Got the NAC
Steve Hanna

IETF Picks Up TNC Standards

by Juniper Employee on 09-05-2008 12:06 PM

I’m happy to say that the IETF NEA Working Group has decided to adopt several of the latest TNC standards as Working Group drafts! Let me answer some frequently asked questions about the process and the drafts. If you have more questions, please post them and I will try to answer them.

Q. Does this mean that these TNC standards are now IETF RFCs?

A. No, there’s still a long path to follow before they can be published as RFCs (the IETF’s term for their officially published documents). But it does mean that the NEA WG is working to develop RFCs based on them.

Q. Where can I get a copy of these specs?

A. In the cryptic manner of standards groups, there are two versions of each spec: the IETF version and the TCG version. The IETF specs are PA-TNC and PB-TNC. The TCG specs are IF-M 1.0 and IF-TNCCS 2.0. The only difference is the formatting and terminology!

Q. What if the NEA WG wants to change these specs before they become RFCs?

A. That’s OK. Everyone expects that. All standards go through changes and revisions, like HTTP 1.0 and 1.1. The protocols and products are designed to support such changes with a smooth and gradual transition. It’s worth it to get everyone on board.

Q. I have another question!

A. Ask it below in a comment and I’ll answer it.

Comments
by Grant Hartline on 09-15-2008 12:21 PM
I’m happy to see the movement towards unification of standards and appreciate all of the effort you’ve put into NAC standards adoption, both within the TCG and the IETF. However, one TNC standard that is conspicuous in its absence is IF-PEP. Is there an IETF working group that may pull in IF-PEP for the purposes of triggering enforcement actions? Alternatively, or at least in the meantime, do you see any movement within what we’ll call “the industry” on adoption of RFC 3576 within Ethernet switches?

by Tarek Amr on 09-15-2008 12:21 PM

It’s really great that Juniper and TNC are doing their best to standardize the NAC. I believe this will really help in speeding up the adoption of such new technology.

I’ve noticed that most of the standards are focusing on how the PDP communicates with the PEP when the PEP is a LAN switch or Access Point. Correct me if I am wrong, but when the UAC communicates with Juniper Firewalls they do it in a non-standard way. So, are you planning to come out with another standard for communicating with Firewalls? Or are you going to re-use what is currently done when dealing with LAN switches in the Firewalls? I’ve noticed that the new ScreenOS version supports IEEE 802.1X, so I was thinking that you may be planning to make your Firewalls support EAP-JUAC, and maybe then you can come out with some extensions in the JUAC to help in pushing policies to the firewalls. Then it may be easier for other Firewall vendors (or any network-based security products) to interoperate with Juniper’s UAC or any TCG-TNC compliant NAC solution.

About the Author
  • I'm a Distinguished Engineer at Juniper Networks. My main focus is security standards. I'm co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. I also speak at various industry events such as Interop and the RSA Conference. I have a Bachelor’s degree in Computer Science from Harvard University.
About Got the NAC

Steve Hanna
Welcome to Got the NAC, written by Juniper Networks Distinguished Engineer Steve Hanna. From his insider perspective, Steve blogs about network access control, covering the issues and trends he encounters that affect the industry as a whole.

Steve Hanna is co-chair of both the Trusted Network Connect Work Group in the Trusted Computing Group and the Network Endpoint Assessment Working Group in the Internet Engineering Task Force.

Steve is active in other networking and security standards groups, such as the Open Group and OASIS. He's also the author of several IETF RFCs and published papers, an inventor or co-inventor on 30 issued U.S. patents, and a regular speaker at industry events such as Interop and the RSA Conference.

He holds an A.B. in Computer Science from Harvard University. For more information on Steve, check out Network World’s profile (by Tim Greene).

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.