake protocol after the
Sangster, et al. Standards Track [Page 6]
^L
RFC 6876 PT-TLS February 2013
ChangeCipherSpec phase, allowing the PT message to be protected. The
benefit of this approach is that the assessment protocol could
operate below the application protocols, allowing for easier
integration into applications. However, making this change would
require some extensions to the TLS handshake protocol standards and
existing widely deployed TLS implementations, so it wasn't clear that
the cost was warranted, particularly because the application
independence can also be offered by a shim library between the
application and TLS library that provides the PT protocol
encapsulation/decapsulation.
The other general approach considered was to have PT-TLS layer on top
of TLS as an application protocol (using the standard
application_data ContentType). This has the advantage that existing
TLS software could be used. However, the PB-TNC traffic would need
to be encapsulated/decapsulated by a new PT-TLS protocol layer before
being passed to the TLS library. This didn't seem like a significant
issue, as PB-TNC is architected to layer on PT anyway.
After considering the different options, it was determined that
layering the PT protocol on top of the TLS protocol without requiring
current TLS protocol implementations to change met all the
requirements and offered the best path toward rapid adoption and
deployment. Therefore, the following sections describe a PT protocol
that is carried on top of TLS.
3. PT-TLS Protocol
This section specifies the PT-TLS protocol, a Posture Transport (PT)
protocol carried by the Transport Layer Security (TLS) protocol over
a TCP/IP network. As shown in Figure 1, this protocol runs directly
on top of TLS as an application. This means PT-TLS is encapsulated
within the TLS Record Layer protocol using the standard ContentType
for applications (application_data).
+---------------------------------------------------------------+
| TLV Encapsulation of PB-PA message |
+---------------------------------------------------------------+
| TLS |
+---------------------------------------------------------------+
| TCP |
+---------------------------------------------------------------+
Figure 1. PT-TLS Layering Model
Sangster, et al. Standards Track [Page 7]
^L
RFC 6876 PT-TLS February 2013
3.1. Initiating a PT-TLS Session
The PT-TLS protocol may be initiated by a Posture Transport Client or
a Posture Transport Server. This flexibility supports different use
cases. For example, a Posture Transport Client that wishes to
trigger a NEA assessment to determine whether its security posture is
good can start up a PT-TLS session and request a posture assessment.
On the other hand, when an endpoint requests access to a protected
network or resource, a Posture Transport Server can start up a PT-TLS
session and perform a posture assessment before deciding whether to
grant access.
The party that initiates a PT-TLS session is known as the "PT-TLS
Initiator". The other party in the session (which receives the
request to open a PT-TLS session) is known as the "PT-TLS Responder".
3.1.1. Issues with Server-Initiated PT-TLS Sessions
In order for a NEA Server to establish a PT-TLS session, the NEA
Client needs to be listening for a connection request on a TCP port
known by the NEA Server. In many deployments, the security policies
of an endpoint (e.g., firewall software) or the security policies of
a network (e.g., firewall devices) are designed to minimize the
number of open inbound TCP/UDP ports that are available to the
network to reduce the potential attack footprint. This is one issue
that makes it difficult for a NEA Server to initiate a PT-TLS
session.
Another issue with this scenario involves X.509 certificates. When
the NEA Server creates a TLS session to the NEA Client, the NEA
Client is effectively acting as the TLS server during the TLS
protocol exchange. This means the NEA Client would typically need to
possess an X.509 certificate to protect the initial portion of the
TLS handshake. In situations where the NEA Server initiates the
creation of the TLS session, both the NEA Client and NEA Server MUST
possess X.509 certificates to fully authenticate the session. For
many deployments, provisioning X.509 certificates to all NEA Clients
has scalability and cost issues; therefore, it is recommended that
the NEA Client not listen for connection requests from the NEA Server
but instead establish and maintain a TLS session to the NEA Server
proactively, so either party can initiate an assessment using the
preexisting TLS session as required.
In most cases, the traditional methods of server certificate ID
validation will not apply when the NEA Server initiates the
connection. In this case, the NEA Client and Server need to follow
the certificate path validation rules in RFC 5280 [RFC5280]. In
Sangster, et al. Standards Track [Page 8]
^L
RFC 6876 PT-TLS February 2013
addition, each side needs to be able to authorize its peer based upon
matching Subject and SubjectAltName fields for certificates issued by
a particular trust anchor.
Therefore, NEA Clients SHOULD be capable of establishing and holding
open a TLS session with the NEA Server immediately after obtaining
network access. A NEA Client MAY listen for connection requests from
the NEA Server and establish a new PT-TLS session when one does not
already exist. Because of the potential added complexity, a NEA
Client's support for accepting inbound PT-TLS connections is optional
to implement. Having an existing PT-TLS session allows either party
to initiate an assessment without requiring the NEA Client to be
listening for new connection requests. In order to keep the TLS
session alive, the NEA Client and NEA Server SHOULD be capable of
supporting the TLS heartbeat protocol [RFC6520].
3.1.2. Establish or Re-Use Existing PT-TLS Session
A single PT-TLS session can support multiple NEA assessments, which
can be started by either party (the PT-TLS Initiator or the PT-TLS
Responder). The party that starts a NEA assessment is known as the
"assessment initiator", and the other party is known as the
"assessment responder".
If the assessment initiator already has a PT-TLS session to the
assessment responder, the initiator can re-use this session;
otherwise, a new PT-TLS session needs to be established.
3.2. TCP Port Usage
In order for a PT-TLS Initiator to establish a TCP connection to a
PT-TLS Responder, the initiator needs to know the TCP port number on
which the responder is listening for assessment requests. The IANA
has reserved TCP port number 271 for use by "pt-tls".
3.3. Preventing MITM Attacks with Channel Bindings
As described in "The Network Endpoint Assessment (NEA) Asokan Attack
Analysis" [RFC6813], a sophisticated Man-in-the-Middle (MITM) attack
can be mounted against NEA systems. The attacker forwards PA-TNC
messages from a healthy machine through an unhealthy one so that the
unhealthy machine can gain network access. Because there are easier
attacks on NEA systems, like having the unhealthy machine lie about
its configuration, this attack is generally only mounted against
machines with an External Measurement Agent (EMA). The EMA is a
separate entity, difficult to compromise, that measures and attests
to the configuration of the endpoint.
Sangster, et al. Standards Track [Page 9]
^L
RFC 6876 PT-TLS February 2013
To protect against NEA Asokan attacks, the Posture Broker Client on
an EMA-equipped endpoint should pass the tls-unique channel binding
[RFC5929] for PT-TLS's underlying TLS session to the EMA. This value
can then be included in the EMA's attestation, and the Posture
Validator responsible for communicating with the EMA may then confirm
that the value matches the tls-unique channel binding for its end of
the connection. If the values match, the posture sent by the EMA and
NEA Client is from the same endpoint as the client side of the TLS
connection (since the endpoint knows the tls-unique value), so no
man-in-the-middle is forwarding posture. If they differ, the Asokan
attack has been detected. The Posture Validator MUST fail its
verification of the endpoint if the Asokan attack has been detected.
3.4. PT-TLS Message Flow
This section discusses the general flow of messages between the NEA
Client's Posture Transport Client and the NEA Server's Posture
Transport Server in order to perform NEA assessments using the PT-TLS
protocol.
3.4.1. Assessment Triggers
Initially, the NEA Client or NEA Server will decide that an
assessment is needed. What stimulates the decision to perform an
assessment is outside the scope of this specification, but some
examples include:
o NEA Server becoming aware of suspicious behavior on an endpoint
o NEA Server receiving new policies requiring immediate action
o NEA Client noticing a change in local security posture
o NEA Client wishing to access a protected network or resource
Because either the NEA Client or NEA Server can trigger the
establishment of the TLS session and initiate the assessment, this
document will use the terms "assessment initiator" and "assessment
responder". This nomenclature allows either NEA component to fill
either of the PT-TLS roles.
