[mile] SHOULD/RECOMMENDED Analysis / Suggestions
Eric Burger <eburger@standardstrack.com> Mon, 01 April 2013 14:27 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DA311E80BA for <mile@ietfa.amsl.com>; Mon, 1 Apr 2013 07:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.999
X-Spam-Level:
X-Spam-Status: No, score=-100.999 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_50=0.001, GB_I_LETTER=-2, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00lq68WnxevZ for <mile@ietfa.amsl.com>; Mon, 1 Apr 2013 07:27:20 -0700 (PDT)
Received: from biz104.inmotionhosting.com (biz104.inmotionhosting.com [173.247.246.244]) by ietfa.amsl.com (Postfix) with ESMTP id BF2CA11E80B8 for <mile@ietf.org>; Mon, 1 Apr 2013 07:27:20 -0700 (PDT)
Received: from ip68-100-199-8.dc.dc.cox.net ([68.100.199.8]:57565 helo=[192.168.15.177]) by biz104.inmotionhosting.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80) (envelope-from <eburger@standardstrack.com>) id 1UMfhY-0005Jy-GP for mile@ietf.org; Mon, 01 Apr 2013 07:27:14 -0700
From: Eric Burger <eburger@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_02649D8A-869C-4816-A4B4-13F862C5E8C4"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Message-Id: <B3540424-4B78-4A6A-956D-B59BFF6CCF03@standardstrack.com>
Date: Mon, 01 Apr 2013 10:27:10 -0400
To: MILE <mile@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
X-Mailer: Apple Mail (2.1503)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz104.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Subject: [mile] SHOULD/RECOMMENDED Analysis / Suggestions
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 14:27:22 -0000
SHOULD's: 3.4. AlternativeID Class [...] The incident tracking numbers of the CSIRT that generated the IODEF document should never be considered an AlternativeID. Two schools of thought. The first is either one is saying something or one is not. In that case, we should say: [...] The incident tracking numbers of the CSIRT that generated the IODEF document must never be considered an AlternativeID. The second is this is not describing protocol behavior, and as such there is no enforcement. In that case, we should say: [...] Do not use the incident tracking numbers of the CSIRT that generated the IODEF document as an AlternativeID. 3.8.4. ReportTime The ReportTime class represents the time the incident was reported. This timestamp SHOULD coincide to the time at which the IODEF document is generated. What other time can the timestamp refer to? Why would it be something different? Say so or turn this into a MUST. The ReportTime class represents the time the incident was reported. This timestamp MUST be the time at which the IODEF document is generated. 3.8.5. DateTime The DateTime class is a generic representation of a timestamp. Its semantics should be inferred from the parent class in which it is aggregated. Although not normative, this is very loose. When would one ever NOT infer the DateTime class for a particular timestamp class (start/end/report/detect)? Is there a reason not to just say: The DateTime class is a generic representation of a timestamp. Infer its semantics from the parent class in which it is aggregated. 3.10.4. Confidence Class [...] The element content expresses a numerical assessment in the confidence of the data when the value of the rating attribute is "numeric". Otherwise, this element should be empty. What else can it be? I do not think it could be anything: The element content expresses a numerical assessment in the confidence of the data when the value of the rating attribute is "numeric". Otherwise, this element MUST be empty. 3.13. Expectation Class [...] StartTime Zero or one. The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient. I would offer we not use the word 'should' here, as it is confused with 'SHOULD.' How about rewording this to say: StartTime Zero or one. The time at which the sender would like the action performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the sender would like the action performed as soon as possible. The absence of this element indicates no expectations of when the recipient would like the action performed. EndTime Zero or one. The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed. Or else what? We should be brutal here. I would offer: EndTime Zero or one. The time by which the sender expects the recipient to complete the action. If the recipient cannot complete the action before EndTime, the recipient MUST NOT carry out the action. NOTE: Because of tranist delays, clock drift, and so on, the sender MUST be prepared for the recipient to have carried out the action, even if it completes past EndTime. 3.16. Node Class [...] DateTime Zero or one. A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified. What is this used for? Is it important? Are we worried about DNS changes? What if the authoritative server does an update but the resolver's TTL has not expired? What is the use case? Assuming it is useful (I am doubtful), I would offer: DateTime Zero or one. A timestamp of when the resolution between the name and address was performed. This information MUST be provided if both an Address and NodeName are specified. Otherwise, drop the element. 3.17. Service Class [...] For a given source, System@type="source", a corresponding target, System@type="target", maybe defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n-ports are listed for a source, n-ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many, the exact order in which the System classes are enumerated in the Flow class is significant. There MUST be symmetry, but it is only a good idea to actually do it? Either there MUST be symmetry, or not. In being conservative in what one sends, I would move everything to MUSTs. Also note a few typographical errors that get fixed: For a given source, System@type="source", a corresponding target, System@type="target", may be defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if N ports are listed for a source, N ports MUST be listed for the target. Likewise, the ports MUST be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many, the exact order in which the System classes are enumerated in the Flow class is significant. Since the document brings it up, what does it mean to have a 1:1 correspondence of sources-to-targets if there can be more targets than sources? 3.19. Record Class The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document. What else can this class do? Take out one word and it is fine: The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs substantiate the activity described in the document. 