[I2nsf] AD Review of draft-ietf-i2nsf-nsf-monitoring-data-model-08

Roman Danyliw <rdd@cert.org> Fri, 25 June 2021 18:26 UTC

From: Roman Danyliw <rdd@cert.org>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: AD Review of draft-ietf-i2nsf-nsf-monitoring-data-model-08
Thread-Index: Addp7gh6ZhFVPYipQbq6D6p2yE6mow==
Date: Fri, 25 Jun 2021 18:25:36 +0000
Message-ID: <BN3P110MB0529A954AF73D32734FABD5FDC069@BN3P110MB0529.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 99d33bea-01a4-4c82-f8e5-08d93806a0fd
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jun 2021 18:25:36.9954 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3P110MB0276
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/iNN0bkhm69GuhxnDXGQuPMK5EMs>
Subject: [I2nsf] AD Review of draft-ietf-i2nsf-nsf-monitoring-data-model-08
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2021 18:26:45 -0000

Hi!

I conducted an AD review of draft-ietf-i2nsf-nsf-monitoring-data-model-08. Thanks for this detailed info and data model.

My high-level comments are as follows:

** There is a lot of flexibility in this data model in the cardinality of the fields and the sheer number of free form fields. The positive of this approach is that it should be able to represent a wide variety of tools/NSF. The negative of this is that significant profiling or out of band knowledge will be needed to make many of these field machine readable. It would be helpful to discuss this in the text

** There are a number of taxonomies in this data model. They will be helpful to parse and triage alarms. However, I have some concerns about the completeness of those currently specified and the lack of discussion on how they might be extended. It would also be helpful to cover this in the text.

** (Mentioned below in detail) I found the philosophically framing in Section 3 and 4, not entirely in sync. Additionally, the taxonomy of different kinds of data introduction in Section 4 did not clearly align for me against the data model in Section 10.

** (Mentioned below in detail) I found a few places where there were assumption and architectural elements outside of the base I2NSF architecture (RFC8329 and draft-ietf-i2nsf-applicability-18). Where that occurs more detail would be helpful, or reconsideration if this is necessary.

Now the more specific comments:

** This document provides both an information model and seemingly a YANG module to implement it. I may have missed it, but it would be helpful to state that obvious fact

** Section 1. Editorial. s/Monitoring procedures intent to acquire/Monitoring procedures acquire/

** Section 1. This sentence didn't parse for me:

OLD
Monitoring procedures
intent to acquire vital types of data with respect to NSFs, (e.g.,
alarms, records, and counters) via data in motion (e.g., queries,
notifications, and events)

NEW
This interface enables the sharing of vital data from the NSFs (e.g., alarms, records, and counters) to the Security Controller through a variety of mechanisms (e.g., queries, notifications, and events).

** Section 1. s/for an NSF for an NSF/for an NSF/

** Section 1. Recommend sticking to the named I2NSF architecture of RFC8329 so s/e.g., Security Controller and NSF Data Analyzer/e.g., Security Controller/

** Section 1. Is the phrase "... provides visibility for an NSF for an NSF data collector ...", the same thing as saying "...provides visibility into an NSF for the NSF data collector"?

** Section 1. How important is it to introduce the new architectural element of the "NSF data controller" as a super-set of the previously defined Security Controller, and the never previously mentioned or defined "NSF Data Analyzer". I asked because the I2NSF reference architectures in RFC8329 and draft-ietf-i2nsf-applicability don't have it.
I see value in keeping the language consistent with previous drafts by defining a new role for the Security Controller (from draft-ietf-i2nsf-applicability) or Network Management Operator System (from RFC8329) instead. If it's imperative to invent this new architecture term, please explain how it is architecturally different than these previously defined components.

** Section 1. Editorial. Per "The information model for the NSF monitoring interface presented in this document is a complementary information model to the information model ...", recommend against using the term "information model" three times in the same sentence for readability.

** Section 3. I found these use cases clear. However, after reading Section 4, I had trouble relating the terminology and nuances to this section.

-- There is discussion of "events" and "activity logs" in these use cases. However, in Section 4 notes events, notifications and records. How do notifications and records align with these use cases?

-- These use cases discuss primary discuss acting on events and triggered by activity. However, in subsequent sections (e.g., Section 7), there is note of "alerts" and "alarms". How are they related?