Sangster, et al. Standards Track [Page 10]
^L
RFC 6876 PT-TLS February 2013
3.4.2. PT-TLS Message Exchange Phases
The PT-TLS message exchange occurs in three distinct phases:
o TLS Setup (including TLS handshake protocol)
o PT-TLS Negotiation
o PT-TLS Data Transport
The TLS Setup phase is responsible for the establishment of the TCP
connection and the TLS protections for the PT-TLS messages. The TLS
Setup phase starts with the establishment of a TCP connection between
the Posture Transport Client and Posture Transport Server. The new
connection triggers the TLS server to start the TLS handshake
protocol to establish the cryptographic protections for the session.
Once the TLS Setup phase has completed (after the TLS Finished
messages), the TLS session MUST NOT be renegotiated. TLS session
renegotiation MAY be used before the TLS Setup phase ends and the
PT-TLS Negotiation phase begins. This phase also enables the
establishment of the tls-unique shared secret. The tls-unique shared
secret can later be used by the PA protocol to protect against some
forms of man-in-the-middle attacks.
The PT-TLS Negotiation phase is only performed at the start of the
first assessment on a TLS session. During this phase, the NEA Client
and NEA Server discover each other's PT-TLS capabilities and
establish a context that will apply to all future PT-TLS messages
sent over the TLS session. The PT-TLS Negotiation phase MUST NOT be
repeated after the session has entered the Data Transport phase. NEA
assessment messages (PB-TNC batches) MUST NOT be sent by the NEA
Client or NEA Server prior to the completion of the PT-TLS
Negotiation phase to ensure that the security protections for the
session are properly established and applied to the NEA assessment
messages.
Finally, the Data Transport phase allows the NEA Client and NEA
Server to exchange PT messages under the protection of the TLS
session consistent with the capabilities established in earlier
phases. The exchanged messages can be a PT-TLS protected NEA
assessment as described in this specification or other vendor-defined
PT-TLS exchanged messages.
Sangster, et al. Standards Track [Page 11]
^L
RFC 6876 PT-TLS February 2013
3.4.2.1. TLS Setup Phase
After a new TCP connection is established between the Posture
Transport Client and Posture Transport Server, a standard TLS
exchange is performed to negotiate a common security context for
protecting subsequent communications. As discussed in Section 3.1,
the TCP connection establishment and/or the TLS handshake protocol
could be initiated by either the NEA Client or NEA Server. The most
common situation would be for the assessment initiator to trigger the
creation of the TCP connection and TLS handshake, so an assessment
could begin when no session already exists. When the NEA Server has
initiated the TLS Setup, the NEA Server is acting as a TLS client and
the NEA Client is the TLS server (accepting the inbound TLS session
request). The expected normal case is that the NEA Client initiates
this phase, so that the NEA Server is acting as the TLS server and
therefore the bootstrapping of the security of the TLS session is
using the NEA Server's certificate. Having the NEA Client initiate
the TLS session avoids the need for the NEA Client to also possess a
certificate.
During the TLS Setup phase of PT-TLS, the PT-TLS Initiator contacts
the listening port of the PT-TLS Responder and performs a TLS
handshake. The PT-TLS Responder MUST possess a trustworthy X.509
certificate used to authenticate to the PT-TLS Initiator and used to
bootstrap the security protections of the TLS session. The PT-TLS
Initiator MAY also use an X.509 certificate to authenticate to the
PT-TLS Responder providing for a bidirectional authentication of the
PT-TLS session. The NEA Client MUST provide certificate validation
according to the rules in RFC 5280 when evaluating the server
certificate. The NEA Client MAY perform certificate revocation
checking on the NEA Server's certificate. This specification allows
the NEA Client implementation to decide on what certificate
revocation technique is to be implemented. If revocation information
is not provided in a TLS handshake extension, then clients performing
certificate validation will require some network access (e.g., HTTP)
to be allowed during the assessment. NEA Client network access to
other non-essential services might be restricted during assessments
in some situations. If the client cannot access the status
information, then its policy may prevent it from completing the TLS
handshake.
Sangster, et al. Standards Track [Page 12]
^L
RFC 6876 PT-TLS February 2013
In addition, the NEA Client MUST follow the recommendations in
RFC 6125 [RFC6125] when validating the NEA Server domain name against
the contents of the server certificate, taking into consideration the
following restrictions:
o Any SRV-IDs and URI-IDs in the certificate are ignored.
o Use of CN-IDs in certificates is NOT RECOMMENDED.
o Wildcards MUST NOT appear in the DNS-ID or CN-ID of a certificate
identifying a PT-TLS server.
Details for the reverse direction are given in Section 3.1.
Due to deployment issues with issuing and distributing certificates
to a potentially large number of NEA Clients, this specification
allows the NEA Client to be authenticated during the PT-TLS
Negotiation phase using other more cost-effective methods, as
described in Section 3.8.1. At the conclusion of a successful
initial TLS Setup phase, the NEA Client and NEA Server have a
protected session to exchange messages. This allows the protocol to
transition to the PT-TLS Negotiation phase.
3.4.2.2. PT-TLS Negotiation Phase
Once a TLS session has been established between a Posture Transport
Client and Posture Transport Server, the PT-TLS Initiator sends a
Version Request message indicating its supported PT-TLS protocol
version range. Next, the PT-TLS Responder sends a Version Response
message, which selects a protocol version from within the range
offered. The PT-TLS Responder SHOULD select the preferred version
offered if supported; otherwise, the highest version that the
responder is able to support from the received Version Request
message will be used. If the PT-TLS Responder is unable or unwilling
to support any of the versions included in the Version Request
message, the responder SHOULD send a Version Not Supported error
message.
If no client-side authentication occurred during the TLS Setup phase,
the Posture Transport Server can authenticate the client using PT-TLS
client authentication messages as described in Section 3.8. The NEA
Server initiates the client authentication and indicates when the
authentication is complete.
When the NEA Client receives the Simple Authentication and Security
Layer (SASL) [RFC4422] Mechanisms list, the NEA Client responds with
a SASL Mechanism Selection TLV indicating the method of
authentication to be used. Upon selecting an appropriate SASL
Sangster, et al. Standards Track [Page 13]
^L
RFC 6876 PT-TLS February 2013
mechanism, the NEA Client and Server exchange SASL-mechanism-specific
messages in order to authenticate the NEA Client. When the client
authentication successfully completes and no additional
authentications are required (as indicated by the NEA Server sending
an empty SASL Mechanisms list), the PT-TLS session transitions into
the Data Transport phase, where it will remain for the duration of
the session. Note that the NEA Server could choose to not
authenticate the client (indicated by only sending an empty SASL
Mechanisms list) or to continue performing a posture assessment even
if the authentication did not complete successfully.
3.4.2.3. PT-TLS Data Transport Phase
Once a PT-TLS session is available to carry NEA assessments, PT-TLS
allows either side of the connection to send the first PB-TNC batch.
The PB-TNC standard prescribes whether the Posture Broker Client or
Posture Broker Server starts the assessment. The assessment
initiator first envelopes the PB-TNC batch in a PT-TLS message, then
assigns a message identifier to the message and finally transmits it
over the session. The assessment responder validates the PT-TLS
message and delivers the encapsulated PB-TNC batch to its upstream
component (Posture Broker Client or Server).
Most PT-TLS messages contain PB-TNC batches that house PA-TNC
requests for posture information or a response containing the
requested posture information. The Posture Transport Client and
Posture Transport Server may also exchange messages between them,
such as a PT-TLS Error message indicating that a problem occurred
processing a message. During an assessment, the Posture Transport
Client and Server merely encapsulate and exchange the PB-TNC batches
and are unaware of the state of the assessment.
The PT-TLS protocol allows either party to send a PT-TLS message at
any time, reflecting the full-duplex nature of the underlying TLS
session. For example, an assessment initiator may send several
PT-TLS messages prior to receiving any responses from the assessment
responder. All implementations of PT-TLS MUST support full-duplex
PT-TLS message exchange. However, some higher-layer NEA protocols
(e.g., PB-TNC) may not be able to fully make use of the full-duplex
message exchange.
3.4.3. TLS Requirements
In order to ensure that strong security is always available for
deployers and to improve interoperability, this section discusses
some requirements on the underlying TLS transport used by PT-TLS.
