IETF Logo Mail Archive

Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)

"Roman D. Danyliw" <rdd@cert.org> Mon, 20 June 2016 14:56 UTC

Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679B712B064; Mon, 20 Jun 2016 07:56:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OjzrySygGXTB; Mon, 20 Jun 2016 07:56:19 -0700 (PDT)
Received: from shetland.sei.cmu.edu (shetland.sei.cmu.edu [192.58.107.44]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1051612D08E; Mon, 20 Jun 2016 07:56:18 -0700 (PDT)
Received: from pawpaw.sei.cmu.edu (pawpaw.sei.cmu.edu [10.64.21.22]) by shetland.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KEuGFB026202; Mon, 20 Jun 2016 10:56:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1466434576; bh=TRh1zDIkIKm/3h4UaxUY8AOrtNMXsHLmhuire91b4MM=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=Q/Kra6LmRlqB3pmIi8J78K/tZLH10HHsS8zWrN8aARy/LyL6Ep+HH6webPLnRJTiJ /lacDKBjoJq7l6YxW0ZU2m6re0dlzlPLfILjdkmuH+wSxT5z7ZJEQNOI2G32+ixTb6 EINz0WxKIN5SS+deBg+/8p+fSa7JIO1ajKWBMPOU=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by pawpaw.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u5KEuEkl029660; Mon, 20 Jun 2016 10:56:14 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0279.002; Mon, 20 Jun 2016 10:56:14 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: "Roman D. Danyliw" <rdd@cert.org>, Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Thread-Index: AQHRu5WwUczmdwb9r0SVyBJ6rZUDLZ/VY1fwgB0qPOA=
Date: Mon, 20 Jun 2016 14:56:13 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD97668C6@marathon>
References: <20160531232347.20263.30439.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/9VxSnr0KLVy6YPPrpIORm4bxbIM>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>
Subject: Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 14:56:22 -0000

Hello Alissa,

> -----Original Message-----
> From: Roman D. Danyliw [mailto:rdd@cert.org]
> Sent: Wednesday, June 01, 2016 10:52 PM
> To: Alissa Cooper <alissa@cooperw.in>; The IESG <iesg@ietf.org>

[snip]

> > -----Original Message-----
> > From: Alissa Cooper [mailto:alissa@cooperw.in]
> > Sent: Tuesday, May 31, 2016 7:24 PM
> > To: The IESG <iesg@ietf.org>

[snip]

> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > The Confidence class as defined in 3.12.5 seems underspecified. It
> > does not specify a max value, so some implementations might use 1 as
> > the max while others might use 100.
> 
> Inherited from RFC5070, there are no ranges specified for a valid numeric
> confidence value.  This was an explicit design choice kept in this draft to
> preserve flexibility.  Acceptable ranges and how this value should be
> interpreted are handled out of band.  This approach is consistent with the
> overall design of the data model.  Consider that almost all of the classes in
> the data model are optional.  The minimal valid document, shown is Section
> 7.1, isn't useful.  Profiling between parties in a data sharing consortium will
> determine which optional-in-the-RFC classes should be mandatory-in-the-
> consortium.  This thinking extends to the semantics of classes like
> Confidence.
> 
> 
> > It's also hard to understand how a single confidence value is supposed
> > to be applied to elements with multiple fields, as in 3.12 and 3.29.
> > What do I do if I have high confidence in my estimate of SystemImpact
> > but low confidence in my estimate of MonetaryImpact?
> 
> If the child classes don't have the same Confidence, then each can be
> expressed in a distinct instance of the parent class.  For the high confidence
> SystemImpact but low confidence MonetaryImpact do the following (per
> Section 3.12):
> 
> <Incident ...>
> ...
>   <Assessment>
>      <SystemImpact>...</SystemImpact>
>      <Confidence rating="low" />
>   </Assessment>
>   <Assessment>
>      <MonetaryImpact>...</MonetaryImpact>
>      <Confidence rating="high"/>
>   </Assessment>
> </Incident>
> 
> This same approach doesn't apply to the Indicator class (Section 3.29).  There
> is no way to granularly express a different confidence for different child
> elements that compose the Indicator.  The value expressed in
> Indicator/Confidence is a reflection of the confidence in the totality of the
> information in that Indicator class.

The following text was added to the Security considerations in -23 to reiterate the need to negotiate certain values out of band.

9.1.  Security
[snip]
   Certain classes may require out-of-band coordination to agree upon
   their semantics (e.g., Confidence@rating="low" or DefinedCOA).  This
   coordination MUST occur prior to operational data exchange to prevent
   the incorrect interpretation of these select data elements.  When
   parsing these data elements, implementations should validate, when
   possible, that they conform to the agreed upon semantics.  These
   semantics may need to be periodically reevaluated.

The Confidence class was added to IndicatorExpression in the -23 draft that will allow confidence to be set for Observable, IndicatorExpression, ObservableReference and IndicatorReference.

The following figure was added to Section 3.29.5 to clarify its use:

    1                          :    <IndicatorExpression operator="or">
    2                          :      <IndicatorExpression>
    3 [O1 with low confidence] :        <Observable>..</Observable>
    4                          :        <Confidence rating="low" />
    5                          :      </IndicatorExpression>
    6                          :      <IndicatorExpression>
    7 [O2 with high confidence]:        <Observable>..</Observable>
    8                          :        <Confidence rating="high" />
    9                          :      </IndicatorExpression>
   10                          :    </IndicatorExpression>

   Equivalent expression: ((O1) OR (O2))

          Figure 70: Varying confidence on particular Observables

> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > (1) Section 1: It would be useful to define "cyber," "cyber indicator"
> > (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled
> > when I wrote that, but I'm serious. The term "cyber" did not appear in
> > RFC 5070. It has clearly taken on some (mythical, perhaps) meaning in
> > venues external to the IETF. I think if this document is going to use
> > the term, it needs to explain what it means. If there are some
> > external definitions to point to or adopt, that would be fine.
> 
> After a search, it would appear that "cyber" is used in the abstract, Section
> 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact),
> 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times
> total.  That can be cleaned up.  Specifically:
> 
> ** Section 1.0 uses the term "cyber security event" once.  I'm going to
> assume that isn't controversial.
> ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four
> times.  I'm going to assume this isn't controversial.
> ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an-
> adjective in the abstract; and Sections 1.0, 3.28 and 3.29
> ** s/cyber incident report/cybersecurity incident report/g will address one
> more usage of "cyber"-as-an-adjective in Section 1.0
> ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and
> reevaluate the use of "cyber intelligence"

The use of cyber was cleaned up in -23.

> > (2) Section 3.19.2: If I want to list the admin contact for a
> > particular domain in a Contact element within a DomainContacts
> > element, do I set the role in the Contact to "admin" or to "zone"? I
> > think this is not entirely clear from how the roles are specified in
> > 3.9 since most of the roles are more generic than "zone."
> 
> I'd say "admin".  You're right about the lack of symmetry of "zone" relative to
> the others.  I'll dig through the mailing list to see if I can recollect why we
> have this value.  At first blush, I'd say delete it.

The "zone" value was deleted in -23 to eliminate confusion.

Thanks for the detailed review.

Roman

v2.23.0 | Report a Bug | By Email