** Section 4. Editorial. Per "In order to maintain ...", this sentence has a double negative (two "not")

** Section 4. Per "Three basic domains about the monitoring information originating from a system entity [RFC4949] or an NSF are highlighted in this document", what is the relationship between a "system entity" and NSF? What's a "system entity" in the I2NSF framework/architecture?

** Section 4.

The Alarm Management Framework in [RFC3877] defines an Event as
something that happens as a thing of of interest.

-- Typo. s/of of/of/

-- The definition from RFC3877 "Something that happens which may be of interest"? Editorially, the exact words are clearer.

** Section 4. The citation doesn't seem right. Per:

It defines a fault
as a change in status, crossing a threshold, or an external input to
the system.

Section 3.1 of RFC3877 says a fault is "Lasting error or warning condition." The quoted text of "... as a change in status, crossing a threshold, or an external input to the system" comes from the definition of an event and it states them as examples: "A fault, a change in status, crossing a threshold, or an external input to the system, for example."

** Section 4. Per "... the scope of the Alarm Management Framework's Events is still applicable due to its broad definition", can you please clarify what is being invoked from RFC3877 beyond these definitions.

** Section 4.1. The section used term "retention" in a way I didn't expect. I'm most familiar with retention practices in the area of alerts and logs as discussing what information is kept and for how long. Does that need to be covered here?

** Section 4.1. Editorial.
Typically, a system entity populates standardized interface, such as
SNMP, NETCONF, RESTCONF or CoMI to provide and emit created
information directly via NSF Monitoring Interface
New
Typically, a system entity populates standardized interfaces, such as
SNMP, NETCONF, RESTCONF or CoMI to emit information via the NSF Monitoring Interface

** Section 4.1. Per "Alternatively, the created information is ...", is it "alternatively" or "additionally"?

** Section 4.1. Typo. s/ Monistoring/Monitoring/

** Section 4.1. Per the paragraph beginning with "Information retained on a system entity ...", I had trouble following this guidance -- Is the text suggesting that the data be emitted in some way other than the standardized data model described in this document?

** Section 4.1. Per "An I2NSF User is required to process fresh [RFC4949] records ...",

-- how does an I2NSF user know the records are fresh?

-- what is a "homogenizing function"?

-- per the architecture, how is the I2NSF user "...proving[ing] them to other I2NSF Components", as the user only interacts with the Controller?

** Section 4.1. Per "When retained or emitted, the information required to support monitoring processes has to be processed by an I2NSF User at some point in the workflow. Typical locations of these I2NSF Users are: ...", unless I'm misunderstanding that it meant by location, this behavior doesn't seem to align with the reference architecture of Figure 1 of draft-ietf-i2nsf-applicability or Section 3 of RFC8329, which suggest that only the security controller is directly interacting with the NSF.

** Section 4.2. There is a distinction being made between an event and a notification, but that distinction isn't clear to me - are events and notifications the same things except events come from an I2NSF component, but notifications do not? If notifications aren't part of the I2NSF architecture, how are they in scope to this data model? Do multiple notifications aggregate to be an event?

** Section 4.2. There deliberate taxonomy being created around events, notifications and records with each having significantly different properties to warrant distinct categories. This distinction is not clear to me when manifested in the YANG module. Are all top level containers with "*-event-*" in their names events? Are records the containers with "log" in their name? What are notifications?

Additionally, "alarms" are later introduced in the text, how do they relate?

** Section 4.4. It isn't clear from the text whether records are shared via the monitoring interface?

** Section 4.4. Per "Unlike information emitted via notifications and events, records do not require immediate attention from an analyst but may be useful for visibility and retroactive cyber forensic":
-- I don't see text in Section 4.2 is it noted that notifications required immediate attention from an analyst

-- What is the relationship between the analyst and the "I2NSF user"?

** Section 5. This section appears to be restating very similar information to Section 4.3. Are both needed?

** Section 5. Per the various examples of "data model and interaction model for data in motion", their applicability to I2NSF isn't clear. This document is specifying the encoding of data in a particular information and data model. IPFIX and NetFlow don't seem germane, and represent an alternative to some of the information described here.

** Section 5.1. This section explicitly calls out YANG Push and YANG Subscribed Notification. Are these recommended protocols? I ask because the previous sections (4.3 and 5.0), already described the generic utility of push and notification capabilities. Here the capabilities are being described again specifically.

** Section 6 and 7. There is no guidance on whether any of these data items are mandatory.

** Section 6. Per the Basic Information model:

-- message: is this field identifying the type of message or the message itself?

