Re: [mile] Security alert reporting - the firstMILE

"Takeshi Takahashi" <takeshi_takahashi@nict.go.jp> Tue, 05 April 2016 04:52 UTC


Hi Bob and all,

My understanding of netconf is rather shallow, but netconf is another
XML-based messaging protocol, and it could be interesting to see how the model
(developed by the XMPP draft) will be applied to the netconf messages.

By the way, in Section 3 (whose title is "Problem Space") of the draft, you
identified the following problem.

"It is recognized that many of these alerts are too detailed to be
actionable. Some implementations of the alert monitor will include analytic
tools to select the actionable information from the alerts.  Alerts which
are too detailed to be actionable or alerts which include analytical tools
are outside of any standardizing process."

IMHO, it is a viable concern, and I am wondering how deeply you are trying
to work on this issue in this draft.
FYI, we have a draft that provides guidelines on the usage of IODEF
documents:
https://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/

The current version of the guidance draft does not cope with the issue you
raised.
If you are trying to provide some solution, the guidance draft could refer
to your draft.
But if you are trying to provide only a couple of sentences, the guidance
draft could address this issue.

Take

> -----Original Message-----
> From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Robert Moskowitz
> Sent: Friday, March 25, 2016 9:51 AM
> To: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; Panos Kampanakis
> (pkampana) <pkampana@cisco.com>; tony@yaanatech.com; mile@ietf.org
> Subject: Re: [mile] Security alert reporting - the firstMILE
> 
> Past two days I have been busy with the holiday of Purim; next week is my
> youngest son's wedding, so responses from me until IETF will be scattered
> (physically as well as mentally!).
> 
> On 03/24/2016 06:51 PM, Nancy Cam-Winget (ncamwing) wrote:
> > Hi Bob,
> >
> > The general architecture of the xmpp-draft can cover other protocols
> > (like Netconf or TAXII), but as we are defining it in MILE, the draft
> > speaks to the applicability for IODEF.
> >
> > From your draft, am not sure if you're creating yet another pub/sub
> > mechanism?  If so, would like to see it compared to others (most of
> > which could be adapted to carry different data models).
> 
> I was leaving MOST of the higher layer stuff alone for first.  Only Sub is
> partially done using NETCONF and that is Sue Hares' contribution from work
> being done elsewhere like in I2RS.
> 
> So taking your work on XMPP and changing the transport model to UDP and
> the security to SSLS, is of interest to me.  Over in DOTS we have discussed
> extensively messaging challenges during attacks. MILE would also benefit
> from that design work.
> 
> Plus the NETCONF for sub has a lot to consider.
> 
> As I said, I have a personal bias concerning XMPP; but if the shoe
> fits.... Just want to fix up its soles a bit!  So to speak.
> 
> 
> >
> > Regards, Nancy
> >
> > On 3/22/16, 8:57 PM, "mile on behalf of Robert Moskowitz"
> > <mile-bounces@ietf.org on behalf of rgm-sec@htt-consult.com> wrote:
> >
> >> Which is a more complete effort than firstMILE and covers some more
> >> areas, but has the challenge of TCP during congestion attacks.  Does
> >> not leverage NETCONF for configuration.  Has a registration function...
> >>
> >> Maybe I just have an historical bias with XMPP as I go back to the
> >> origin of MQ series from IBM and where they lifted it from work we did
> >> at Chrysler...  ;)
> >>
> >> But I will read through that draft again.
> >>
> >> On 03/22/2016 11:24 PM, Panos Kampanakis (pkampana) wrote:
> >>> Also overlaps with the XMPP pub/sub model suggested in
> >>> https://tools.ietf.org/html/draft-appala-mile-xmpp-grid-00
> >>> specifically for IODEF.
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Robert
> >>> Moskowitz
> >>> Sent: Tuesday, March 22, 2016 1:41 PM
> >>> To: tony@yaanatech.com; mile@ietf.org
> >>> Subject: Re: [mile] Security alert reporting - the firstMILE
> >>>
> >>> My reading of ROLLE here, or the limited information I can find
> >>> googling TAXII is that neither addresses the start of the incident at
> >>> the firewall/IPS/IDS/router.
> >>>
> >>> firstMILE is to get the attack event into the monitoring systems.
> >>> There analytics and/or an admin will determine if mitigation action is
> >>> needed and then start action in RID/ROLLE/TAXII.
> >>>
> >>> Or that is my take on reading existing documents and conversations at
> >>> the past two IETFs.
> >>>
> >>> On 03/22/2016 01:15 PM, Tony Rutkowski wrote:
> >>>> Hi Bob,
> >>>>
> >>>> There is a lot of puzzlement to go around.
> >>>> In trying to track all the parallel universes, are you creating an
> >>>> alternative to TAXII here?
> >>>> Or ROLLE come to life?
> >>>>
> >>>> How would you differentiate firstMILE?
> >>>>
> >>>> -t
> >>>>
> >>>>
> >>>> On 2016-03-22 11:37 AM, Robert Moskowitz wrote:
> >>>>> I have been puzzled by the lack of a standardized security alert
> >>>>> reporting process.  After a few discussions and a lot of thought on
> >>>>> the problem, I have come up with firstMILE:
> >>>>
> >>>>
> >>> _______________________________________________
> >>> mile mailing list
> >>> mile@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/mile
> >>>
> >
> 