IETF Logo Mail Archive

Re: [mile] Working Group Last Call for IODEF Guidance

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Thu, 11 May 2017 15:29 UTC

Return-Path: <ncamwing@cisco.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A34412EC76 for <mile@ietfa.amsl.com>; Thu, 11 May 2017 08:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Iz8F_2TAULK for <mile@ietfa.amsl.com>; Thu, 11 May 2017 08:29:23 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96CAC129436 for <mile@ietf.org>; Thu, 11 May 2017 08:23:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=29626; q=dns/txt; s=iport; t=1494516226; x=1495725826; h=from:to:subject:date:message-id:mime-version; bh=TLfBL9LoeNHRz+CVWRtdLjUOOoq6jW7P+QQc0fJt4YA=; b=hUqXOPRFE0FrMwV5oEKycGKvvd2iU3wYe6TgJlVl3p1EjzH9mRXm7ycm oGOyex9y/3V6ibFyUQkR1c8txUGjj+VAQvrBxpNr0pIxcPtZEIQ25QYD1 NGCALygkJWOimn7b66kldlcifhdOHyUROUy+XeSQ9F1C4UprzwMNE48na I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AaAQBpgRRZ/5ldJa1cGQEBAQEBAQEBAQEBBwEBAQEBgm5nYoEMB4NiihiROyGVdIIPLIV4AhqEcj8YAQIBAQEBAQEBayiFFQEBBR0GaAEIEQMBAQEhBwMCBDAUCQoEARKKIg6xHoImK4pLAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWIPSsLgmWFAxYCglovgjEFiUuNJIcbAYcbi3+CBIFhg1qDZoZGlEIBHziBCnAVHDwBhGMcgWN2AYYgK4EDgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.38,324,1491264000"; d="scan'208,217";a="424876247"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 May 2017 15:23:45 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id v4BFNjFV025537 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 11 May 2017 15:23:45 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 11 May 2017 11:23:44 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Thu, 11 May 2017 11:23:44 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Roman Danyliw <rdd@cert.org>, "mile@ietf.org" <mile@ietf.org>, "inacio@cert.org" <inacio@cert.org>
Thread-Topic: [mile] Working Group Last Call for IODEF Guidance
Thread-Index: AQHSymqTzaOykKabgkq+aGKpuqOHZA==
Date: Thu, 11 May 2017 15:23:44 +0000
Message-ID: <0A771EFD-1790-4C2A-9DBB-721F1D71935B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.155.84.51]
Content-Type: multipart/alternative; boundary="_000_0A771EFD17904C2A9DBB721F1D71935Bciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/3o95E79BfCHeqRHJNujM_Iy2dhI>
Subject: Re: [mile] Working Group Last Call for IODEF Guidance
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 15:29:26 -0000

Chris:  you had also volunteered to review the draft.  Can you let us know if you have any comments on the latest revision?  Would like to conclude the WGLC as the deadline was May 1st ☺

Meanwhile, thanks to Adam and Roman for providing your comments!

                Nancy

From: mile <mile-bounces@ietf.org> on behalf of Panos Kampanakis <pkampana@cisco.com>
Date: Thursday, May 11, 2017 at 6:26 AM
To: Roman Danyliw <rdd@cert.org>, "mile@ietf.org" <mile@ietf.org>
Subject: Re: [mile] Working Group Last Call for IODEF Guidance

Thank you for all the comments Roman.

We made all the changes you suggested and expanded some of the text that were not clear. The new version will be posted soon.


The only objection I had was on your comment (3). The xml:lang attribute in the iodef document is optional in the text in https://tools.ietf.org/html/rfc7970#section-3.1 but I see that in the XML schema it is not optional. Hmm, maybe this should be errata for RFC7090?

Panos



From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Roman Danyliw
Sent: Wednesday, April 19, 2017 3:14 PM
To: mile@ietf.org<mailto:mile@ietf.org>
Subject: Re: [mile] Working Group Last Call for IODEF Guidance

Hello!