-- nsf-name: is the name a FQDN? Or any arbitrary string?

-- Should there be a timestamp?

** Section 7. Editorial. s/as alarm/as an alarm/ and s/with basic information/with the basic information/

** Section 7.*. The definition of "acquisition method", "emission-type" or "dampening-type" aren't clear from the one-word descriptions. Earlier text hints at acquisition method and emission type, but dampening isn't mentioned. Recommend up front definition before use here.

** Section 7.1.*.
-- A simple definition of memory, cpu, disk, etc. would be helpful to explicitly say in the text
-- each of these alarms has a "message" field. Is the proposed text the actual message? The text seems to read like the definition of that type of alarm.

** Section 7.1.5. interface-state. "up, down and congested" seems to be mixing different properties. Are the underlying semantics up-not-congested, up-but-congested, and down?

** Section 7.2.1 and 7.2.2.
-- Can a user only belong to one group?
-- Recommend defining "authentication"
-- per "login-ip-address" - is this the true "login IP" or the IP address of the action that triggered the alarm?

** Section 7.2.2. Recommend defining the scope of "configuration change"

** Section 7.2.3. Should there be some indicator as to why this flow was shared?

** Section 7.3 and 7.5. I was expecting to find symmetry between the NSF events described here and those described by the "content-security-controls" and "attack-mitigation-control" in draft-ietf-i2nsf-nsf-facing-interface. I assumed that if the NSF has a certain capability then it would be able to generate events for it using this info/data model. Instead I found representations for modeling an alert for which capabilities doesn't seem to exist; and capabilities for which there wasn't a corresponding way to created alarms. Specifically:

-- voip-volte, pkt-capture and mail-filtering don't seem to have an analog here
-- here there is an intrusion event but draft-ietf-i2nsf-nsf-facing-interface makes a distinction between ids and ips
-- botnet, session and vulnerability scanning are defined here don't have an analog in draft-ietf-i2nsf-nsf-facing-interface

** Section 7.3.1. Per attack-type
-- saying "Any one of ..." and then ending it with an "and etc" is confusing because this is no longer an enumerated list.
-- was it intentional to have this list not align with the types of DDOS attacks enumerated in draft-ietf-i2nsf-nsf-facing-interface?

** Section 7.3.1. Per dst-ip, should this be expressed as a network mask or domain name for additional flexibility?

** Section 7.3.1. Rule-name
-- Why is the "rule-name" encoded here but not in any of the other types of events (as it seems like it would be useful)?
-- Is this the name of the I2NSF Policy Rule or rule specific to the configuration on the NSF?

** Section 7.3.1. Per "profile", can "security profile" please be defined.

** Section 7.3.3 and 7.3.4 (and same applies to YANG module)
-- What is a src/dst-zone?
-- Should the IP/port/raw_info fields describe the flow in which the malware was seen rather than a packet? (Per Section 7.3.4) I ask because it would seem unlikely that a network-based malware inspection tech would operate on a per-packet basis (or that the file with the malware payload actually fit in a single packet). Per Section 7.3.4, most modern IDS/IPS also operate on streams/flows.

** Section 7.3.5. role.
-- The roles seem like the would benefit from further generalization. Given the diversity of C2 servers approaches, would it be cleared to s/IRC and Web/C2/
-- How would peer-to-peer zombie be handled, that is where the compromised hosts can talk to each other?
-- Is an "other" needed to catch additional cases?

** Section 7.4. What is the relationship of a system log to the event, notification and record taxonomy introduced earlier

** Section 7.4.1, Per "Administrator"
-- Editorially, this is one of the few uppercase field names
-- is this a user name?

** Section 7.4.2.
-- Are the CPU, disk, sessions, traffic rates, traffic speed numbers aggregates across all CPUs and interfaces on a system?
-- How does one provide per CPU/interface/disk stats?

** Section 7.4.3
-- what is "access"? Is this describing the means by which the user accessed the system? Is PPP, Point-to-Point Protocol? I don't recognized "SVN"?
-- What is "online-duration"? and "logout-duration"?

** Section 7.5.2 Editorial. Using the term "victim-id" suggests to me that a particular system has been exploited. I was under the impression that a "vulnerability scanning log" merely found a vulnerability.

** Section 7.6.1. What is the temporal frame of reference for these counters? For example, is the peak computed since the last time the counter was polled? Since some internal state was reset?

