Mutual Network Endpoint Assessment

Jiwei Wei jiwei.wei@huawei.comHan Yin ayinhan@huawei.comKe Jia jiake.cn@huawei.com

IETF 70

Goals and Non-Goals

• Goal for Today:– Discuss MNEA Concept– Gather Feedback

• Not a Goal:– Change NEA Charter– Change NEA Model or Requirements

Current NEA

1, Focused on the scenarios where the owner of the endpoint is the same as the owner of the network.

2, A very common model for enterprises which provide equipment to employees to perform their duties.3, For some applications like online business and file

sharing, the current assessment is not enough to ensure the two communication parties are both secure.

4, Especially in P2P application, the endpoints perform equal responsibility and hence the mutual network endpoint assessment seems more necessary.

Current NEA Flows

NEA Client NEA Server | | | client requests network access | | --------------> | | | | Request | | <-------------- | | | | Posture | | --------------> | | | | Result | | <-------------- | | |

Mutual NEA

• Every network endpoint can perform the assessment of the peer as well as can assist the peer in assessing itself.

• Every endpoint can decide whether or not to continue the subsequent interaction according to the peer's compliance with its security policy.

Mutual NEA Reference Model

• PA, PB and PT layer is the same as the current NEA model

• Posture Peer (PP) has the function of both PC and PV

• Posture Broker Peer (PBP) has the function of both PBC and PBS

• Posture Transport Peer (PTP) has the function of both PTS and PTC

Mutual NEA Reference Model

Posture Peer

Posture Peer

PostureTransportPeer

Posture Attribute (PA) protocol

Posture Broker (PB) protocol

NEA Peer NEA Peer

Posture Transport (PT) protocolsPostureTransportPeer

PostureBrokerPeer

PostureBrokerPeer

MNEA Flows

Endpoint A EndpointB | | | 1,ReqB | | <------------ | | | | 2,PosA ReqA | | ------------> | | | | 3,ResB PosB | | <------------ | | | | 4,ResA | | ------------> | | |

MNEA Flows

• Step2: As requested by Endpoint BEndpoint A returns its posture information (PosA) with the permission of the Endpoint A’s privacy policy. At the same time, Endpoint A responds a Posture Request (ReqA) to indicate what posture information the Endpoint B should provide.

MNEA Flows

• Step 3:Endpoint B assesses its received PosA according to the security policy and returns its assessment result (ResB). At the same time, Endpoint B returns the related posture information (PosB) requested by Endpoint A with the permission of the Endpoint B’s privacy policy.

Questions

• Do you find this useful?

• Should NEA support this use case?

• Any other feedback?

Thanks