Whenever TLS is used by this specification, the appropriate version
(or versions) of TLS will vary over time, based on the widespread
Sangster, et al. Standards Track [Page 14]
^L
RFC 6876 PT-TLS February 2013
deployment and known security vulnerabilities. At the time of this
writing, TLS version 1.2 [RFC5246] is the most recent version, but it
has a very limited deployment base and might not be readily available
for implementation. TLS version 1.0 [RFC2246] and version 1.1
[RFC4346] are the most widely deployed versions and will provide the
broadest interoperability. Implementations of PT-TLS SHOULD support
use of TLS 1.2.
For each TLS version supported, implementations of the PT-TLS
protocol MUST at least support the TLS_RSA_WITH_AES_128_CBC_SHA
cipher suite. This cipher suite requires the server to provide a
certificate that can be used during the key exchange.
Implementations SHOULD NOT include support for cipher suites that do
not minimally offer PT-TLS Responder (typically Posture Transport
Server) authentication, such as the anonymous Diffie-Hellman cipher
suites (e.g., TLS_DH_anon_WITH_AES_128_CBC_SHA). Implementations
MUST support RFC 5746 [RFC5746]. Implementations MAY allow
renegotiation to provide confidentiality for the client certificate.
If renegotiation is allowed, implementations need to select the
appropriate handshake messages as described in RFC 5929 for the
tls-unique value.
3.5. PT-TLS Message Format
This section describes the format and semantics of the PT-TLS
message. Every message sent over a PT-TLS session MUST start with
the PT-TLS header described in this section.
The PT-TLS header format is as follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Message Type Vendor ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Value (e.g., PB-TNC Batch) . . . |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Reserved
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Sangster, et al. Standards Track [Page 15]
^L
RFC 6876 PT-TLS February 2013
Message Type Vendor ID
This field indicates the owner of the namespace associated with
the message type. This is accomplished by specifying the 24-bit
Structure of Management Information (SMI) Private Enterprise
Number [PEN] (Vendor ID) of the party who owns the message type
namespace. Consistent with PA-TNC and PB-TNC, we depend on the
PEN fitting in 24 bits, so if IANA were to register a wider PEN,
then that PEN could not be used with NEA. IETF namespace PT-TLS
Message Types MUST use zero (0) in this field. For more
information about the intended use of NEA namespace identifiers,
see the PA-TNC specification (RFC 5792), Sections 2.1 and 2.2.
The PT-TLS Message Type Vendor ID 0xffffff is reserved. Posture
Transport Clients and Servers MUST NOT send PT-TLS messages in
which the PT-TLS Message Type Vendor ID has this reserved value
(0xffffff). If a Posture Transport Client or Posture Transport
Server receives a message containing this reserved value
(0xffffff) in the PT-TLS Message Type Vendor ID, the recipient
SHOULD respond with an Invalid Parameter error code in a PT-TLS
Error message.
Message Type
This field defines the type of the PT-TLS message within the scope
of the specified Message Type Vendor ID that is included in the
Message Value field. The specific IETF-defined values allowable
in this field when the Message Type Vendor ID is the IETF SMI
Private Enterprise Number value (0) are defined in Section 3.6.
Recipients of a message containing a Message Type Vendor ID and a
message type that is unrecognized SHOULD respond with a Type Not
Supported error code in a PT-TLS Error message.
Posture Transport Clients and Posture Transport Servers MUST NOT
require support for particular vendor-defined PT-TLS Message Types
in order to interoperate with other PT-TLS compliant
implementations (although implementations MAY permit
administrators to configure them to require support for specific
vendor-defined PT-TLS Message Types).
If the PT-TLS Message Type Vendor ID field has the value zero (0),
then the PT-TLS Message Type field contains an IETF namespace
PT-TLS Message Type, as listed in the IANA registry. IANA
maintains a registry of PT-TLS Message Types. Entries in this
registry are added following the IANA Specification Required
policy, following the guidelines in Section 6.1. Section 3.6 of
this specification defines the initial set of IETF-defined PT-TLS
Message Types.
Sangster, et al. Standards Track [Page 16]
^L
RFC 6876 PT-TLS February 2013
The PT-TLS Message Type 0xffffffff is reserved. Posture Transport
Clients and Posture Transport Servers MUST NOT send PT-TLS
messages in which the PT-TLS Message Type has this reserved value
(0xffffffff). If a Posture Transport Client or Posture Transport
Server receives a message in which the PT-TLS Message Type has
this reserved value (0xffffffff), it SHOULD respond with an
Invalid Parameter error code in a PT-TLS Error message.
Message Length
This field contains the length in octets of the entire PT-TLS
message (including the entire header). Therefore, this value MUST
always be at least 16. Any Posture Transport Client or Posture
Transport Server that receives a message with a PT-TLS Message
Length field whose value is less than 16 SHOULD respond with an
Invalid Parameter PT-TLS Error Code. Similarly, if a Posture
Transport Client or Posture Transport Server receives a PT-TLS
message for a Message Type that has a known Message Length and the
Message Length indicates a different value (greater or less than
the expected value), the recipient SHOULD respond with an Invalid
Parameter PT-TLS Error Code.
Message Identifier
This field contains a value that uniquely identifies the PT-TLS
message on a per message sender (Posture Transport Client or
Server) basis. This value is copied into the body of the PT-TLS
Error message so the recipient can determine which message caused
the error.
The Message Identifier MUST be a monotonically increasing counter
starting at zero indicating the number of the messages the sender
has transmitted over the TLS session. It is possible that a busy
or long-lived session might exceed 2^32-1 messages sent, so the
message sender MUST roll over to zero upon reaching the 2^32nd
message, thus restarting the increasing counter. During a
rollover, it is feasible that the message recipient could be
confused if it keeps track of every previously received Message
Identifier, so recipients MUST be able to handle rollover
situations without generating errors.
Sangster, et al. Standards Track [Page 17]
^L
RFC 6876 PT-TLS February 2013
Message Value
The contents of this field vary depending on the particular
Message Type Vendor ID and Message Type given in the PT-TLS header
for this PT-TLS message. This field most frequently contains a
PB-TNC batch. The contents of this field for each of the initial
IETF namespace PT-TLS Message Types are defined in this
specification.
3.6. IETF Namespace PT-TLS Message Types
This section defines the NEA standard PT-TLS Message Types used to
carry PT-TLS messages and PB-TNC batches between the Posture
Transport Client and Posture Transport Server.
The following table summarizes the initial set of IETF-defined
message type values, which are used with the PT-TLS Message Type
Vendor ID field set to the IETF SMI PEN (0). Note that the IANA
administers a PEN value of 0 on behalf of the IETF. These
descriptions only apply to the IETF namespace.
Value (Name) Definition
---------------------------- ---------------------------------------
0 (Experimental) Reserved for experimental use. This
type will not offer interoperability
but allows for experimentation. This
message type MUST only be sent when the
NEA Client and NEA Server are in the
Data Transport phase and only on a
restricted, experimental network.
Compliant implementations MUST send an
Invalid Message error code in a PT-TLS
Error message if an Experimental
message is received.
1 (Version Request) Version negotiation request including
the range of versions supported by the
sender. This message type MUST only be
sent by the TLS session initiator as
the first PT-TLS message in the PT-TLS
Negotiation phase. Recipients MUST
send an Invalid Message error code in a
PT-TLS Error message if a Version
Request is received at another time.
Sangster, et al. Standards Track [Page 18]
^L
RFC 6876 PT-TLS February 2013
2 (Version Response) PT-TLS protocol version selected by the
responder. This message type MUST only
be sent by the PT-TLS Responder as the
second message in the PT-TLS
Negotiation phase. Recipients MUST
send an Invalid Message error code in a
PT-TLS Error message if a Version
Response is received at another time.
3 (SASL Mechanisms) Sent by the NEA Server to indicate what
SASL mechanisms it is willing to use
for authentication on this session.
This message type MUST only be sent by
the NEA Server in the PT-TLS
Negotiation phase. The NEA Client MUST
send an Invalid Message error code in a
PT-TLS Error message if a SASL
Mechanisms message is received at
another time.
4 (SASL Mechanism Selection) Sent by the NEA Client to select a SASL
mechanism from the list offered by the
NEA Server. This message type MUST
only be sent by the NEA Client in the
PT-TLS Negotiation phase. The NEA
Server MUST send an Invalid Message
error code in a PT-TLS Error message if
a SASL Mechanism Selection is received
after the PT-TLS Negotiation phase.