** Section 7.7.1, What are "*-regions"?

** YANG. typedef dpi-type. What is the difference between "data-filtering" and "application-behavior-control"? Wouldn't a subset of application behavior be filtering data it sends?

** YANG. typedef operation-type. "Configuration" seems underspecified, unless it is intended to mean any operation done by a user beyond login or logout. For example, if a I list the contents of a data store, I'm not doing a configuration. Is that something that would be in scope to log?

** YANG. typedef operation-type. The information model distinguishes between a privileged and unprivileged user. Does that distinction apply here?

** YANG. typedef login-mode.
-- Saying "root" seems Unix-centric.
-- "mode" doesn't seem like the right term. Root, user and guest are roles, but the means of logging in is the same.

** YANG. identity periodical. Editorial. Should this be "periodic"?

** YANG. There are a number of enumerations whose descriptions are simply repetitions of the name. Please scrub the model and add improved descriptions. For example:
-- YANG. identity dampening-type, no-dampening and on-repetition. The descriptions for these identities are not meaningful as they simply repeat their names.
-- YANG. identity authentication-mode and event-type he specific authentications modes do not have meaningful descriptions and merely repeat their names.
-- YANG. identity access-mode. The description does not make it clear what this or the derived enums are.

** YANG. identity virus-type.
-- Typo. s/caan/can/
-- the taxonomy of virus-type seems to be incomplete. How does one characterize non-self replicating, non-trojan and pure binary malware?
-- the descriptions of the derived virus-type enums are not meaningful and simply repeat their names

** YANG. identity req-method. Is there a reason why the HTTP request methods are incomplete?

** YANG. identity whitelist and blacklist. In the spirit of inclusive language, please do not use these terms. Consider accept/allow vs. deny-list.

** YANG. identity user-defined. What does a "user-defined" list mean when compared to an accept or deny list?

** YANG. identity malicious-category. How is this different than a deny list ("identity blacklist")

** YANG. Per the various protocol identities (i.e., identity ftp, icmpv6, etc.), can you explain how these are used (not saying there is an issue, I'm just don't understand).

** YANG. identity http. s/HTPP/HTTP/

** YANG. grouping common-monitoring-data. In this grouping, the severity type uses enums of critical, high, middle and low. However, in the information model, Section 6, the severity is described as a number from 0..3. Shouldn't they be the same?

** YANG. leaf vendor-name. Is this field also free form, like "leaf message"

** YANG. leaf nsf-name. Is this either an IP and a FQDN (or host name), or is the "name" here an arbitrary label?

** YANG. grouping i2nsf-nsf-event-type-content-extended. What are "src-zone" and "dst-zone"?

** YANG. When "grouping log-action" is invoked in various cases in the model, should there be flexibility to have multiple actions (if I'm reading the YANG correctly, it's 0..1)

** YANG. grouping attack-rates. Editorial. Please spell out PPS and BPS in the description.

** YANG. grouping traffic-rates. What are the units and phenomenon measured by the "leaf total-traffic"?

** YANG. grouping traffic-rates. For the counters that are *-average-*, how is the time horizon conveyed?

** YANG. leaf src-user. Is that the I2NSF user? A user name?

** YANG. case i2nsf-traffic-flows.
-- This container represents flows, but all of the leaves seems to talk about packets. Recommend s/of the packet/of the flow/
-- per "leaf arrival-rate", how is this computed? Is this the average arrival rate for all packets in the flow?

** YANG. notification i2nsf-log. Case i2nsf-nsf-system-access-log.
-- Per "leaf administrator", is this the username of the "administrator"?
-- Per "leaf result", how would a binary result be encoded?
-- is there some what to convey the format of the input or output (e.g., the content is a bash shell command)

** YANG. container i2nsf-system-res-util-log.
-- per "leaf system-status", what kind of text would be extended in this free form string?
-- per "cpu, memory, disk-usage", what are the units of the uint8 value?
-- per "session, process-num", is uint8 sufficiently large to represent a session a process count?

** YANG. container i2nsf-system-user-activity-log.
-- what do the field online-duration and logout-duration mean?
-- per additional-info, how should the list of values after the "e.g., Successful User ..." be read? It seems to be suggesting a set of enumerated values.

** YANG. container i2nsf-nsf-detection-ddos.
-- Per "leaf attack-src/dst-ip", can the text "... If there are a large number of IPv4 (or IPv6) addresses, then pick a certain number of resources according to different rules" be clarified. I didn't follow the guidance about picking resources?

