Trusted Network Connect
The Network Endpoint Assessment (NEA) Internet standard RFC5209 defines a generic framework on how the state of health or posture of a network endpoint (NEA Client) can be assessed by a central management system (NEA Server).
The NEA architecture comprises three communications layers governed by the following generic protocols:
- PA-TNC (RFC5792): Posture Attribute Protocol with TNC
  PA-TNC was derived from the TCG TNC IF-M 1.0 measurement protocol.
  PA-TNC bundles standard IETF and/or vendor-specific PA-TNC attributes into PA-TNC messages on Integrity Measurement Collectors (Posture Collectors) and Integrity Measurement Verifiers (Posture Validators) according to standard IETF and/or vendor-specific PA subtypes.
- PB-TNC (RFC5793): Posture Broker Protocol with TNC
  PB-TNC was derived from the TCG TNC IF-TNCCS 2.0 client-server protocol.
  PB-TNC packs PA-TNC messages received from Integrity Measurement Collectors (Posture Collectors) on the NEA Client side or from Integrity Measurement Verifiers (Posture Validators) on the NEA Server side into PB-TNC batches that are exchanged between the TNC Client (Posture Broker Client) and the TNC Server (Posture Broker Server).
  PB-TNC batches are also used to send the final Assessment Results together with optional Access Recommendations and Remediation Parameters from the TNC Server to the TNC Client.
- PT-TLS (RFC6876): Posture Transport Protocol over TLS
  PT-TLS is a Posture Transport (PT) protocol protected by a TLS channel.
  PT-TLS transports PB-TNC batches over the network between the PT Client component of the NEA Client and the PT Server component of the NEA Server. It is usually used for periodic posture or state-of-health assessments of an endpoint that is continuously connected to a secured home network.
- PT-EAP (RFC7171): Posture Transport Protocol for EAP Tunnel Methods
  PT-EAP is an inner EAP method (EAP type 54) used within a TLS-protected EAP tunnel method like EAP-TTLS (RFC5281), running e.g. over IKEv2 EAP (strongSwan) on layer 3 or over EAPOL (wpa_supplicant) on layer 2.
  PT-EAP transports PB-TNC batches over the network between the PT Client component of the NEA Client and the PT Server component of the NEA Server. It is usually used in the early phase when an endpoint wants to connect to a secured home network via VPN (layer 3) or over LAN/WLAN (layer 2) and its posture or state-of-health has to be assessed first.
The Operating System Integrity Measurement Verifier (OS IMV) receives measurement data from an Operating System Measurement Collector (OS IMC) running on an Android endpoint. The measurements consist of three PA-TNC attributes that are packed into a PA-TNC message of the standard IETF subtype Operating System. The first two PA-TNC attributes are of IETF standard types, the first of them being Product Information, whereas the third PA-TNC attribute has a vendor-specific type defined in a PEN namespace. The PA-TNC message is delivered by the TNC Client to the TNC Server in a CDATA (ClientData) PB-TNC batch. The TNC Client can also request the language for the optional Access Recommendations and Remediation Parameters. The PB-TNC batch is transported via PT-EAP tunneled in EAP-TTLS over IKEv2 EAP.
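The OS measurement exchange described above, as an added example that is not part of the strongSwan page or code base: a Python script that packs two IETF-standard PA-TNC attributes (Product Information and String Version, RFC 5792) into a PA-TNC message of the Operating System subtype, wraps it together with a PB-Language-Preference message into a PB-TNC CDATA batch (RFC 5793), and then parses the batch back the way a TNC Server would, checking every length field against the bytes actually present and honouring the NOSKIP flag. The product name, version strings, message identifier and collector/validator identifiers are constructed sample values; the vendor-specific third attribute mentioned above is omitted.

```python
import struct

IETF = 0                    # IETF vendor ID (SMI PEN 0)
PA_ATTR_PRODUCT_INFO = 2    # RFC 5792 section 4.2.2
PA_ATTR_STRING_VERSION = 4  # RFC 5792 section 4.2.4
PA_SUBTYPE_OS = 1           # RFC 5792 section 7.2: Operating System
PB_BATCH_CDATA = 1          # RFC 5793 section 4.1: client data batch
PB_MSG_PA = 1               # RFC 5793 section 4.5: PB-PA message
PB_MSG_LANG_PREF = 6        # RFC 5793 section 4.10: PB-Language-Preference
NOSKIP = 0x80               # flag bit shared by PA-TNC attributes and PB-TNC messages


def tlv(flags, vendor_id, type_id, value):
    """12-byte header shared by PA-TNC attributes and PB-TNC messages:
    flags(8) | vendor ID(24) | type(32) | length(32, header included) | value."""
    return (struct.pack("!B", flags) + vendor_id.to_bytes(3, "big")
            + struct.pack("!II", type_id, 12 + len(value)) + value)


def parse_tlvs(data, what):
    """Walk a run of 12-byte-header TLVs, rejecting any length field that does
    not fit the buffer so a bogus length can never read past the end."""
    pos, items = 0, []
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError(f"{what} header truncated")
        flags = data[pos]
        vendor = int.from_bytes(data[pos + 1:pos + 4], "big")
        type_id, length = struct.unpack("!II", data[pos + 4:pos + 12])
        if length < 12 or pos + length > len(data):
            raise ValueError(f"{what} length field out of bounds")
        items.append((flags, vendor, type_id, data[pos + 12:pos + length]))
        pos += length
    return items


def product_information(product_vendor_id, product_id, name):
    """Product Information value: vendor(24) | product ID(16) | UTF-8 product name."""
    return product_vendor_id.to_bytes(3, "big") + struct.pack("!H", product_id) + name.encode()


def string_version(version, build, config=""):
    """String Version value: three UTF-8 strings, each prefixed by an 8-bit length."""
    return b"".join(struct.pack("!B", len(s.encode())) + s.encode() for s in (version, build, config))


def pa_tnc_message(msg_id, attributes):
    """PA-TNC message: version(8)=1 | reserved(24) | message identifier(32) | attributes."""
    return struct.pack("!BBBBI", 1, 0, 0, 0, msg_id) + b"".join(attributes)


def pb_pa_message(pa_subtype, collector_id, validator_id, pa_msg):
    """PB-PA value: flags(8) | PA vendor(24) | subtype(32) | collector(16) | validator(16) | PA-TNC msg."""
    hdr = bytes([0]) + IETF.to_bytes(3, "big") + struct.pack("!IHH", pa_subtype, collector_id, validator_id)
    return tlv(NOSKIP, IETF, PB_MSG_PA, hdr + pa_msg)


def pb_batch(batch_type, messages, from_server=False):
    """PB-TNC batch: version(8)=2 | D(1) | reserved(19) | batch type(4) | length(32) | messages."""
    body = b"".join(messages)
    word = (2 << 24) | ((1 << 23) if from_server else 0) | (batch_type & 0x0F)
    return struct.pack("!II", word, 8 + len(body)) + body


def build_os_measurement():
    """TNC Client side: two OS attributes plus a language preference in one CDATA batch.
    Product name, version strings and identifiers are constructed sample values."""
    attrs = [tlv(NOSKIP, IETF, PA_ATTR_PRODUCT_INFO, product_information(0, 0, "Android")),
             tlv(NOSKIP, IETF, PA_ATTR_STRING_VERSION, string_version("4.4.2", "KOT49H"))]
    pa_msg = pa_tnc_message(0x0100, attrs)
    return pb_batch(PB_BATCH_CDATA, [
        tlv(NOSKIP, IETF, PB_MSG_LANG_PREF, b"Accept-Language: en-US"),
        pb_pa_message(PA_SUBTYPE_OS, collector_id=1, validator_id=1, pa_msg=pa_msg),
    ])


def verify_os_measurement(batch):
    """TNC Server side: validate the batch and return what the OS IMV would see."""
    if len(batch) < 8:
        raise ValueError("batch header truncated")
    word, length = struct.unpack("!II", batch[:8])
    if word >> 24 != 2 or length != len(batch):
        raise ValueError("bad PB-TNC version or batch length")
    result = {"batch_type": word & 0x0F, "from_server": bool(word & (1 << 23)), "attributes": {}}
    for flags, vendor, mtype, value in parse_tlvs(batch[8:], "PB-TNC message"):
        if (vendor, mtype) == (IETF, PB_MSG_LANG_PREF):
            result["language"] = value.decode()
        elif (vendor, mtype) == (IETF, PB_MSG_PA):
            result["pa_subtype"] = struct.unpack("!I", value[4:8])[0]
            pa = value[12:]                       # skip the 12-byte PB-PA header
            if len(pa) < 8 or pa[0] != 1:
                raise ValueError("bad PA-TNC message header")
            for aflags, avendor, atype, avalue in parse_tlvs(pa[8:], "PA-TNC attribute"):
                if avendor == IETF and atype == PA_ATTR_PRODUCT_INFO:
                    result["attributes"]["product"] = avalue[5:].decode()
                elif avendor == IETF and atype == PA_ATTR_STRING_VERSION:
                    result["attributes"]["version"] = avalue[1:1 + avalue[0]].decode()
                elif aflags & NOSKIP:
                    # RFC 5792: an unsupported attribute with NOSKIP set must not be ignored silently
                    raise ValueError(f"unsupported NOSKIP attribute vendor={avendor} type={atype}")
        elif flags & NOSKIP:
            raise ValueError(f"unsupported NOSKIP PB-TNC message vendor={vendor} type={mtype}")
    return result


if __name__ == "__main__":
    print(verify_os_measurement(build_os_measurement()))
```

The two length checks in `verify_os_measurement` and `parse_tlvs` are the part worth copying: each PA-TNC attribute and PB-TNC message carries its own length field, and a verifier that trusts those fields without comparing them to the bytes it actually holds will read outside the buffer on a malformed batch. Unknown attributes are skipped only when NOSKIP is clear; with NOSKIP set the whole message is rejected, which is what the RFC requires.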
There are two ways in which the strongSwan TNC Client functionality can be used to collect the state-of-health or posture of an endpoint:
There are two ways in which the strongSwan TNC Server functionality can be used to assess the state-of-health or posture of associated endpoints:
- TCG Developer Blog July 2018: Use of the Software Inventory Message and Attribute (SWIMA) Standard.
- Connect Security World September 2016 Marseille: Mutual Attestation of IoT Devices.
- TCG Members Meeting June 2016 Vienna: Mutual Attestation of IoT Devices and TPM 2.0 Support.
- CeBIT 2016 Hannover: Mutual Attestation of IoT Devices via strongSwan VPN.
- TCG Members Meeting June 2015 Edinburgh: Mutual Attestation of IoT Devices.
- TCG Demo at RSA Conference 2015 San Francisco: Securing IoT with Trusted Computing.
- TCG Members Meeting June 2014 Barcelona: TNC Endpoint Compliance and Network Access Control Profiles.
- Trusted Computing Conference September 2013 Orlando: Android BYOD Security using Trusted Network Control Protocol Suite.
- TCG Members Meeting June 2013 Dublin: strongSwan TNC Activities Update.
- Linux Security Summit August 30 2012 San Diego: The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment.
- TCG Members Meeting June 2011 Munich: The strongSwan IPsec Solution with TNC Support.