Here are a few suggestions from reviewing draft-ietf-mile-iodef-guidance-09.

(1) Results of XML validation on all XML examples and snippets:
** The second xml snippet in Appendix A is missing the HashData@scope attribute.  Replace both instances of '<HashData>' with '<HashData scope="file-contents">'.
** All the examples in Appendix B #1 - 5 are valid XML

(2) The abstract notes IODEF v2 [RFC7970]; but Section 2 and 6 note [RFC5070] and [RFC7970].  This raised confusion for me on which version of IODEF this draft is providing implementation guidance?  The provided examples and Section 3.1 are [RFC7970] specific.

(3) Section 3.1.  This write-up is a bit imprecise.  The parent IODEF-Document technically needs an Incident class (as noted), a version attributed (as noted), but also an xml:lang attributed (not referenced).

(4) Section 3.3, page 5, "An IndicatorData class depicts a threat indicator ... to describe ... that an exploit happened".  I'd recommend replacing 'exploit' with a 'successful attack'.  IndicatorData is shared as a watch-and-warning product for an event that did occur or not.  The use of an exploit doesn't seem material.

(5) Section 4, page 6, The sentence "When defining the IODEF use strategy practitioners need to ..." doesn't parse.  Perhaps, "IODEF implementers need to ..."

(6) Section 4.1, page 6.  I don't understand the recommendation made by the sentence, "Practitioners SHOULD only support external enumerations that are expected to be used in IODEF documents for their use-cases."

(7) Section 4.1, page 6. I'd recommend updating the sentence 'The Enumeration Reference Format specifies a format to ..." with 'The Enumeration Reference Format specifies a means to use external enumeration specifications that could define an enumeration format, specific enumeration values, or both".

(8) Section 4.2, page 6.  I'd recommend updating the sentence "Many class attributes and their values can be extended using the "ext-*" prefix." to "Many attributes with enumerated values can be extended using ...".

(9) Section 4.4, page 7. Include a reference to RFC6545 and expand the acronym RID given that this is the first reference to RID in the document.

(10) Section 4.4, page 7.  I'd recommend updating the sentence "The enforcement of the disclosure guidelines goes beyond IODEF." with "The enforcement of the disclosure guidelines is out of scope for IODEF".

(11) Section 5.1, page 7. and Section 5.3, page 11, s/CERT/Computer Security Incident Response Teams/.

(12) Section 5.2, page 8.  The opening sentence, "Various vendors organized and executed an exercise where multiple threat indicators were exchanged using IODEF" left me wanting a deeper explanation of the background on this section.  What exercise?  what vendors?  When?  Is this section an implementation report?

(12) Section 5.2, page 8.  I'm confused by the intent of this section.  It reads like an implementation report more suitable for draft-ietf-mile-implementreport-10.

(13) Section 5.2, page 8. Typo.  I'd recommend updating the text "The threat information shared included incidents like DDoS attacks.  Malware and Spear-Phishing" to read as follows: "The threat information shared included indicators from DDoS attacks; and Malware and Spear-Phishing incidents".

(14) Section 5.3, page 11.  I'm confused by the title of this section.  "*More* use cases".  The 'more' suggests that other use cases were explicitly enumerated elsewhere.

(15) Section 5.3, page 11.  Additional use cases could include “Satisfying regulatory or statutory requirements for incident reporting”

(16) Globally.  Replace "practitioners' with 'implementers'.

Roman

From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Nancy Cam-Winget (ncamwing)
Sent: Tuesday, March 28, 2017 7:29 PM
To: mile@ietf.org<mailto:mile@ietf.org>
Subject: [mile] Working Group Last Call for IODEF Guidance

Colleagues,

We are doing another WGLC for https://datatracker.ietf.org/doc/html/draft-ietf-mile-iodef-guidance

Please provide comments before May 1st and provide your support and/ or raise any issue you feel are yet to be addressed.

Regards, Nancy

v2.23.0 | Report a Bug | By Email