** YANG. i2nsf-nsf-detection-virus.
-- per "leaf file-type", could this be expressed as a https://www.iana.org/assignments/media-types/media-types.xhtml?
-- should a hash of the file also be an option?
-- per "leaf os", what is meant by the "simple" adjective for "Simple OS information"?

** YANG. container i2nsf-nsf-detection-web-attack
-- What is the "uri-category"?
-- What is the "rsp-code", is that the HTTP response code?
-- Is the req-client-app, the user agent string?
-- recommend that the descriptions reflect the precise HTTP header field names if appropriate

** YANG. container i2nsf-nsf-log-vuln-scan.
-- is there a reason why there isn't a mechanism for structure vulnerability information (e.g., CVE) or severity (e.g., CVSS)?

** Section 14. Per the usual YANG template, this text is silent on read operations and RPC. Please clarify.

** Section 14. Clarifying text.
OLD
... which can be created, modified and deleted ... are considered sensitive

NEW
... which can be created, modified and deleted ... are considered sensitive as they all could potentially impact security monitoring and mitigation activities. Write operations (e.g., edit-config) applied to these data nodes without proper protection could result in missed alarms or incorrect alarms information being returned to the NSF collector.

** Section 14. Per "The monitoring YANG module should be protected by the secure communication channel, to ensure its confidentiality and integrity.", can the intent of this sentence please be clarified. The first paragraph of this section already established that either SSH or TLS must be used.

** Section 14.

In another side, the NSF and NSF data collector can
all be faked, which lead to undesirable results (i.e., leakage of an
NSF's important operational information, and faked NSF sending false
information to mislead the NSF data collector). The mutual
authentication is essential to protected against this kind of attack.
The current mainstream security technologies (i.e., TLS, DTLS, IPsec,
and X.509 PKI) can be employed appropriately to provide the above
security functions.

There are a few threats here and they should be separated. Mutual authentication doesn't appear to mitigate all of them.
-- compromised NSF (valid credentials): can send falsified information to the NSF collector to mislead detection or mitigation activities; and/or to hide activity. There is no in-framework mechanism to mitigate this and an issue for all monitoring infrastructures.
-- compromised NSF collection (has valid credentials): has visibility into all collected security alarms; entire detection and mitigation infrastructure may be suspect
-- impersonating NSF: system trying to send false information; client authentication would help the NSF collector identify this invalid NSF in the "push" model (NSF-to-collector); "pull" model (collector-to-NSF) should already be addressed
-- impersonating NSF collector: legitimate NSF is tricked into communicating with a rouge NSF collector; for "push" (NSF-to-collector), without valid credentials, this should already not work; for "pull" (collector-to-NSF), mutual auth would mitigate

** ID nits returned the following:
== Unused Reference: 'RFC2119' is defined on line 3817, but no explicit
reference was found in the text

[Roman] This means the boilerplate text on RFC2119 is not used correctly

== Unused Reference: 'I-D.ietf-i2nsf-capability' is defined on line 3944,
but no explicit reference was found in the text

[Roman] This should be removed.

** Downref: Normative reference to an Unknown state RFC: RFC 956

[Roman] This document is referenced in the introductory paragraph of Section 10, but doesn't appear to be used.

** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
RFC 7232, RFC 7233, RFC 7234, RFC 7235)

** Downref: Normative reference to an Informational RFC: RFC 3954

[Roman] This reference can be informative

** Downref: Normative reference to an Informational RFC: RFC 4949

[Roman] This reference can be informative

** Downref: Normative reference to an Historic RFC: RFC 6587

[Roman] This reference can be informative. However, are you sure it shouldn't be rfc5425 (syslog over TLS)?

** Downref: Normative reference to an Informational RFC: RFC 8329

[Roman] This reference can be informative

== Outdated reference: draft-ietf-netconf-subscribed-notifications has been
published as RFC 8639

== Outdated reference: draft-ietf-netconf-yang-push has been published as
RFC 8641
[Roman] These two reference just need to be replaced by their corresponding RFC.

Regards,
Roman

[I2nsf] AD Review of draft-ietf-i2nsf-nsf-monitor… Roman Danyliw
Re: [I2nsf] AD Review of draft-ietf-i2nsf-nsf-mon… Mr. Jaehoon Paul Jeong
Re: [I2nsf] AD Review of draft-ietf-i2nsf-nsf-mon… Mr. Jaehoon Paul Jeong