As TCG’s Trusted Network Communications (TNC)-enabled technology is deployed in real-world environments, we’re learning that deployers have the need to collect robust posture information to support endpoint compliance, security automation, and continuous monitoring. IF-M is the communication layer of the TNC architecture used to connect the endpoint components that collect information about the endpoint, and the corresponding components on a policy server that receive that information and act on it. IF-M is designed to be flexible to support communication of virtually any type of information about the endpoint that the enterprise might wish to know.

While this information can be used to make better connectivity decisions and help protect network resources, the size of the collected information can prove burdensome. IF-M attributes can be up to 4GB in size; this can be unsustainable across certain networks or in certain circumstances. This has resulted in a compelling need to control message sizes, and to do so in a way that doesn’t disrupt existing TNC interactions.

In response to this need, the Trusted Computing Group has released the IF-M Segmentation 1.0 specification. This specification provides a standard means to manage the size of IF-M messages between TNC clients and servers. It also provides a mechanism by which large messages can be delivered in segments, to avoid overwhelming the network connection and/or the memory capacity of either the client or the server. As such, the IF-M Segmentation specification allows more efficient network and memory management within a TNC architecture implementation. More information about IF-M Segmentation is available in this FAQ.

IF-M Segmentation is designed to be used with existing IF-M message structures and is agnostic as to the nature of the messages it manages. Implementers of endpoint Integrity Measurement Collectors (IMCs) and server Integrity Measurement Verifiers (IMVs) can add IF-M Segmentation support to their products without disrupting the underlying data exchange. IF-M Segmentation may be useful to any TNC implementer, especially those whose tools collect or process data that can lead to large IF-M messages.

For a real-world example, consider the SWID Message and Attributes for IF-M specification, which allows communication of SWID tags (information about endpoint software inventory) across the TNC IF-M transport. A complete inventory of SWID tags from a single endpoint could easily approach the 4GB size limit on IF-M messages.  IF-M segmentation enables efficient, network-friendly communication of this endpoint information, facilitating the evaluation of endpoints and protection of critical network resources.