Re: [Cacao] playbooks for ending-quarantines of residential IoT devices
"Jason Keirstead" <Jason.Keirstead@ca.ibm.com> Thu, 04 April 2019 19:57 UTC
In-Reply-To: <8855.1554405384@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: cacao@ietf.org, Cacao <cacao-bounces@ietf.org>, Joseph Salowey <joe@salowey.net>
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thu, 04 Apr 2019 15:57:36 -0400
References: <11776.1553995012@dooku.sandelman.ca> <CAOgPGoB=i6ndONKMZ-X5_+R+hvcGDUVBmo2PZtihz9pRbKa7+w@mail.gmail.com> <8855.1554405384@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cacao/kPGsDAoFovrNeY9MeLjfi8rQNg8>
List-Id: Collaborative Automated Course of Action Operations <cacao.ietf.org>
The current understanding is definitely that playbooks and playbook steps will both require parameters. You can see that in the current introduction draft at https://tools.ietf.org/html/draft-jordan-cacao-introduction-00

Example:

   Project-Step:
   o  Id: 3
   o  Type: Machine
      *  Operation: Vlan-Move
      *  Variable: "HostVLANID ="infected-host.vlan
      *  Target: $$infected-host
      *  Destination: Quarantine VLAN ID

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown


From:        Michael Richardson <mcr+ietf@sandelman.ca>
To:          Joseph Salowey <joe@salowey.net>
Cc:          cacao@ietf.org
Date:        04/04/2019 04:16 PM
Subject:     Re: [Cacao] playbooks for ending-quarantines of residential IoT devices
Sent by:     "Cacao" <cacao-bounces@ietf.org>


Joseph Salowey <joe@salowey.net> wrote:
    mcr> Yet, if CACAO wants to be able to describe and sign operations, it
    mcr> behoves it to know what kind of things need to be done, with enough
    mcr> detail that we can describe the inputs to those operations. So
    mcr> specifically, I'm thinking that we need to have some kind of
    mcr> parametric interface to the signed snippets, rather like SQL
    mcr> ?-parameters.

    > [Joe] It seems to me that we will need parameters. If you are
    > addressing an issue with a specific host, that host needs to be
    > identified to the systems or users running the playbooks. Another
    > example might be "move to quarantine VLAN". I wouldn't expect the
    > exact VLAN ID to be input to a CACAO run book, but rather the component
    > taking action would know how to resolve the Quarantine VLAN to a VLAN
    > ID.

I find it credible that the playbook will know what the intended quarantine
VLAN is. That it's not a parameter.
But, the address of the machine to move clearly needs to be mentioned in
some way.

There are quite a few addresses that could matter:
1) IPv4 address and IPv6 address (but they can change)
2) MAC address (but device could change it, either maliciously, or because
   of MAC randomization)
3) switch number and port number
4) 802.1X login (if appropriate)

These seem like parameters to the playbook code.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
--
Cacao mailing list
Cacao@ietf.org
https://www.ietf.org/mailman/listinfo/cacao
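The "SQL ?-parameters" idea from the quoted exchange, worked through as an added Python example (editor's illustration, not code from the CACAO draft or from any of the posters). The JSON layout, the field names, the "$$name" placeholder syntax, the LOCAL_VLANS table and the use of an HMAC as a stand-in for a real signature are all assumptions. The point it demonstrates: the signature covers the step template together with its parameter declarations, so a run-time parameter can only fill the declared slot (the host identity, accepting the four identifier kinds Michael lists) and can never change the operation or the destination; the quarantine VLAN is resolved locally by the executor, as Joe suggests, rather than passed in.

```python
"""Parameterised, signed playbook step (added illustration; not from the
CACAO draft).  The JSON layout, field names, the placeholder syntax
"$$name" and the HMAC stand-in for a real signature are assumptions."""
import hashlib
import hmac
import ipaddress
import json
import re

# Hypothetical key.  A real deployment would use an asymmetric signature so
# the executor can verify steps without being able to author them.
SIGNING_KEY = b"example-key-not-for-production"

# Hypothetical local table: the executor, not the playbook author, knows
# which VLAN ID "quarantine-vlan" means on this network.
LOCAL_VLANS = {"quarantine-vlan": 999, "production-vlan": 10}

# The signed template.  Only declared placeholders may vary at run time;
# the operation and the symbolic destination are fixed by the signer.
STEP_TEMPLATE = {
    "id": 3,
    "type": "machine",
    "operation": "vlan-move",
    "target": "$$infected-host",
    "destination": "quarantine-vlan",
    "parameters": {"infected-host": {"kind": "host-identity"}},
}

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
_DOT1X_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def canonical(obj):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_step(template, key=SIGNING_KEY):
    sig = hmac.new(key, canonical(template), hashlib.sha256).hexdigest()
    return {"step": template, "sig": sig}


def verify_step(signed, key=SIGNING_KEY):
    expected = hmac.new(key, canonical(signed["step"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def validate_host_identity(value):
    """A host may be named by any of the identifier kinds listed in the
    thread (IPv4/IPv6, MAC, switch+port, 802.1X login).  Unknown keys are
    rejected so a parameter can never smuggle in an operation of its own."""
    allowed = {"ipv4", "ipv6", "mac", "switch", "port", "dot1x"}
    if not isinstance(value, dict) or not value or set(value) - allowed:
        return False
    try:
        if "ipv4" in value:
            ipaddress.IPv4Address(value["ipv4"])
        if "ipv6" in value:
            ipaddress.IPv6Address(value["ipv6"])
    except ValueError:
        return False
    if "mac" in value and not (isinstance(value["mac"], str)
                               and _MAC_RE.match(value["mac"].lower())):
        return False
    if ("switch" in value) != ("port" in value):
        return False  # a port number means nothing without its switch
    if "port" in value and not (isinstance(value["port"], int) and value["port"] > 0):
        return False
    if "dot1x" in value and not (isinstance(value["dot1x"], str)
                                 and _DOT1X_RE.match(value["dot1x"])):
        return False
    return True


VALIDATORS = {"host-identity": validate_host_identity}


def bind(signed, params, vlans=LOCAL_VLANS, key=SIGNING_KEY):
    """Verify, validate, substitute, resolve.  Returns the concrete action;
    raises ValueError if anything about the step or its parameters is off."""
    if not verify_step(signed, key):
        raise ValueError("signature check failed")
    step = signed["step"]
    declared = step["parameters"]
    if set(params) != set(declared):
        raise ValueError("parameter set does not match the signed template")
    for name, value in params.items():
        kind = declared[name]["kind"]
        if not VALIDATORS[kind](value):
            raise ValueError(f"parameter {name!r} is not a valid {kind}")
    if not step["target"].startswith("$$") or step["target"][2:] not in params:
        raise ValueError("target must reference a declared placeholder")
    if step["destination"] not in vlans:
        raise ValueError(f"no local mapping for {step['destination']!r}")
    return {
        "id": step["id"],
        "type": step["type"],
        "operation": step["operation"],
        "target": params[step["target"][2:]],
        "destination": vlans[step["destination"]],
    }


def try_bind(signed, params):
    """Convenience wrapper that returns (ok, action_or_reason)."""
    try:
        return True, bind(signed, params)
    except ValueError as exc:
        return False, str(exc)
```

Usage: `sign_step(STEP_TEMPLATE)` is what the playbook author ships; the executor calls `bind(signed, {"infected-host": {"mac": ..., "switch": ..., "port": ...}})` with whatever it learned about the host. Because the MAC can be changed by the device (the caveat in the list above), an executor that has a switch and port for the host should prefer those when it acts, and should treat a parameter naming only a MAC or IP as a hint to be re-resolved, not as the final target.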