[Asrg] Development of an object assessment format/protocol

Rich Kulawiec <rsk@gsp.org> Mon, 04 March 2013 13:29 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC2F121F89EF for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 05:29:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PEmAenRuP-kK for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 05:29:27 -0800 (PST)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) by ietfa.amsl.com (Postfix) with ESMTP id F19F021F89EE for <asrg@irtf.org>; Mon, 4 Mar 2013 05:29:26 -0800 (PST)
Received: from gsp.org (localhost.firemountain.net [127.0.0.1]) by taos.firemountain.net (8.14.6/8.14.6) with SMTP id r24DTO2k020476 for <asrg@irtf.org>; Mon, 4 Mar 2013 08:29:25 -0500 (EST)
Date: Mon, 4 Mar 2013 08:29:24 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: asrg@irtf.org
Message-ID: <20130304132924.GA27928@gsp.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: [Asrg] Development of an object assessment format/protocol
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2013 13:29:27 -0000

I've been thinking about this for a long time, and would like to find
out what others have been doing in this area (if anything) and whether
this is a topic we can or should collectively pursue.

Here's the problem statement:

We've been using DNS to communicate information about the assessment
of certain objects -- IP addresses, host names, domain names -- and
while that has its advantages (notably that most of the software already
exists, is already installed, is reasonably well-understood, etc.) it
also limits the vocabulary we can use.  Moreover, there are objects
that we might want to talk about whose information isn't easily
communicated via DNS -- e.g., web pages, email addresses.  We use other
kinds of methods for communicating those, including downloadable files,
APIs, etc.

We need, I think, a mechanism via which we can ask more complex questions
and get more comprehensive answers.  We need a mechanism which isn't
a hack on top of DNS, but which has been developed from the ground up
specifically for this purpose.

At the moment, there are a number of ad hoc ways that this happens:
for example, Joe Wein maintains a rather large list of spammer/phisher
email addresses.  (And domains, too.)   The Malwaredomains folks have
lists of domains.  The Stopforumspam folks have lists of domains and
IP addresses.  There are DNSBLs and RHSBLs like the ones run by Spamhaus.
There are various projects to identify malicious web pages.  And so on.

And all of these are great, except: they all use different ways to
express information.  Some of them can be queried; some can't.  Some
of them carry metadata like "how did we decide this?" or 'when did
we decide this?" or "for further reference, see:" and some don't.
Some of them support methods for asking narrower/broader questions,
some of them don't.

What I'm suggesting, therefore, is that we need (a) a standardized
way to express these things and (b) a standardized protocol by which
we can ask questions and get answers.  For instance:

	Does the web page at http://example.com/foo.html contain malware?

	Is the address fred@example.net associated which phishing?

	What can you tell me about the domain example.com?

	Has the IP address 192.168.0.20 sent spam recently?

Certainly all of these things are possible today, by asking various
information sources in various ways.  But not in an integrated,
unified fashion which would yield results that could be compared
to each other or integrated with each other programatically.

(For example, I might wish to ask 5 different information sources
about 192.168.0.20 and weight their opinions.  Or I might want
to ask an open-ended question like "what do you know about example.com?")

In all these instances, opinions come with metadata: whose opinion
is this?  At what time was it rendered?  Is there are time at which
it should be considered no-longer-valid?  Is there a confidence
level associated with this opinion?  Is the answer specific to
the object that was asked about or does it apply more broadly?
(e.g., I asked about 192.168.0.20 but got back an opinion that
applies not only to that, but to all of 192.168.0.0/24.)

Where I'm going, probably predictably, is that the format for
both questions and answers may be XML-based in order to provide
sufficient expressive power.   (Yes, that's verbose.  Very much
the antithesis of the terse Q/A format we use with DNS.  I haven't
been able to decide if that's a good, bad or neutral thing,
other than noting that using XML has the advantage of making
information immediately palatable to a wide range of software.)

So let me see if I can phrase the questions this way:

1. Is such a format needed?
2. Is a query-response protocol needed to transmit it?
3. If so, does anything already exist which would lend itself
to (1) and (2) with minimal changes?  If so, is it desirable
to run that experiment?
4. If not, then is there sufficient utility in this approach
that it's worth pursuing?
5. If this exists, will it be used?  Is there sufficient reason
for changes from what already exists?

(I'm aware of draft-dskoll-reputation-reporting, but it doesn't
cover all kinds of objects I have in mind here.  I'll note in
passing though that it attempts to be as concise as possible,
which is a good thing and a fine thing, but does limit the
scope of both questions and answers.)

---rsk