IETF Logo Mail Archive

Re: [Gen-art] Genart telechat review of draft-ietf-sacm-nea-swima-patnc-02

"Schmidt, Charles M." <cmschmidt@mitre.org> Wed, 21 February 2018 20:50 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127C012D94A; Wed, 21 Feb 2018 12:50:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpQjuiVXtxyI; Wed, 21 Feb 2018 12:50:11 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 7987D126C0F; Wed, 21 Feb 2018 12:50:08 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BC65E6C00A6; Wed, 21 Feb 2018 15:50:07 -0500 (EST)
Received: from imshyb01.MITRE.ORG (unknown [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id A38766C00BD; Wed, 21 Feb 2018 15:50:07 -0500 (EST)
Received: from imshyb02.MITRE.ORG (129.83.29.3) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 21 Feb 2018 15:50:07 -0500
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Wed, 21 Feb 2018 15:50:07 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CUyORSTgu5GPfblbVfQuXlcsamiyia4KhHwVWKdgXv8=; b=jZ7wx5YpuQGThVWWCLSSl7p/qkvhN89c2BdftQzGbGHeUZwToXsftP9MHhkNiaaykSlbGWBi6Y0BONTjikgl77ZgiZqxQhq/LE9Ye80sVAjtUnxv4XSjidT/QmLO3U8vEnWhdOjphI4l8ewz1wxfPrXAwZTgdiKw+tVx+vHTxY8=
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) by DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Wed, 21 Feb 2018 20:50:05 +0000
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1]) by DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1%13]) with mapi id 15.20.0506.023; Wed, 21 Feb 2018 20:50:05 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Dan Romascanu <dromasca@gmail.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "draft-ietf-sacm-nea-swima-patnc.all@ietf.org" <draft-ietf-sacm-nea-swima-patnc.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Genart telechat review of draft-ietf-sacm-nea-swima-patnc-02
Thread-Index: AQHTqOtgzUqOYfCzUkSlOOeD0r00CaOvOIjQ
Date: Wed, 21 Feb 2018 20:50:05 +0000
Message-ID: <DM5PR0901MB237578DCF3767768F610B046ABCE0@DM5PR0901MB2375.namprd09.prod.outlook.com>
References: <151898069815.27864.8612208400996416492@ietfa.amsl.com>
In-Reply-To: <151898069815.27864.8612208400996416492@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.89]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2375; 6:ExBoYBtEkNQ6IhTXVpnttHRR2ujBerTgtXXFbRBy2lS3k+Bup4LyNwOC33ggVSscsvfnLWXRJ5JuP+Y6YTiOcMKFQD+nuQiWZwdkohsR+F5mTmvA2fCKkD0BAT59+nQHw/I6f4xSbDyzd8r2HYUhf4GVnVoMNRwvRzlAaSBcmH2iJlQ/yeSveM/CJy+Tcj/NSAmD9z+cOaX32lUejeQUE6yA17pjKWFjD6redQ7mGbxLhO2J7VwJtlIdyhABcCpCpfsMmFqfOluck9RgiGHPvxFGBhDBdN6Cq32hkV40V6IA5wuUvfA8F9EVOs1sr2vrkVZlN7pYdhgVAiTjyw9r5Xn8HJe0ozwa8v8pVGSecKMVm1DNaXSBV8VGVA0uPq2W; 5:MDO7h3AIgax4m308bOk8SooVowRYUBNureGcE5xr9/Dk1VjklivE1qrkBdknFFPUKFamDyA8YoIBo9YY87zmT1kOyKTa/RXdUA43BfKjizbKGdRCmYHifX+1jDHjqZZAezuufQKCfdEtURqRoN+lj5+uC41khH3Nep0AiPHYNUM=; 24:orJzIJPxVbuYRrDdxc5uzTn/1LVKxSFVwQahbTEQrdpOnMAVMpzjDYY0VoAHKrZG+apn7e7hYvqrcBlUTD8zEkmWoD62uuMtZEw+/xnePyo=; 7:GB0QMoTT1sf3hTyzfhdp06f34Lidib6C9vwdi87LSJVWdudkQNvgshPoNm0rBEDaZh2gcjZ3naB9xFKsz9cQ/7XjoOckAvg0i48VopZB2bOq6BhTizvJLi7aEG9wJoJq5E4Y6ZBH458czjL5a+Eo94UeH67ghEgBKFckMVFsAdUr3QSi6HFQQpibpct9fybqtQP7yupkdBVNPrHDDHgwqJSvSEgQvNOSeU2kC/xgh26FAfX/iytp5Jab7c2jyRUg
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: a6be1e73-1de7-455a-163d-08d5796cafcc
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR0901MB2375;
x-ms-traffictypediagnostic: DM5PR0901MB2375:
x-microsoft-antispam-prvs: <DM5PR0901MB2375946E432BA79DC3A98A28ABCE0@DM5PR0901MB2375.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(10201501046)(3231101)(944501161)(3002001)(93006095)(93001095)(6055026)(6041288)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(6072148)(201708071742011); SRVR:DM5PR0901MB2375; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2375;
x-forefront-prvs: 0590BBCCBC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(39860400002)(396003)(376002)(366004)(39380400002)(13464003)(377424004)(199004)(189003)(97736004)(8936002)(7736002)(2906002)(8676002)(478600001)(25786009)(66066001)(55016002)(26005)(106356001)(99286004)(3280700002)(6506007)(68736007)(39060400002)(102836004)(53546011)(81156014)(4326008)(5250100002)(14454004)(81166006)(2501003)(86362001)(305945005)(105586002)(186003)(2900100001)(74316002)(59450400001)(76176011)(3660700001)(229853002)(2950100002)(54906003)(316002)(110136005)(9686003)(5660300001)(6246003)(6306002)(33656002)(6436002)(6116002)(3846002)(53936002)(7696005); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2375; H:DM5PR0901MB2375.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: pyiTs/v1j/UhuJW2trHOgSqzqMZgg4bSpvRSWZ2/0L05p9d7i3Qpf7or+0oKZlf2K+/wCvtJ9t79HuAAjD6pM3Ut6f0x/GXmeuLHSeBRSHY90u+TIw8tSn2YFRawZX0z3BCy20qVeKwdsPGcQWuqBjLqfUOXH70cCXKi9fF1Jcc=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a6be1e73-1de7-455a-163d-08d5796cafcc
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2018 20:50:05.4828 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2375
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/fdbby0XWPT6rhWfUzSfI2Yi7jkc>
Subject: Re: [Gen-art] Genart telechat review of draft-ietf-sacm-nea-swima-patnc-02
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 20:50:14 -0000

