Post on 17-Jan-2016
Mutual Network Endpoint Assessment
Jiwei Wei <jiwei.wei@huawei.com>, Han Yin <ayinhan@huawei.com>, Ke Jia <jiake.cn@huawei.com>
IETF 70
Goals and Non-Goals
• Goal for Today:
  – Discuss MNEA Concept
  – Gather Feedback
• Not a Goal:
  – Change NEA Charter
  – Change NEA Model or Requirements
Current NEA
1. Focused on the scenarios where the owner of the endpoint is the same as the owner of the network.
2. A very common model for enterprises which provide equipment to employees to perform their duties.
3. For some applications like online business and file sharing, the current assessment is not enough to ensure that both communicating parties are secure.
4. Especially in P2P applications, the endpoints carry equal responsibility, and hence mutual network endpoint assessment seems more necessary.
Current NEA Flows
NEA Client                            NEA Server
    |                                     |
    |   client requests network access    |
    |  -------------------------------->  |
    |                                     |
    |               Request               |
    |  <--------------------------------  |
    |                                     |
    |               Posture               |
    |  -------------------------------->  |
    |                                     |
    |               Result                |
    |  <--------------------------------  |
    |                                     |
Mutual NEA
• Every network endpoint can perform the assessment of the peer as well as can assist the peer in assessing itself.
• Every endpoint can decide whether or not to continue the subsequent interaction according to the peer's compliance with its security policy.
Mutual NEA Reference Model
• The PA, PB and PT layers are the same as in the current NEA model
• Posture Peer (PP) has the function of both PC and PV
• Posture Broker Peer (PBP) has the function of both PBC and PBS
• Posture Transport Peer (PTP) has the function of both PTS and PTC
[Figure: Mutual NEA reference model. Two NEA Peers, each made up of a Posture Peer, a Posture Broker Peer and a Posture Transport Peer; the peers are connected layer by layer through the Posture Attribute (PA) protocol, the Posture Broker (PB) protocol and the Posture Transport (PT) protocols.]
MNEA Flows
Endpoint A                      Endpoint B
    |                               |
    |           1, ReqB             |
    |  <--------------------------  |
    |                               |
    |        2, PosA, ReqA          |
    |  -------------------------->  |
    |                               |
    |        3, ResB, PosB          |
    |  <--------------------------  |
    |                               |
    |           4, ResA             |
    |  -------------------------->  |
    |                               |
• Step 2: As requested by Endpoint B, Endpoint A returns its posture information (PosA), as permitted by Endpoint A's privacy policy. At the same time, Endpoint A responds with a Posture Request (ReqA) to indicate what posture information Endpoint B should provide.
• Step 3: Endpoint B assesses the received PosA according to its security policy and returns its assessment result (ResB). At the same time, Endpoint B returns the posture information (PosB) requested by Endpoint A, as permitted by Endpoint B's privacy policy.
Questions
• Do you find this useful?
• Should NEA support this use case?
• Any other feedback?
Thanks