Once a SASL mechanism has been
selected, it may not change until the
mechanism completes either successfully
or as a failure.
5 (SASL Authentication Data) Opaque octets exchanged between the NEA
Client and NEA Server's SASL mechanisms
to perform the client authentication.
This message type MUST only be sent
during the PT-TLS Negotiation phase.
Recipients MUST send an Invalid Message
error code in a PT-TLS Error message if
a SASL Authentication Data message is
received after the PT-TLS Negotiation
phase.
Sangster, et al. Standards Track [Page 19]
^L
RFC 6876 PT-TLS February 2013
6 (SASL Result) Indicates the result code of the SASL
mechanism authentication as described
in Section 3.8.10. This message type
MUST only be sent by the NEA Server
when the NEA Client and NEA Server are
in the PT-TLS Negotiation phase. The
NEA Client MUST send an Invalid Message
error code in a PT-TLS Error message if
a SASL Result is received after the
PT-TLS Negotiation phase.
7 (PB-TNC Batch) Contains a PB-TNC batch. For more
information on PB-TNC batches, see
RFC 5793 (PB-TNC) Section 4. This
message type MUST only be sent when the
NEA Client and NEA Server are in the
PT-TLS Data Transport phase.
Recipients SHOULD send an Invalid
Message error code in a PT-TLS Error
message if a PB-TNC Batch is received
outside of the Data Transport phase.
8 (PT-TLS Error) PT-TLS Error message as described in
Section 3.9. This message type may be
used during any PT-TLS phase.
9-4294967294 (Unassigned) These values are for future allocation
following guidelines defined in the
IANA Considerations section (see
Section 6.1). Recipients of
unsupported messages in the IETF
namespace using a message type of 9 to
4294967294 MUST respond with a Type Not
Supported PT-TLS Error Code in a PT-TLS
Error message.
4294967295 Reserved
3.7. PT-TLS Version Negotiation
This section describes the message format and semantics for the
PT-TLS protocol version negotiation. This exchange is used by the
PT-TLS Initiator to trigger a version negotiation at the start of an
assessment. The PT-TLS Initiator MUST send a Version Request message
as its first PT-TLS message and MUST NOT send any other PT-TLS
messages on this connection until it receives a Version Response
message or an Error message. The PT-TLS Responder MUST complete the
version negotiation (or cause an error) prior to sending or accepting
Sangster, et al. Standards Track [Page 20]
^L
RFC 6876 PT-TLS February 2013
reception of any additional messages. After the successful
completion of the version negotiation, both the Posture Transport
Client and Posture Transport Server MUST only send messages compliant
with the negotiated protocol version. Subsequent assessments on the
same session MUST use the negotiated version number and therefore
MUST NOT send additional version negotiation messages.
3.7.1. Version Request Message
This message is sent by a PT-TLS Initiator as the first PT-TLS
message in a PT-TLS session. This message discloses the sender's
supported versions of the PT-TLS protocol. To ensure compatibility,
this message MUST always be sent using version 1 of the PT-TLS
protocol. Recipients of this message MUST respond with a Version
Response or with a PT-TLS Error message (Version Not Supported or
Invalid Message). The following diagram shows the format of the
Version Request message:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Min Vers | Max Vers | Pref Vers |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Reserved
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Min Vers
This field contains the minimum version of the PT-TLS protocol
supported by the sender. This field MUST be set to 1 indicating
support for the first version of PT-TLS. However, future versions
of this specification will probably remove this requirement, so
PT-TLS Responders MUST be prepared to receive other values.
Max Vers
This field contains the maximum version of the PT-TLS protocol
supported by the sender. This field MUST be set to 1 indicating
support for the first version of PT-TLS. However, future versions
of this specification will probably remove this requirement, so
PT-TLS Responders MUST be prepared to receive other values.
Sangster, et al. Standards Track [Page 21]
^L
RFC 6876 PT-TLS February 2013
Pref Vers
This field contains the sender's preferred version of the PT-TLS
protocol. This is a hint to the recipient that the sender would
like this version selected if supported. The value of this field
MUST fall within the range of Min Vers to Max Vers. This field
MUST be set to 1 indicating support for the first version of
PT-TLS. However, future versions of this specification will
probably remove this requirement, so PT-TLS Responders MUST be
prepared to receive other values.
3.7.2. Version Response Message
This message is sent in response to receiving a Version Request
message at the start of a new assessment session. If a recipient
receives a Version Request after a successful version negotiation has
occurred on the session, the recipient MUST send an Invalid Message
error code in a PT-TLS Error message and have TLS close the session.
This message MUST be sent using the syntax, semantics, and
requirements of the protocol version specified in this message.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Version |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Reserved
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Version
This field contains the version selected by the sender of this
message. The version selected MUST be within the Min Vers to Max
Vers inclusive range sent in the Version Request message. If a
PT-TLS Initiator receives a message with an invalid Version
selected, the PT-TLS Initiator MUST respond with a Version Not
Supported PT-TLS Error message.
3.8. Client Authentication Using SASL
This section includes a description of the message format and
semantics necessary to perform client authentication (authentication
of the NEA Client) over PT-TLS. Client authentication could be
necessary if the NEA Server requires such an authentication and it
was not performed during the TLS handshake. The general model used
Sangster, et al. Standards Track [Page 22]
^L
RFC 6876 PT-TLS February 2013
for performing an authentication of the client using PT-TLS messages
is to integrate the Simple Authentication and Security Layer (SASL)
[RFC4422] framework. SASL provides a number of standards-based
authentication mechanisms capable of authenticating the NEA Client
using a variety of base technologies.
Client authentication could occur during the TLS handshake using TLS-
defined authentication techniques. Because this client
authentication is optional, the NEA Server's policy might require the
client to be authenticated by PT-TLS before performing the
assessment. Similarly, the NEA Server may require a PT-TLS
authentication even if the NEA Client was authenticated during the
TLS handshake (e.g., to allow a user authentication after a system-
level authentication occurred during the TLS handshake). The
decision of whether a SASL client authentication is to occur is left
to the NEA Server's policy.
As discussed in Section 3.1.1, it is possible that the NEA Server may
initiate the TLS session to the NEA Client, thus causing it to fill
the role of TLS client during the TLS handshake. Because the NEA
Server is required to possess an X.509 certificate for those times
when it is acting as the TLS server (normal case), PT-TLS requires
that the NEA Server MUST use its X.509 certificate for TLS client
authentication during the TLS handshake to authenticate itself even
when it is acting as the TLS client. In this case, the NEA Client
and NEA Server will authenticate using certificates during the TLS
handshake, so the PT-TLS SASL client authentication might not be
required unless NEA Server policy required an additional
authentication of the NEA Client. Therefore, the normal usage for
the SASL messages is when the NEA Client acted as the TLS client and
did not authenticate during the TLS handshake.
3.8.1. SASL Client Authentication Requirements
Implementations compliant with the PT-TLS specification MUST
implement the PT-TLS client authentication messages described in this
section. These PT-TLS client authentication messages are capable of
carrying a variety of SASL authentication mechanisms' exchanges. In
order to ensure interoperability, all PT-TLS implementations
compliant with this specification MUST at least support the PLAIN
SASL mechanism [RFC4616]. Similarly, implementations MUST provide
the EXTERNAL SASL mechanism if both parties are authenticated during
the TLS establishment. In order to be able to take advantage of
other strong, widely deployed authentication technologies such as
Kerberos and support for channel bindings, implementations MAY
Sangster, et al. Standards Track [Page 23]
^L
RFC 6876 PT-TLS February 2013
include support for GS2 (the second Generic Security Service
Application Program Interface (GSS-API) bridge for SASL) [RFC5801].
GS2 includes negotiable support for channel binding for use with SASL
(see Section 5 of RFC 5801).
Implementations MUST also support the case where no client
authentication is required.
3.8.2. SASL in PT-TLS Overview
Mechanism negotiation is initiated by the NEA Server sending the SASL
Mechanisms TLV to the NEA Client to indicate the zero or more SASL
mechanisms that the NEA Server's policy is willing to use with the
NEA Client. The NEA Client selects one SASL mechanism from the list
and sends a SASL Mechanism Selection TLV completing the negotiation.
