Re: [mile] Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 02 June 2016 15:53 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C504F12D52C; Thu, 2 Jun 2016 08:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSsxEx7Xh7_7; Thu, 2 Jun 2016 08:53:51 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE10412D535; Thu, 2 Jun 2016 08:53:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B7FCBBE2D; Thu, 2 Jun 2016 16:53:49 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwL3ESztmZp2; Thu, 2 Jun 2016 16:53:49 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5F2CDBE2F; Thu, 2 Jun 2016 16:53:47 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1464882827; bh=illbHXVe5ydAr/8JepURo+poKaXA3tgJBuEQ9CRqkI4=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=1GGNhzHgZ+InK3lq62WwsdLVw8yTyaDD1MSW3Wr3xc3A3J14vLduU+OIJFuJsC6QG IWPBHsoETTjMPsQM/SK5M82ocwzGLIC/bXaiesqwwMYvd3jGok2ayFF3Ka1xoz7PY0 FgAco2EKmWPO+W1Q2JQELky+fejyZDhRTIdfCp2Y=
To: "Roman D. Danyliw" <rdd@cert.org>, The IESG <iesg@ietf.org>
References: <20160601234150.16188.9970.idtracker@ietfa.amsl.com> <359EC4B99E040048A7131E0F4E113AFCD974F737@marathon>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5750568A.7020302@cs.tcd.ie>
Date: Thu, 02 Jun 2016 16:53:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD974F737@marathon>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms010101090806080305090806"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mile/Yhe6vBOnr_2xjy3LMEbQhtHqPfc>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>
Subject: Re: [mile] Stephen Farrell's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 15:53:54 -0000
Hiya, On 02/06/16 04:36, Roman D. Danyliw wrote: > Hello Stephen! > > Thanks for the review. A response to the DISCUSS and COMMENTs is > inline ... > >> -----Original Message----- From: Stephen Farrell >> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, June 1, 2016 >> 7:42 PM To: The IESG <iesg@ietf.org> Cc: >> draft-ietf-mile-rfc5070-bis@ietf.org; Roman D. Danyliw >> <rdd@cert.org>; mile-chairs@tools.ietf.org; mile@ietf.org; >> mile-chairs@ietf.org; takeshi_takahashi@nict.go.jp; mile@ietf.org >> Subject: Stephen Farrell's Discuss on >> draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT) > > [snip] > >> ---------------------------------------------------------------------- >> >> DISCUSS: >> ---------------------------------------------------------------------- >> >> >> (1) 3.6: Does one confidence value apply to all of these? >> That seems wrong. And over-confidence is attributing threat actor >> identity is a real issue with real consequences, hence the discuss >> to make sure we bottom out on this. I think it's just too >> error-prone to be ablve to associate one confidence value with two >> things about which one can have very different concreteness. Mixing >> up high confidence in a campaign with a lack of confidence in >> threat actor identification is precisely the kind of thing that >> goes wrong, or that could be deliberately manipulated (for >> eventual media/marketing reasons). (This overlaps with but isn't >> quite the same as Alissa's 2nd discuss point. In this case, I'm >> explicitly worried about the threat actor identity confidence, as >> that has possibly severe impacts, so the resolution here could >> differ from what results from Alissa's discuss.) > > The RelatedActivity class (Section 3.6) does have the ability to > provide a single confidence value on all of the child classes in it. > Per your example, yes, a single confidence value could be made both > on the campaign and the actor. However, if more granularity was > desired, one can express different confidence values for both the > campaign and actor as follows (ThreatActor with low confidence but > the Campaign with high confidence): > > <Incident ...> ... <RelatedActivity> <ThreatActor>...</ThreatActor> > <Confidence rating="low" /> </RelatedActivity> <RelatedActivity> > <Campaign>...</Campaign> <Confidence rating="high"/> > </RelatedActivity> </Incident> Right, it's clear one can do the right thing, but it's not clear what semantics apply when one does not do that. You could address that in various ways, but I think in particular for the confidence/ threat-actor combination, the draft does need to say how to interpret whatever the document contains. > >> (2) 3.18.1 - you provide a way to specify e.g. an address and >> netmask, or v6 prefix. But you don't specify any way to say that >> some of the address (or prefix) bits are not real or are >> additionally masked for privacy reasons. E.g. If everyone in >> 2001:1:1:beef::/64 is misbehaving, but I don't (yet) want to >> specify the exact prefix, I might want to say " some >> 2001:1:1:xxxx::/64" is misbehaving, meaning one /64 in >> 2001:1:1::/48 is being bad and not the entire /48. Why is support >> for that not required? (IPFIX does have that as an option, and >> it's been added to CDNI too.) Same idea can apply to other address >> forms too. > > Makes sense. A few new Address@category enumerated value can be > created, say "ipv6-net-sanitized" and "ipv4-net-sanitized" where "x" > has the significance of masking bits in an