Mutual Network Endpoint Assessment Han Yin


Mutual Network Endpoint Assessment
Jiwei Wei, Han Yin, Ke Jia
IETF 70
Goals and Non-Goals
• Goal for Today:
– Discuss MNEA Concept
– Gather Feedback
• Not a Goal:
– Change NEA Charter
– Change NEA Model or Requirements
Current NEA
1. Focused on the scenarios where the owner of the endpoint is the same as the owner of the network.
2. A very common model for enterprises which provide equipment to employees to perform their duties.
3. For some applications like online business and file sharing, the current assessment is not enough to ensure that both communicating parties are secure.
4. Especially in P2P applications, the endpoints carry equal responsibility, and hence mutual network endpoint assessment seems more necessary.
Current NEA Flows

NEA Client                                  NEA Server
    |   client requests network access          |
    |------------------------------------------>|
    |                 Request                   |
    |<------------------------------------------|
    |                 Posture                   |
    |------------------------------------------>|
    |                 Result                    |
    |<------------------------------------------|
Mutual NEA
• Every network endpoint can assess its peer, and can also assist the peer in assessing it (by providing its own posture).
• Every endpoint can decide whether or not to continue the subsequent interaction according to the peer's compliance with its security policy.
Mutual NEA Reference Model
• The PA, PB and PT layers are the same as in the current NEA model
• Posture Peer (PP) has the function of both PC and PV
• Posture Broker Peer (PBP) has the function of both PBC and PBS
• Posture Transport Peer (PTP) has the function of both PTS and PTC
Mutual NEA Reference Model

        NEA Peer                                          NEA Peer
+------------------------+                        +------------------------+
| Posture Peer           |<-- PA protocol ------->| Posture Peer           |
+------------------------+                        +------------------------+
| Posture Broker Peer    |<-- PB protocol ------->| Posture Broker Peer    |
+------------------------+                        +------------------------+
| Posture Transport Peer |<-- PT protocols ------>| Posture Transport Peer |
+------------------------+                        +------------------------+
MNEA Flows

Endpoint A                                  Endpoint B
    |               1. ReqB                     |
    |<------------------------------------------|
    |            2. PosA, ReqA                  |
    |------------------------------------------>|
    |            3. ResB, PosB                  |
    |<------------------------------------------|
    |               4. ResA                     |
    |------------------------------------------>|
MNEA Flows
• Step 2: As requested by Endpoint B, Endpoint A returns its posture information (PosA), subject to Endpoint A's privacy policy. At the same time, Endpoint A responds with a Posture Request (ReqA) to indicate what posture information Endpoint B should provide.
MNEA Flows
• Step 3: Endpoint B assesses the received PosA according to its security policy and returns its assessment result (ResB). At the same time, Endpoint B returns the posture information (PosB) requested by Endpoint A, subject to Endpoint B's privacy policy.
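The four-step exchange above, modelled in Python as an added example (this is not code from the slides or from the NEA working group): each endpoint has a posture, a privacy policy deciding which attributes it will disclose, and a security policy it applies to the peer's disclosed posture, so each side reaches its own verdict independently. Attribute names, policy rules and the fail-closed treatment of withheld attributes are constructed assumptions; the PA/PB/PT encodings are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    posture: dict   # what this endpoint knows about itself
    privacy: set    # attributes its privacy policy allows it to disclose
    policy: dict    # attribute -> predicate the peer's value must satisfy

    def request(self):
        """ReqX: the attributes this endpoint wants its peer to provide."""
        return set(self.policy)

    def disclose(self, req):
        """PosX: requested attributes, filtered by the local privacy policy."""
        return {k: self.posture[k] for k in req
                if k in self.privacy and k in self.posture}

    def assess(self, peer_posture):
        """ResX: compliant only if every policy rule holds on disclosed data.
        Attributes the peer withheld count as failures (fail closed)."""
        failed = [k for k, ok in self.policy.items()
                  if k not in peer_posture or not ok(peer_posture[k])]
        return {"compliant": not failed, "failed": failed}


def mnea_exchange(a, b):
    """Run MNEA steps 1-4 between endpoints a and b; return (ResB, ResA)."""
    req_b = b.request()                                 # 1. B -> A : ReqB
    pos_a, req_a = a.disclose(req_b), a.request()       # 2. A -> B : PosA, ReqA
    res_b, pos_b = b.assess(pos_a), b.disclose(req_a)   # 3. B -> A : ResB, PosB
    res_a = a.assess(pos_b)                             # 4. A -> B : ResA
    return res_b, res_a


def demo():
    # Constructed sample endpoints: A's privacy policy withholds "username",
    # which B's security policy requires, so B's verdict on A is non-compliant
    # while A's verdict on B is compliant.
    a = Endpoint("A", {"av_sigs_age_days": 1, "patch_level": 12, "username": "alice"},
                 privacy={"av_sigs_age_days", "patch_level"},
                 policy={"patch_level": lambda v: v >= 10,
                         "firewall": lambda v: v == "on"})
    b = Endpoint("B", {"patch_level": 12, "firewall": "on", "username": "bob"},
                 privacy={"patch_level", "firewall", "username"},
                 policy={"av_sigs_age_days": lambda v: v <= 7,
                         "patch_level": lambda v: v >= 10,
                         "username": lambda v: True})
    return mnea_exchange(a, b)
```

Running `demo()` shows why the two verdicts can differ: the privacy policy of one side and the security policy of the other are evaluated independently, exactly as the Mutual NEA slide describes.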
Questions
• Do you find this useful?
• Should NEA support this use case?
• Any other feedback?
Thanks