Subsequent challenges and responses are carried within the SASL
Authentication Data TLV carrying the authentication data for the
selected mechanism. The authentication outcome is communicated in a
SASL Result TLV containing a status code. If additional
authentications are required, the NEA Server could trigger the next
authentication by sending another SASL Mechanisms TLV after sending
the SASL Result TLV for the current authentication mechanism.
3.8.3. SASL Authentication Flow
The SASL client authentication starts when the NEA Server enters the
PT-TLS Negotiation phase and its policy indicates that an
authentication of the NEA Client is necessary, such as if it was not
performed during the TLS handshake protocol. The NEA Server is
responsible for triggering the client authentication by sending the
SASL Mechanisms TLV to the NEA Client listing the set of SASL
mechanisms the server is willing to use based upon its policy.
The NEA Client selects a SASL mechanism from the list proposed by the
NEA Server or sends a PT-TLS Invalid Message error code indicating
that it is unable or unwilling to perform any of the mechanisms that
were offered. If the NEA Server receives a SASL Mechanism Selection
TLV that contains an unacceptable SASL mechanism, the NEA Server
would respond with a SASL Mechanism Error in a PT-TLS Error TLV.
In situations where the NEA Server does not require a client
authentication, the NEA Server MUST send a SASL Mechanisms TLV with
no mechanisms included (only the PT-TLS header) indicating that the
connection should transition to the PT-TLS Data Transport phase. The
same mechanism is employed to indicate that a SASL authentication
already performed in this session is adequate to permit transition to
the PT-TLS Data Transport phase. So the NEA Server MUST always send
Sangster, et al. Standards Track [Page 24]
^L
RFC 6876 PT-TLS February 2013
a SASL Mechanisms TLV with no mechanisms as the last message in the
PT-TLS Negotiation phase, and the NEA Client MUST NOT transition to
the PT-TLS Data Transport phase until it receives such a message.
If the NEA Server receives a NEA assessment message before the
completion of the client authentication, the NEA Server MUST send an
Authentication Required PT-TLS Error message indicating to the NEA
Client that an authentication exchange is required prior to entering
the PT-TLS Data Transport phase.
3.8.4. Aborting SASL Authentication
The NEA Server may abort the authentication exchange by sending the
SASL Result TLV with a status code of Abort. The NEA Client may
abort the authentication exchange by sending a PT-TLS Error message
with an Error Code of SASL Mechanism Error.
3.8.5. Linkages to SASL Framework
3.8.5.1. SASL Service Name
The service name for PT-TLS is "nea-pt-tls".
3.8.5.2. SASL Authorization Identity
The PT-TLS protocol does not make use of a SASL authorization
identity string as described in RFC 4422.
3.8.5.3. SASL Security Layer
The NEA PT-TLS protocol always runs under the protection of TLS.
SASL security layers are not used and thus MUST be negotiated off
during SASL authentication.
3.8.5.4. Multiple Authentications
Only one SASL mechanism authentication may be in progress at any one
time. Once a SASL mechanism completes (successfully or
unsuccessfully), the NEA Server MAY trigger an additional
authentication by sending a SASL Mechanisms TLV.
3.8.6. SASL Channel Bindings
SASL channel bindings are used to bind the SASL authentication to the
outer TLS tunnel to ensure that the authenticating endpoints are the
same as the TLS endpoints. For SASL mechanisms that support channel
bindings, the tls-unique value defined in RFC 5929 is carried by the
SASL mechanism. For most mechanisms, this means including the
Sangster, et al. Standards Track [Page 25]
^L
RFC 6876 PT-TLS February 2013
tls-unique value with the appropriate prefix defined in RFC 5929 in
the application data portion of the SASL Mechanism channel-binding
data. If the validation of the channel binding fails, then the
connection MUST be aborted.
3.8.7. SASL Mechanisms
This TLV is sent by the NEA Server to indicate the list of SASL
mechanisms that it is willing and able to use to authenticate the NEA
Client. Each mechanism name consists of a length followed by a name.
The total length of the list is determined by the TLV Length field.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Rsvd| Mech Len| Mechanism Name (1-20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Rsvd| Mech Len| Mechanism Name (1-20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| . . . . . . . . . . . |
Rsvd (Reserved)
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Mech Len (Mechanism Name Length)
The length of the Mechanism Name field in octets.
Mechanism Name
SASL mechanism name adhering to the rules defined in RFC 4422 with
no padding.
3.8.8. SASL Mechanism Selection
This TLV is sent by the NEA Client in order to select a SASL
mechanism for use on this session.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Rsvd| Mech Len| Mechanism Name (1-20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Optional Initial Mechanism Response |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sangster, et al. Standards Track [Page 26]
^L
RFC 6876 PT-TLS February 2013
Rsvd (Reserved)
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Mech Len (Mechanism Name Length)
The length of the Mechanism Name field in octets.
Mechanism Name
SASL mechanism name adhering to the rules defined in RFC 4422.
Optional Initial Mechanism Response
Initial set of authentication information required from the NEA
Client to kick-start the authentication. This data is optional
and if not provided would be solicited by the NEA Server in the
first SASL Authentication Data TLV request.
3.8.9. SASL Authentication Data
This TLV carries an opaque (to PT-TLS) blob of octets being exchanged
between the NEA Client and the NEA Server. This TLV facilitates
their communications without interpreting any of the bytes. The SASL
Authentication Data TLV MUST NOT be sent until a SASL mechanism has
been established for a session. The SASL Authentication Data TLV
associated with the current authentication mechanism MUST NOT be sent
after a SASL Result is sent with a Result Code of Success.
Additional SASL Authentication Data TLVs would be sent if the PT-TLS
Initiator and Responder desire a subsequent SASL authentication to
occur but only after another SASL mechanism selection exchange
occurs.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ SASL Mechanism Data (Variable Length) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SASL Mechanism Data
Opaque, variable-length set of bytes exchanged between the PT-TLS
Initiator's SASL mechanism and its peer PT-TLS Responder's SASL
mechanism. These bytes MUST NOT be interpreted by the PT-TLS
layer.
Sangster, et al. Standards Track [Page 27]
^L
RFC 6876 PT-TLS February 2013
3.8.10. SASL Result
This TLV is sent by the NEA Server at the conclusion of the SASL
exchange to indicate the authentication result. Upon reception of a
SASL Result TLV indicating an Abort, the NEA Client MUST terminate
the current authentication conversation. The recipient may retry the
authentication in the event of an authentication failure. Similarly,
the NEA Server may request that additional SASL authentication(s) be
performed after the completion of a SASL mechanism by sending another
SASL Mechanisms TLV including any mechanisms dictated by its policy.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Result Code | Optional Result Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| . . . . . . . . . . . |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Result Code
This field contains the result of the SASL authentication
exchange.
Value (Name) Definition
--------------------- -------------------------------------------
0 (Success) SASL authentication was successful, and
identity was confirmed.
1 (Failure) SASL authentication failed. This might be
caused by the client providing an invalid
user identity and/or credential pair. Note
that this is not the same as a mechanism's
failure to process the authentication as
reported by the Mechanism Failure code.
2 (Abort) SASL authentication exchange was aborted by
the sender.
3 (Mechanism Failure) SASL "mechanism failure" during the
processing of the client's authentication
(e.g., not related to the user's input).
For example, this could occur if the
mechanism is unable to allocate memory
(e.g., malloc) that is needed to process a
received SASL mechanism message.
Sangster, et al. Standards Track [Page 28]
^L
RFC 6876 PT-TLS February 2013
Optional Result Data
This field contains a variable-length set of additional data for a
successful result. This field MUST be zero length unless the NEA
Server is returning a Result Code of Success and has more data to
return. For more information on the additional data with success
in SASL, see RFC 4422.
3.9. Error Message
This section describes the format and contents of the PT-TLS Error
message sent by the NEA Client or NEA Server when it detects a
PT-TLS-level protocol error. Each error message contains an error
code indicating the error that occurred, followed by a copy of the
message that caused the error.
When a PT-TLS error is received, the recipient MUST NOT respond with
a PT-TLS error, because this could result in an infinite loop of
error messages being sent. Instead, the recipient MAY log the error,
modify its behavior to avoid future errors, ignore the error,
terminate the assessment, or take other action as appropriate (as
long as it is consistent with the requirements of this
specification).
