Server Discovery and Validation TCG Copyright 2013-2017
Specification Version 1.0
Revision 25 Page iv of 40
TCG PUBLISHED
Table of Contents
1 Introduction ............................................................................................................ 6
1.1 Scope and Audience ..................................................................................................................... 6
1.2 Motivation ...................................................................................................................................... 6
1.3 Keywords ....................................................................................................................................... 6
2 Background ............................................................................................................ 7
2.1 Overview ....................................................................................................................................... 7
2.2 Supported Use Cases ................................................................................................................... 7
2.3 Non-supported Use Cases ............................................................................................................ 8
2.4 Requirements ................................................................................................................................ 8
2.5 Non-requirements ......................................................................................................................... 8
2.6 Assumptions .................................................................................................................................. 9
3 Endpoint Provisioning ......................................................................................... 10
3.1 Why Perform Server Discovery If Provisioning Is Needed? ....................................................... 10
3.2 Client Connection Policy ............................................................................................................. 10
3.2.1 Actions ..................................................................................................................................... 11
3.2.2 Criteria ..................................................................................................................................... 13
3.2.3 A Worked Example.................................................................................................................. 13
3.3 Trust Parameters ........................................................................................................................ 14
3.4 Provisioning ................................................................................................................................. 15
4 Server Discovery .................................................................................................. 17
4.1 When to Use Each Server Discovery Technique ........................................................................ 17
4.2 Discovery via IF-TNCCS ............................................................................................................. 17
4.2.1 TNCCS-Server-Referral .......................................................................................................... 18
4.2.2 Server Types ........................................................................................................................... 20
4.2.3 Local Group IDs ...................................................................................................................... 21
4.2.4 Server Identifier Types ............................................................................................................ 21
4.3 Discovery via DNS SRV Records ............................................................................................... 26
5 Server Validation .................................................................................................. 28
5.1.1 Server Validation Procedure ................................................................................................... 28
6 Examples .............................................................................................................. 30
6.1 Server Discovery and Validation with TNCCS-Server-Referral .................................................. 30
6.2 Server Discovery and Validation with DNS SRV ........................................................................ 31
7 Security Considerations ...................................................................................... 32
7.1 Trust Model for Discovery and Validation of Servers .................................................................. 32
7.1.1 Network ................................................................................................................................... 32
7.1.2 Policy Servers ......................................................................................................................... 32
7.1.3 Other TNC Servers.................................................................................................................. 32
7.1.4 Endpoints ................................................................................................................................ 33
7.1.5 DNS Servers ........................................................................................................................... 33
7.1.6 Certification Authorities ........................................................................................................... 33
7.2 Threat Model for Discovery and Validation of Servers................................................................ 33
7.2.1 Network Attacks ...................................................................................................................... 33
7.2.2 Policy Server Attacks .............................................................................................................. 34
7.2.3 Other TNC Server Attacks ...................................................................................................... 34
7.2.4 Endpoint Attacks ..................................................................................................................... 34
7.2.5 Certification Authority Attacks ................................................................................................. 35
7.3 Countermeasures ........................................................................................................................ 35
7.3.1 Securing the Network .............................................................................................................. 35
7.3.2 Securing Policy Servers .......................................................................................................... 35
7.3.3 Securing Other TNC Servers .................................................................................................. 36
7.3.4 Securing Endpoints ................................................................................................................. 36
7.3.5 Securing DNS Servers ............................................................................................................ 37
7.3.6 Securing CAs .......................................................................................................................... 37