Hello,

Thanks a bunch for the comments. I'm glad that you feel that it looks like a solid contribution.

With regard to your feedback, I have developed wording to address both your major concerns and wanted to run it by you:

---
With regard to the lack of mention of SACM, I agree that it was an oversight not to mention it in the Relationship to Other Standards section. I propose adding the following paragraph at the end of that section:

"The NEA architecture is intended to support a broad range of activities and, as such, might be employed by other specifications. For example, requirement T-001 in the SACM Requirements document (RFC 8248) notes that NEA can support data collection from endpoints within the broader SACM architecture. (Other parts of the NEA architecture, which SWIMA uses, meet the other SACM data transport requirements.) In the SACM architecture, a SWIMA-PV corresponds to a “SACM Collector” and a SWIMA-PC is a “SACM Internal Collector”. In the SACM architecture, the SWIMA specification can support activities relating to software inventory collection. Specifically, SWIMA supports the SACM “Endpoint Posture Attribute Value Collection” use case (section 2.1.3 or RFC 7632) by describing a collection mechanism that enables event driven, scheduled, and ad-hoc data collection of software inventory information. SWIMA’s flexibility with regard to the format of inventory data records means that it is compatible with virtually any data format that implements SACM’s “Define, Publish, Query, and Retrieve Security Automation Data” (section 2.1.1 in RFC 7632). This is just one example of how SWIMA can support broader security solution standards. Note that, while SWIMA can support these SACM use cases, SWIMA has no dependencies upon the SACM architecture or any other context in which NEA might reasonably be applied."

I believe this addresses most of the specific points you wanted to include. I did not include a terminology mapping to "evidence record" and "software identifier" because the SACM Terminology definition of "attribute" is not internally consistent: it states "Attribute - Is a data element, as defined in [RFC5209], that is
atomic" and "equivalent to attribute-value-pairs". However, RFC 5209 (NEA) attributes are not atomic in nature, and will consist of many name-value pairs. (I'll send a separate comment to the SACM list regarding this.) As such, I'm not sure the terminology draft has a good parallel at this time and I stuck to the clearer mappings. 

-----

With regard to firmware and OS information, I added the following to the introduction:

" Note that while this specification focuses on “software inventory”, the mechanisms it describes could also be used to convey information about firmware and operating systems associated with an endpoint. The focus on software throughout this document should not be read as excluding the use of SWIMA for these other purposes."

---------

Do these additions adequately address your concerns?