The Message Value portion of a PT-TLS Error message contains the
following information:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Error Code Vendor ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Error Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Copy of Original Message (Variable Length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| . . . . . . . |
Reserved
Reserved for future use. This field MUST be set to 0 on
transmission and ignored upon reception.
Sangster, et al. Standards Track [Page 29]
^L
RFC 6876 PT-TLS February 2013
Error Code Vendor ID
This field contains the IANA-assigned SMI Private Enterprise
Number for the vendor whose Error Code namespace is being used in
the message. For IETF namespace Error Code values, this field
MUST be set to zero (0). For other vendor-defined Error Code
namespaces, this field MUST be set to the SMI Private Enterprise
Number of the vendor.
Error Code
This field contains the error code. This error code exists within
the scope of Error Code Vendor ID in this message. Posture
Transport Clients and Posture Transport Servers MUST NOT require
support for particular vendor-specific PT-TLS Error Codes in order
to interoperate with other PT-TLS-compliant implementations
(although implementations MAY permit administrators to configure
them to require support for specific PT-TLS Error Codes).
When the Error Code Vendor ID is set to the IETF Private
Enterprise Number, the following table lists the initial supported
IETF-defined numeric error codes:
Value (Name) Definition
------------------------- ---------------------------------------
0 (Reserved) Reserved value indicates that the
PT-TLS Error message SHOULD be ignored
by all recipients. This MAY be used
for debugging purposes to allow a
sender to see a copy of the message
that was received.
1 (Malformed Message) PT-TLS message unrecognized or
unsupported. This error code SHOULD be
sent when the basic message content
sanity test fails. The sender of this
error code MUST consider it a fatal
error and abort the assessment.
2 (Version Not Supported) This error SHOULD be sent when a PT-TLS
Responder receives a PT-TLS Version
Request message containing a range of
version numbers that doesn't include
any version numbers that the recipient
is willing and able to support on the
session. All PT-TLS messages carrying
the Version Not Supported error code
MUST use a version number of 1. All
Sangster, et al. Standards Track [Page 30]
^L
RFC 6876 PT-TLS February 2013
parties that receive or send PT-TLS
messages MUST be able to properly
process an error message that meets
this description, even if they cannot
process any other aspect of PT-TLS
version 1. The sender and receiver of
this error code MUST consider it a
fatal error and close the TLS session
after sending or receiving this PT-TLS
message.
3 (Type Not Supported) PT-TLS Message Type unknown or not
supported. When a recipient receives a
PT-TLS Message Type that it does not
support, it MUST send back this error,
ignore the message, and proceed. For
example, this could occur if the sender
used a Vendor ID for the Message Type
that is not supported by the recipient.
This error message does not indicate
that a fatal error has occurred, so the
assessment is allowed to continue.
4 (Invalid Message) PT-TLS message received was invalid
based on the protocol state. For
example, this error would be sent if a
recipient receives a message associated
with the PT-TLS Negotiation Phase (such
as Version messages) after the protocol
has reached the PT-TLS Data Transport
Phase. The sender and receiver of this
error code MUST consider it a fatal
error and close the TLS session after
sending or receiving this PT-TLS
message.
5 (SASL Mechanism Error) A fatal error occurred while trying to
perform the client authentication. For
example, the NEA Client is unable to
support any of the offered SASL
mechanisms. The sender and receiver of
this error code MUST consider it a
fatal error and close the TLS session
after sending or receiving this PT-TLS
message.
Sangster, et al. Standards Track [Page 31]
^L
RFC 6876 PT-TLS February 2013
6 (Invalid Parameter) The PT-TLS Error message sender has
received a message with an invalid or
unsupported value in the PT-TLS header.
This could occur if the NEA Client
receives a PT-TLS message from the NEA
Server with a Message Length of zero
(see Section 3.5 for details). The
sender and receiver of this error code
MUST consider it a fatal error and
close the TLS session after sending or
receiving this PT-TLS message.
Copy of Original Message
This variable-length value MUST contain a copy (up to 1024 bytes)
of the original PT-TLS message that caused the error. If the
original message is longer than 1024 bytes, only the initial 1024
bytes will be included in this field. This field is included so
the error recipient can determine which message sent caused the
error. In particular, the recipient can use the Message
Identifier field from the Copy of Original Message data to
determine which message caused the error.
4. Security Considerations
This section discusses the major threats potentially faced by each
binding of the PT protocol and countermeasures provided by the PT-TLS
protocol.
4.1. Trust Relationships
In order to understand where security countermeasures are necessary,
this section starts with a discussion of where the NEA architecture
envisions some trust relationships between the processing elements of
the PT-TLS protocol. Implementations or deployments where these
trust relationships are not present would need to provide additional
countermeasures to ensure the proper operation and security of PT-TLS
(which relies upon these relationships to be trustworthy). The
following subsections discuss the trust properties associated with
each portion of the NEA reference model directly involved with the
processing of the PT-TLS protocol.
Sangster, et al. Standards Track [Page 32]
^L
RFC 6876 PT-TLS February 2013
4.1.1. Posture Transport Client
The Posture Transport Client is trusted by the Posture Broker
Client to:
o Not observe, fabricate, or alter the contents of the PB-TNC
batches received from the network
o Not observe, fabricate, or alter the PB-TNC batches passed down
from the Posture Broker Client for transmission on the network
o Transmit on the network any PB-TNC batches passed down from the
Posture Broker Client
o Deliver properly security protected messages received from the
network that are destined for the Posture Broker Client
o Provide configured security protections (e.g., authentication,
integrity, and confidentiality) for the Posture Broker Client's
PB-TNC batches sent on the network
o Expose the authenticated identity of the Posture Transport Server
only to the PB-TNC layer within the NEA Client
o Verify the security protections placed upon messages received from
the network to ensure that the messages are authentic and
protected from attacks on the network
o Provide a secure, reliable, "in-order delivery", full-duplex
transport for the Posture Broker Client's messages
The Posture Transport Client is trusted by the Posture Transport
Server to:
o Not send malicious traffic intending to harm (e.g., denial of
service) the Posture Transport Server
o Not send malformed messages (e.g., messages lacking a PT-TLS
header)
o Not send invalid or incorrect responses to messages (e.g., errors
when no error is warranted)
o Not ignore or drop messages when such an action would cause issues
for the protocol processing (e.g., dropping PT-TLS SASL
Authentication Data messages)
Sangster, et al. Standards Track [Page 33]
^L
RFC 6876 PT-TLS February 2013
o Verify the security protections placed upon messages received from
the network to ensure that the messages are authentic and
protected from attacks on the network
4.1.2. Posture Transport Server
The Posture Transport Server is trusted by the Posture Broker
Server to:
o Not observe, fabricate, or alter the contents of the PB-TNC
batches received from the network
o Not observe, fabricate, or alter the PB-TNC batches passed down
from the Posture Broker Server for transmission on the network
o Transmit on the network any PB-TNC batches passed down from the
Posture Broker Server
o Deliver properly security protected messages received from the
network that are destined for the Posture Broker Server
o Provide configured security protections (e.g., authentication,
integrity, and confidentiality) for the Posture Broker Server's
messages sent on the network
o Expose the authenticated identity of the Posture Transport Client
only to the PB-TNC layer within the NEA Server
o Verify the security protections placed upon messages received from
the network to ensure that the messages are authentic and
protected from attacks on the network
o Provide a secure, reliable, "in-order delivery", full-duplex
transport for the Posture Broker Server's messages
The Posture Transport Server is trusted by the Posture Transport
Client to:
o Not send malicious traffic intending to harm (e.g., denial of
service) the Posture Transport Client
o Not send malformed messages (e.g., messages lacking a PT-TLS
header)
o Not send invalid or incorrect responses to messages (e.g., errors
when no error is warranted)
Sangster, et al. Standards Track [Page 34]
^L
RFC 6876 PT-TLS February 2013
o Not ignore or drop messages when such an action would cause issues
for the protocol processing (e.g., dropping PT-TLS SASL Result
messages)
o Verify the security protections placed upon messages received from
the network to ensure that the messages are authentic and
protected from attacks on the network
4.2. Security Threats and Countermeasures
Beyond the trust relationships assumed in Section 4.1, the PT-TLS
protocol faces a number of potential security attacks that could
require security countermeasures.