3.19. Record Class [...] RecordData One or more. Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class SHOULD be used for each sensor type. If there is ever a reason not to have separate insances of RecordData, then enumerate them or explain how they get aggregated. Otherwise: RecordData One or more. Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class MUST be used for each sensor type. 4.2. IODEF Namespace The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each IODEF document SHOULD include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows: When would one EVER not include a valid reference on purpose? The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each IODEF document MUST include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows: Remember, later on we say this whole thing is a joke and you should not even try to dereference the URN, so it is safe to include the 32 bytes the URN takes up. We are already paying the XML tax, so we might as well really use it. 4.3. Validation The IODEF documents MUST be well-formed XML and SHOULD be validated against the schema described in Section 8. Here, finally, is a legitimate use of SHOULD. Well, actually, it should be a recommendation: The IODEF documents MUST be well-formed XML. Recipients are RECOMMENDED to validate the received document against the schema described in Section 8. Situations where the recipient may choose not to validate the received document include deployments where there is limited Internet connectivity and as such access to the schemas is not available or timely; implementations where concerns about accessing external files at run time may conflict with local policies; and situations where the integrity of the data is of little importance to the recipient. 5.2. Extending Classes [...] 4. When a parser encounters an IODEF document with an extension it does not understand, this extension MUST be ignored (and not processed), but the remainder of the document MUST be processed. Parsers will able to identify these extensions for which they have no processing logic through the namespace declaration. Parsers that encounter an unrecognized element in a namespace that they do support SHOULD reject the document as a syntax error. When would they not reject the document? Enumerate likely scenarios, like: Parsers that encounter an unrecognized element in a namespace that they do support SHOULD reject the document as a syntax error unless they can do meaningful processing without the element in question. If this is a real sitution, I would offer we would be better served with a mechanism similar to the machinery described by RFC 3459. Say what we mean, and if a sender sends something the recipient MUST understand, mark it as such. If a sender sends optional, "value added" information that can be ignored, mark it as such. Otherwise: Parsers that encounter an unrecognized element in a namespace that they do support MUST reject the document as a syntax error. 5.2. Extending Classes [...] 5. Implementations SHOULD NOT download schemas at runtime due to the security implications, and extensions MUST NOT be required to provide a resolvable location of their schema. This is incompatible with "The IODEF document ... SHOULD be validated." Is it really validated or is it not? I would offer this gets deployed in the real world: it will NOT be validated. That said, paragraph 5 does not help the implmentor. We need some meat around the strictures. For example: 5. There are security implications of requiring implementations to dynamically download schemas at run time. For example, malformed IODEF documents may launch a denial of service attack on a recipient by specifying bogus or numerous schema definition references in the document. Thus, implementations SHOULD NOT download schemas at runtime, unless implementations take appropriate precautions and are prepared for potentially significant network, processing, and time-out demands. 6. Some users of the IODEF may have private schema definitions that might not be available on the Internet. In this situation, if a IODEF document leaks out of the private use space, references to some of those document schemas may not be resolvable. This has two implications. First, references to private schemas may never resolve. As such, in addition to the suggestion that implementations do not download schemas at runtime mentioned above, recipients MUST be prepared for a schema definition in an IODEF document never to resolve. I think the new #6 above is what we are really saying when we say, "extensions MUST NOT be required to provide a resolvable location of their schema." If I am wrong, then the old #5 is not clear and needs to be fixed. 6. Internationalization Issues [...] The IODEF parser SHOULD extract the appropriate language relevant to the recipient. Two schools of thought. The first is this is an implentation issue: The IODEF parser can extract the appropriate language relevant to the recipient. - or - The IODEF parser extracts the most relevant language for the recipient. The second school of thought is this is a protocol issue: The IODEF parser MUST extract the appropriate language relevant to the recipient or return an error to the sender. I do not like this approach. RECOMMENDED's, all in Section 5.2, Extending Classes: [...] It is RECOMMENDED that the extension be placed in the most closely related class to the new information. Unless what? Will there ever be extensions that are not related to any existing class? Say so if so. 2. The extension schema MUST declare a separate namespace. It is RECOMMENDED that these extensions have the prefix "iodef-". Sensible, but let us at least say why: 2. The extension schema MUST declare a separate namespace. It is RECOMMENDED that these extensions have the prefix "iodef-". This recommendation makes readability of the document easier by allowing the reader to infer which namespaces relate to IODEF by inspection. 3. It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model. The names of all elements are capitalized. For composed names, a capital letter is used for each word. Attribute names are lower case. Again, sensible, and again we should say why: 3. It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model. This makes reading an extended IODEF document look like any other IODEF document. The names of all elements are capitalized. For composed names, a capital letter is used for each word. Attribute names are lower case.
- [mile] SHOULD/RECOMMENDED Analysis / Suggestions Eric Burger
- Re: [mile] SHOULD/RECOMMENDED Analysis / Suggesti… Roman D. Danyliw