Proposed F19 Feature: Trusted Network Connect (TNC)

Jaroslav Reznik jreznik at
Tue Jan 29 15:35:06 UTC 2013

= Features/Trusted Network Connect (TNC) =

Feature owner(s): Avesh Agarwal <avagarwa at> 

This feature provides Trusted Network Connect(TNC) framework that can be used 
to assess and verify clients' posture (or integrity measurements or 
configuration) and its compliance to a predefined policy with existing network 
access control (NAC) solutions.

== Detailed description ==
Traditionally network access control (NAC) has lacked the ability in its 
decision making to asses endpoint's security posture and its compliance to 
enterprise policies. This lack of assessment may leave an enterprise's network 
vulnerable to malicious attacks. Trusted Computing Group (TCG) (and IETF too) 
has defined an open architecture called Trusted network connect (TNC) (IETF's 
Network Endpoint Assessment (NEA)) to fill this gap. TNC, as part of its 
architectural components, includes integrity measurement collectors (IMCs) and 
TNC client at endpoint and integrity measurement verifiers (IMVs) and TNC 
server at enterprise network side communicating over NAC solutions such as EAP 
with 802.1X to evaluate and verify the security posture of the endpoint 
against the enterprise policies before allowing network access. For this, TCG 
has released transport (IF-T), session (IF-TNCCS) and messaging (IF-M) 
standards which are open and interoperable. TNC architecture by virtue of it's 
IF-M protocol can leverage NIST's SCAP's (OpenSCAP) automated security aspects 
for measurement collection, verification and remediation. In addition, TCG has 
defined IF-PTS and PTS protocol specifications to integrate platform trust 
services (PTS) with TNC for TPM based attestation of integrity measurements. 
PTS protocol defines messaging payloads to be used over IF-M protocol.

This feature includes the aforementioned functionalities and aims to provide 
an end-to-end network based client assessment, verification and remediation. 

More information about the devel-announce mailing list