Generally, the PT-TLS protocol is responsible for offering strong
security protections for all of the NEA protocols, so any threats to
its ability to protect NEA protocol messages could be very damaging
to deployments. Once the message is delivered to the Posture Broker
Client or Posture Broker Server, the posture brokers are trusted to
properly and safely process the messages.
4.2.1. Message Theft
When PT-TLS messages are sent over unprotected network links or
spanning local software stacks that are not trusted, the contents of
the messages may be subject to information theft by an intermediary
party. This theft could result in information being recorded for
future use or analysis by the adversary. Messages observed by
eavesdroppers could contain information that exposes potential
weaknesses in the security of the endpoint, or system fingerprinting
information; this information would make it easier for the attacker
to employ attacks more likely to be successful against the endpoint.
The eavesdropper might also learn information about the endpoint or
network policies that either singularly or collectively is considered
sensitive information. For example, if PT-TLS does not provide
confidentiality protection, an adversary could observe the PA-TNC
attributes included in the PT-TLS message and determine that the
endpoint is lacking patches or that particular sub-networks have more
lenient policies.
In order to protect against NEA assessment message theft, the PT-TLS
protocol provides strong cryptographic authentication, integrity, and
confidentiality protection. Deployers are strongly encouraged to
employ "best practice of the day" TLS ciphers to ensure that the
information remains safe despite advances in technology and
discovered cipher weaknesses. The use of bidirectional
authentication of the assessment transport session ensures that only
properly authenticated and authorized parties may be involved in an
Sangster, et al. Standards Track [Page 35]
^L
RFC 6876 PT-TLS February 2013
assessment dialog. The PT-TLS protocol also provides strong
cryptography for all of the PB-TNC and PA-TNC protocol messages
traveling over the network, allowing the message contents to be
hidden from potential theft by the adversary even if the attacker is
able to observe the encrypted PT-TLS session.
4.2.2. Message Fabrication
Attackers on the network or present within the NEA system could
introduce fabricated PT-TLS messages intending to trick or create a
denial of service against aspects of an assessment. For example, an
adversary could attempt to insert into the message exchange fake
PT-TLS Error Codes in order to disrupt communications.
The PT-TLS protocol provides strong security protections for the
complete message exchange over the network. These security
protections prevent an intermediary from being able to insert fake
messages into the assessment. In particular, TLS's use of hashing
algorithms provides strong integrity protections that allow for
detection of any changes in the content of the message stream.
Additionally, adversaries are unable to observe the PT-TLS protocol
exchanges because they are encrypted by the TLS ciphers and so would
have difficulty determining where to insert the falsified message,
since the attacker is unable to determine where the message
boundaries exist. Even if a successful message insertion did occur,
the recipient would be able to detect it due to failure of the TLS
cipher suite's integrity check.
4.2.3. Message Modification
This attack could allow an active attacker capable of intercepting a
message to modify a PT-TLS message or transported PA-TNC attribute to
a desired value to make it easier to compromise an endpoint. Without
the ability for message recipients to detect whether a received
message contains the same content as what was originally sent, active
attackers can stealthily modify the attribute exchange.
The PT-TLS protocol leverages the TLS protocol to provide strong
authentication and integrity protections as a countermeasure to this
threat. The bidirectional authentication prevents the attacker from
acting as an active man-in-the-middle to the protocol that could be
used to modify the message exchange. The strong integrity protection
(e.g., hashing) offered by TLS allows PT-TLS message recipients to
detect message alterations by other types of network-based
adversaries.
Sangster, et al. Standards Track [Page 36]
^L
RFC 6876 PT-TLS February 2013
4.2.4. Denial of Service
A variety of types of denial-of-service attacks are possible against
the PT-TLS protocol if the message exchanges are left unprotected
while traveling over the network. The Posture Transport Client and
Posture Transport Server are trusted not to participate in the denial
of service of the assessment session, leaving the threats to come
from the network.
The PT-TLS protocol provides bidirectional authentication
capabilities in order to prevent a man-in-the-middle on the network
from becoming an undetected active proxy of PT-TLS messages. Because
the PT-TLS protocol runs after the TLS handshake and thus cipher
establishment/use, all of the PT-TLS messages are protected from
undetected modification that could create a denial-of-service
situation. However, it is possible for an adversary to alter the
message flows, causing each message to be rejected by the recipient
because it fails the integrity checking.
The PT-TLS protocol operates as an application protocol on top of TLS
and thus TCP/IP protocols, so is subject to denial-of-service attacks
against the TLS, TCP, and IP protocols.
4.2.5. NEA Asokan Attacks
As described in Section 3.3 and in [RFC6813], a sophisticated MITM
attack can be mounted against NEA systems. The attacker forwards
PA-TNC messages from a healthy machine through an unhealthy one so
that the unhealthy machine can gain network access. Section 3.3 and
[RFC6813] provide a detailed description of this attack and of the
countermeasures that can be employed against it.
Because lying endpoint attacks are much easier than Asokan attacks
and the only known effective countermeasure against lying endpoint
attacks is the use of an External Measurement Agent (EMA),
countermeasures against an Asokan attack are not necessary unless an
EMA is in use. However, PT-TLS implementers may not know whether an
EMA will be used with their implementation. Therefore, PT-TLS
implementers SHOULD support the Asokan attack countermeasures
described in Section 3.3 by providing the value of the tls-unique
channel binding to higher layers in the NEA reference model: Posture
Broker Clients, Posture Broker Servers, Posture Collectors, and
Posture Validators.
The Asokan attack can also apply to authentication mechanisms carried
within TLS. SASL mechanisms providing channel bindings use the
tls-unique channel-binding data as defined in Section 3.3 to protect
against the attack.
Sangster, et al. Standards Track [Page 37]
^L
RFC 6876 PT-TLS February 2013
4.2.6. Trust Anchors
The TLS protocol bases its trust decision about the signer of the
certificates received during the TLS authentication on using a set of
trust anchor certificates. It is essential that these trust anchor
certificates are integrity protected from unauthorized modification.
Many common software components (e.g., browsers, operating systems,
security protocols) include a set of trust anchor certificates that
are relevant to their operation. The PT-TLS SHOULD use a PT-TLS-
specific set of trust anchor certificates in order to limit what
Certificate Authorities are authorized to issue certificates for use
with NEA.
5. Privacy Considerations
The role of PT-TLS is to act as a secure transport for PB-TNC and
other higher-layer protocols. As such, PT-TLS does not directly
utilize personally identifiable information (PII) except when client
authentication is enabled. When client authentication is being used,
the NEA Client will be asked to use SASL, which may disclose a local
identifier (e.g., username) associated with the endpoint and an
authenticator (e.g., password) to authenticate that identity.
Because the identity and authenticator are potentially privacy-
sensitive information, the NEA Client MUST offer a mechanism to
restrict which NEA Servers will be sent this information. Similarly,
the NEA Client SHOULD provide an indication to the person being
identified that a request for their identity has been made in case
they choose to opt out of the authentication to remain anonymous
unless no user interface is available. PT-TLS provides cryptographic
peer authentication, message integrity, and data confidentiality
protections to higher-layer NEA protocols that may exchange data
potentially including PII. These security services can be used to
protect any PII involved in an assessment from passive and active
attackers on the network. Endpoints sending potentially privacy-
sensitive information SHOULD ensure that the PT-TLS security
protections (TLS cipher suites) negotiated for an assessment of the
endpoint are adequate to avoid interception and off-line attacks of
any long-term privacy-sensitive information unless other network
protections are already present.
6. IANA Considerations
Per this specification, two new IANA registries have been created and
a TCP port number has been assigned. IANA has permanently reserved
the early allocated TCP port number 271 for use with the PT-TLS
protocol.
Sangster, et al. Standards Track [Page 38]
^L
RFC 6876 PT-TLS February 2013
This section defines the contents of two new IANA registries, PT-TLS
Message Types and PT-TLS Error Codes, and explains how these
registries work.
Each of the registries defined in this document support IETF-defined
values and vendor-defined values. To explain this phenomenon, we
will use the PT-TLS Message Type as an example, but the other
registry works the same way.