Finally, with regard to the following question:

> 2. Section 3.3
> '   In the case that it is possible to do so, the SWIMA-PC SHOULD send
>    its SWIMA Response attribute to the SWIMA-PV that requested it using
>    exclusive delivery ...'
> Assuming that 'it is possible to do so' means support for the mechanism, why
> is this a SHOULD, and not a MUST?

In the NEA specification, the EXCL flag is only a recommendation to the Posture Broker Server/Client, and the recipient of a message with the flag set only "SHOULD" deliver it to a single party. (I realize that, in retrospect, my assertion that exclusive delivery "ensures" a behavior is incorrect and will fix that.) As such, saying that implementations MUST set a flag that only SHOULD be obeyed seems to be of questionable use, especially given that the specification clearly describes what to do if messages are not exclusively delivered.

Let me know if you disagree - I don't feel too strongly about this, but wanted to explain my thoughts.

----

Thanks again for the comments.

Charles

> -----Original Message-----
> From: Dan Romascanu [mailto:dromasca@gmail.com]
> Sent: Sunday, February 18, 2018 1:05 PM
> To: gen-art@ietf.org
> Cc: draft-ietf-sacm-nea-swima-patnc.all@ietf.org; ietf@ietf.org;
> sacm@ietf.org; dromasca@gmail.com
> Subject: Genart telechat review of draft-ietf-sacm-nea-swima-patnc-02
> 
> Reviewer: Dan Romascanu
> Review result: Almost Ready
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-sacm-nea-swima-patnc-02
> Reviewer: Dan Romascanu
> Review Date: 2018-02-18
> IETF LC End Date: 2018-02-21
> IESG Telechat date: 2018-02-22
> 
> Summary:
> 
> This is a solid and detailed specification, which extends PA-TNS with specific
> attributes and message exchanges to allow endpoints to report their
> installed
> software inventory information to a NEA server. It is Almost Ready from a
> Gen-ART point of view, but there are some problems that I recommend to
> be
> addressed before approval. The major problem is related to the complete
> lack of
> information about how this specification fits into SACM, which SACM
> requirements are addressed, how terminologies are made consistent and
> how
> entities are mapped.
> 
> Major issues:
> 
> 1. The document is labeled as a SACM document, but the text never explains
> the
> connection with the SACM work, or the relation with the SACM architecture
> and
> framework. There is no reference to SACM documents either. Section 9
> 'Relationship with other specifications' does not mention SACM either.
> 
> At a minimum, I believe that the document should:
> - relate to the use cases of SACM - RFC 7632 (it does this for NEA, but this is
> not sufficient for a SACM document) - ensure consistency, refer to the
> terminology of SACM (draft-ietf-sacm-terminology), and provide a mapping
> between the terms and entities defined in this document (e.g. SWIMA-PC,
> SWIMA-PV, Evidence Record, Software Identifier) and the SACM
> terminology -
> explain how the message exchanges fit in a SACM solution to meet the
> requirements defined by RFC 8248. As an example, RFC 5792 has a detailed
> appendix that evaluates the specifications against the requirements in RFC
> 5209
> (NEA requirements).
> 
> 2. The charter item that this WG falls under reads:
> 
> '- Define an extension of IETF NEA [https://ietf.org/wg/concluded/nea.html]
> to
> collect and deliver information about firmware, operating systems, and
> software
> installed on an endpoint.'
> 
> The document covers in detail software inventory, but is mute about
> firmware
> and operating systems. Arguably these two would fall under a broad
> interpretation of 'software' but it would be better - at least - to provide an
> explanation about these being covered and how, if not specific attributes
> related to the types of software specified in the charter.
> 
> Minor issues:
> 
> 1.Section 2.3:
> 
> I believe that the 'Interoperable' requirement is trivial and unnecessary in
> the text of a Standards-Track document.
> 
> '   Interoperable:  This specification defines the protocol for how PCs
>       and PVs can exchange and use software information to provide a NEA
>       Server with information about an endpoint’s software inventory.
>       Therefore, a key goal for this specification is ensuring that all
>       SWIMA PCs and PVs, regardless of the vendor who created them, are
>       able to interoperate in their performance of these duties.'
> 
> Interoperability is the obvious goal of any IETF standards-track document.
> There is no need to repeat such an obvious statement.
> 
> 2. Section 3.3
> 
> '   In the case that it is possible to do so, the SWIMA-PC SHOULD send
>    its SWIMA Response attribute to the SWIMA-PV that requested it using
>    exclusive delivery ...'
> 
> Assuming that 'it is possible to do so' means support for the mechanism, why
> is
> this a SHOULD, and not a MUST?
> 
> Nits/editorial comments:
> 
> 1. The Abstract section - quotation marks are open around the first
> document
> name and never closed.
> 
>

v2.23.0 | Report a Bug | By Email