otherwise valid > address/prefix. So I think supporting something like that would be a good thing. If the WG consider it but decide to not add it, I'll just clear. > >> ---------------------------------------------------------------------- >> >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> >> - My review is based on [1] >> [1] >> https://tools.ietf.org/rfcdiff?url1=rfc5070&url2=draft-ietf-mile-rfc5070-bis-22 >> >> >> - "cyber" galore - yuk! Which of the fourteen (14!) uses of that ill-defined >> marketing term are useful or even well defined? RFC5070 had zero >> uses of such terms. Why is it a good plan for us to damage the RFC >> series via the use of such marketing nonsense? Someone may answer >> that this is accepted in industry these days, and that is true, but >> is nonetheless not a good enough reason for us to assist with the >> promulgation of anti-scientific non-concepts. My suggestion is to >> try s/cyber//g and then to see what if anything is less clear - >> perhaps we'll find that things are more clear. (And yes, it's a bit >> of a bugbear of mine:-) The use of "cyber indicator" instead of >> just "indicator" in 3.19 is a good example of how that phrase makes >> the spec less clear. > > Alissa commented on the same thing. Please see my response there > (https://www.ietf.org/mail-archive/web/mile/current/msg01886.html). > Long story short, IMO, there are a few instances where cyber is the > appropriate adjective (e.g., a "cyber-physical system"). > >> - 2.5.1, does base64 need a reference and aren't there multiple >> variants (url- encoded, etc, sorry for being vague - I have to look >> that stuff up afresh every time I need to write code to handle >> it;-) > > You're right, there are base64 variants. However, in this case the > text is really specific of which variant to use -- the one used by > xs:base64Binary per Section 3.2.16 of [W3C.SCHEMA.DTYPES]. > Therefore, I think we are fine. > >> - 2.8: So you don't like leap-seconds? It's often good to be clear >> if that bit of ABNF is expected to be enforced along with schema >> validation or not. > > As currently specified, if the schema is validated, this regex will > be enforced. It's baked into the schema with the iodef:TimezoneType. > Whether the schema should be validated is a separate issue that you > also brought up in another COMMENT (see below). That's fine - what about leap seconds? The rest below is fine, Cheers, S. > >> - 2.12: What about EAI? > > Good point. I'll change the reference to RFC5336. > >> - 3.13.1 - is CoA expanded somewhere? (See, I just looked at the >> diff:-) > > The write-up of the class in 3.13.1 says "DefinedCOA = Zero or more. > STRING. An identifier meaningful to the sender and recipient of this > document that references a course of action." I can make that > clearer by saying "... references a course of action (COA)". > >> - 3.18.1 - I think it'd be good to refer to the RFC for wriing down >> IPv6 addresses and prefixes. I forget it's number though:-) And who >> uses ipv6- net-mask? Don't we all use prefixes? > > Ipv6-net-mask is a hold over form rfc5070. I'll find the right > reference and drop it here. > >> - 3.21 - the hash and signature data are underspecified. You could >> mean any of pgp, smime or dkim. Or you could mean this is just a >> crypto binary value and you don't care about semantics, just >> pattern matching. > > Exactly. This class is the place to drop the crypto blob of your > choice. > >> - 4.3 - I also think that recommending schema validation of input >> documents is a bad plan. (Even if that was already in 5070.) > > Robert Sparks security review > (https://www.ietf.org/mail-archive/web/mile/current/msg01869.html) > and Alexey's review hinted at this issue but in the context of > dynamically generated schemas. I'll start the conversation on this > issue on that thread. > >> - section 9: defining how to format privacy sensitive data means >> that this spec absolutely does introduce privacy issues. >> >> - 9.1: you could not here the DoS and possible other attacks (e.g. >> spoofed .xsd files loaded over port 80) that follow on from on-line >> schema > > Good point. If the underlying schema is to be dynamically generated, > there is an IANA-to-schema-generator channel to secure that should be > covered here. This will need new text, the substance of which will > depend on the clarifying conversation that needs to happen on how > these dynamic updates should be handled. > >> - 9.2: Have there been any cases of people using IODEF for bad >> reasons? I mean that e.g. sending info about attacks or phish >> emails is good. But using this format to send information about >> tracking an individual for marketing purposes would be bad. Has the >> latter occurred though? (Just wondering, I don't know.) >> validation. > > I'm not aware of such use of IODEF (RFC5070) or this draft. > > Roman >
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Kathleen Moriarty
- [mile] Stephen Farrell's Discuss on draft-ietf-mi… Stephen Farrell
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Roman D. Danyliw
- Re: [mile] Stephen Farrell's Discuss on draft-iet… Stephen Farrell