Whenever a PT-TLS Message Type appears on a network, it is always
accompanied by an SMI Private Enterprise Number (PEN), also known as
a vendor ID. If this vendor ID is zero, the accompanying PT-TLS
Message Type is an IETF namespace value listed in the IANA registry
for PT-TLS Message Types, and its meaning is defined in the
specification listed for that PT-TLS Message Type in that registry.
If the vendor ID is not zero, the meaning of the PT-TLS Message Type
is defined by the vendor identified by the vendor ID (as listed in
the IANA registry for SMI PENs). The identified vendor is encouraged
but not required to register with IANA some or all of the PT-TLS
Message Types used with their vendor ID and publish a specification
for each of these values.
6.1. Designated Expert Guidelines
For each of the IANA registries defined by this specification, new
values are added to the registry by following the IANA Specification
Required policy [RFC5226].
This section provides guidance to designated experts so that they may
make decisions using a philosophy appropriate for these registries.
The registries defined in this document have plenty of values. In
most cases, the IETF has approximately 2^32 values available for it
to define, and each vendor has the same number of values for its use.
Because there are so many values available, designated experts should
not be terribly concerned about exhausting the set of values.
Instead, designated experts should focus on the following
requirements. All values in these IANA registries are required to be
documented in a specification that is permanently and publicly
available. IETF namespace values must also be useful not harmful to
the Internet, and defined in a manner that is clear and likely to
ensure interoperability.
Designated experts should encourage vendors to avoid defining similar
but incompatible values and instead agree on a single IETF-reviewed
approach and value. However, it is beneficial to document existing
practice.
Sangster, et al. Standards Track [Page 39]
^L
RFC 6876 PT-TLS February 2013
There are several ways to ensure that a specification is permanently
and publicly available. It may be published as an RFC.
Alternatively, it may be published in another manner that makes it
freely available to anyone. However, in this latter case, the vendor
will need to supply a copy to the IANA and authorize the IANA to
archive this copy and make it freely available to all if at some
point the document becomes no longer freely available to all through
other channels.
The following two sections provide guidance to the IANA in creating
and managing the new IANA registries defined by this specification.
6.2. Registry for PT-TLS Message Types
The name for this registry is "PT-TLS Message Types". Each entry in
this registry should include a human-readable name, an SMI Private
Enterprise Number, a decimal integer value between 0 and 4294967294,
and a reference to the specification where the contents of this
message type are defined. This specification must define the meaning
of the PT-TLS Message Type and the format and semantics of the PT-TLS
Message Value field that include the designated Private Enterprise
Number in the PT-TLS Message Type Vendor ID field and the designated
numeric value in the PT-TLS Message Type field.
The following entries for this registry are defined in this document.
Additional entries to this registry are added by following the IANA
Specification Required policy, consistent with the guidelines in
Section 6.1.
PEN Value Name Reference
--- -------- ------------------------ ---------
0 0 Experimental RFC 6876
0 1 Version Request RFC 6876
0 2 Version Response RFC 6876
0 3 SASL Mechanisms RFC 6876
0 4 SASL Mechanism Selection RFC 6876
0 5 SASL Authentication Data RFC 6876
0 6 SASL Result RFC 6876
0 7 PB-TNC Batch RFC 6876
0 8 PT-TLS Error RFC 6876
0 9-4294967294 Unassigned
0 4294967295 Reserved RFC 6876
The PEN 0 (IETF) PT-TLS Message Type values between 9 and 4294967294
inclusive are allocated for future assignment by the IANA.
Sangster, et al. Standards Track [Page 40]
^L
RFC 6876 PT-TLS February 2013
6.3. Registry for PT-TLS Error Codes
The name for this registry is "PT-TLS Error Codes". Each entry in
this registry should include a human-readable name, an SMI Private
Enterprise Number, a decimal integer value between 0 and 4294967295,
and a reference to the specification where this error code is
defined. This specification must define the meaning of this error
code, a PT-TLS Message Type of PT-TLS Error, the designated Private
Enterprise Number in the PT-TLS Error Code Vendor ID field, and the
designated numeric value in the PT-TLS Error Code field.
The following entries for this registry are defined in this document.
Additional entries to this registry are added following the IANA
Specification Required policy, consistent with the guidelines in
Section 6.1.
PEN Value Name Reference
--- ------------ --------------------- ---------
0 0 Reserved RFC 6876
0 1 Malformed Message RFC 6876
0 2 Version Not Supported RFC 6876
0 3 Type Not Supported RFC 6876
0 4 Invalid Message RFC 6876
0 5 SASL Mechanism Error RFC 6876
0 6 Invalid Parameter RFC 6876
0 7-4294967295 Unassigned
The PEN 0 (IETF) PT-TLS Error Codes between 7 and 4294967295
inclusive are allocated for future assignment by the IANA.
7. Acknowledgments
Thanks to the Trusted Computing Group for contributing the initial
text upon which this document was based [IFT-TLS].
The authors of this document would also like to acknowledge the
following people who have contributed to or provided substantial
input on the preparation of this document or predecessors to it: Syam
Appala, Stuart Bailey, Lauren Giroux, Steve Hanna, Josh Howlett,
Scott Kelly, Carolin Latze, Sung Lee, Lisa Lorenzin, Alexey Melnikov,
Ravi Sahita, Subbu Srinivasan, Susan Thomson, and Mark Townsend.
Sangster, et al. Standards Track [Page 41]
^L
RFC 6876 PT-TLS February 2013
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4422] Melnikov, A., Ed., and K. Zeilenga, Ed., "Simple
Authentication and Security Layer (SASL)", RFC 4422,
June 2006.
[RFC4616] Zeilenga, K., Ed., "The PLAIN Simple Authentication and
Security Layer (SASL) Mechanism", RFC 4616, August 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008.
[RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
"Transport Layer Security (TLS) Renegotiation Indication
Extension", RFC 5746, February 2010.
[RFC5792] Sangster, P. and K. Narayan, "PA-TNC: A Posture Attribute
(PA) Protocol Compatible with Trusted Network Connect
(TNC)", RFC 5792, March 2010.
[RFC5793] Sahita, R., Hanna, S., Hurst, R., and K. Narayan,
"PB-TNC: A Posture Broker (PB) Protocol Compatible with
Trusted Network Connect (TNC)", RFC 5793, March 2010.
[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", RFC 5929, July 2010.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
Sangster, et al. Standards Track [Page 42]
^L
RFC 6876 PT-TLS February 2013
[RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport
Layer Security (TLS) and Datagram Transport Layer
Security (DTLS) Heartbeat Extension", RFC 6520,
February 2012.
8.2. Informative References
[IFT-TLS] Trusted Computing Group, "TNC IF-T: Binding to TLS",
<http://www.trustedcomputinggroup.org/>, May 2009.
[PEN] IANA Private Enterprise Numbers (PEN) registry,
<http://www.iana.org/assignments/enterprise-numbers>.
[PT-EAP] Cam-Winget, N. and P. Sangster, "PT-EAP: Posture
Transport (PT) Protocol For EAP Tunnel Methods", Work in
Progress, January 2013.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC5209] Sangster, P., Khosravi, H., Mani, M., Narayan, K., and J.
Tardo, "Network Endpoint Assessment (NEA): Overview and
Requirements", RFC 5209, June 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API)
Mechanisms in Simple Authentication and Security Layer
(SASL): The GS2 Mechanism Family", RFC 5801, July 2010.
[RFC6813] Salowey, J. and S. Hanna, "The Network Endpoint
Assessment (NEA) Asokan Attack Analysis", RFC 6813,
December 2012.
Sangster, et al. Standards Track [Page 43]
^L
RFC 6876 PT-TLS February 2013
Authors' Addresses
Paul Sangster
Symantec Corporation
6825 Citrine Dr.
Carlsbad, CA 92009
EMail: paul_sangster@symantec.com
Nancy Cam-Winget
Cisco Systems
80 West Tasman Drive
San Jose, CA 95134
US
EMail: ncamwing@cisco.com
Joseph Salowey
Cisco Systems
2901 Third Avenue
Seattle, WA 98121
US
EMail: jsalowey@cisco.com
Sangster, et al. Standards Track [Page 44]
^L
|
