Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom-access-15: (with DISCUSS and COMMENT)
Eliot Lear <lear@lear.ch> Tue, 25 April 2023 19:25 UTC
Return-Path: <lear@lear.ch>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3951C15154F; Tue, 25 Apr 2023 12:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.888
X-Spam-Level:
X-Spam-Status: No, score=-5.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VR4QLuWBn4bA; Tue, 25 Apr 2023 12:25:36 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C88EC14CF1B; Tue, 25 Apr 2023 12:25:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1682450713; bh=SY2S6txoNK+R6qDgbAUcRERwE/4OZHqaPtT5aNjxXrY=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=Kc0+J2SmnxbIsf2quUmkklnqkBY0aY4YF1kwnJhnf+piNBR+VJDR2WzTRTOp4brV6 beE8qCw151dwyPI0WiDXseHy+et8zXErhz1R5rW3FTesSckP/kZHobEbjIX2x6tjkE 6w/YJosaikkZ5fAfODIozoY7/hVXTkr2BSj0+psM=
Received: from [IPV6:2001:420:c0c0:1011::b] ([IPv6:2001:420:c0c0:1011:0:0:0:b]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 33PJP8jO209045 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Tue, 25 Apr 2023 21:25:12 +0200
Message-ID: <9b944fc2-edf3-aa66-2f1d-2622d04058f4@lear.ch>
Date: Tue, 25 Apr 2023 21:25:06 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-sbom-access@ietf.org, opsawg@ietf.org, opsawg-chairs@ietf.org
References: <168243799365.6036.7037004985148874900@ietfa.amsl.com>
Content-Language: en-US
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <168243799365.6036.7037004985148874900@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/dYJkN3usL6XJbkCLvH7LdLyJJOc>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom-access-15: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2023 19:25:41 -0000
Hi Roman, On 25.04.23 17:53, Roman Danyliw via Datatracker wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-opsawg-sbom-access-15: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** Section 1.2. > When both vulnerability and software inventory > information is available from the same location, both sbom and vuln > nodes MUST indicate that. > > What are “sbom and vuln nodes”? Those names don’t map to YANG model described > in Section 3. Is this “sbom-url” and “vuln-url”? You are correct. And I will correct as stated. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Christian Huitema for the SECDIR review. > > ** Section 1. Editorial. > > These two classes of information can be used in concert. For > instance, a network management tool may discover that a system makes > use of a particular software component that has a known > vulnerability, and a vulnerability report may be used to indicate > what if any versions of software correct that vulnerability, or > whether the system exercises the vulnerable code at all. > > Both classes of information elements are optional under the model > specified in this memo. One can provide only an SBOM, only > vulnerability information, or both an SBOM and vulnerability > information. > > The second paragraph seems to suggest that the classes of information are SBOM > and vulnerability information. That's right. > However, the example provided in paragraph one > doesn’t make that distinction clear since the “network management tool” > implicitly bundled SBOM+vulnerability information into one information element > by both knowing what software was loaded and that it was vulnerable. > Editorially, the case isn’t make that “these two classes of information can be > used in concert.” I think there are two issues here. The first is that it helps to have a source of vulnerabilities such as the NVD. The second is to use the manufacturer-provided status of those vulnerabilities (a'la CSAF). I will clarify this point. > > ** Section 1.1 > In the first few reads of the text, it was obvious that there were different > interfaces, but not that they served different content. Likewise, the title of > the section “How This Information Is Retrieved” didn’t match the text which > covered the properties of the retrieval rather than explicitly summarize it. I > would recommend adding something explicit about the role of the interfaces with > appropriate forward references at the start of the section. > > PROPOSED NEW: > Section 4 describes a data model to extend the MUD file format to carry SBOM > and vulnerability information. Section 1.5 of RFC8520 describes mechanisms by > which devices can emit a URL to point to this file. Additionally, devices can > share this URL either through documentation or within a QR code on a box. > Section 2 describes a well-known URL from which an SBOM could be served from > the local device. Used, thank you. > > ** Section 1.2 > When these are retrieved either directly from the > device or directly from a web server > > Recommend being clearer about the location of the web-server. Retrieval from > the device could be from its internal web. > > PROPOSED NEW > When these are retrieved either directly from the device or from a remote web > server. Used, thank you. > > ** Section 1.2. Editorial. > ... tools will need to observe the > content-type header to determine precisely which format is being > transmitted. > > Is it “content-type” or “Content-Type”? Corrected, thanks. > ** Section 1.2. > When both vulnerability and software inventory > information is available from the same location > > Recommend being precise by saying: s/from the same location/from the same URL/. Corrected. > > ** Section 4. sbom-archive-list. Does this list have a recommend sort order? > Is random ok? Newest to old? Yes, because the order would duplicate (and might well get wrong) information that would be in the SBOMs themselves. > > ** Section 5.1 > The second example demonstrates that just SBOM information is > included. > > { > "ietf-mud:mud": { > "mud-version": 1, > "extensions": [ > "transparency" > ], > "mudtx:transparency": { > "sbom-local-well-known": "https" > }, > "mud-url": "https://iot.example.com/modelX.json", > "mud-signature": "https://iot.example.com/modelX.p7s", > "last-update": "2022-01-05T13:29:47+00:00", > "cache-validity": 48, > "is-supported": true, > "systeminfo": "retrieving vuln and SBOM info via a cloud service", > "mfg-name": "Example, Inc.", > "documentation": "https://iot.example.com/doc/modelX", > "model-name": "modelX" > } > } > > The “systeminfo” text is not accurate (“retrieving vuln and SBOM info via a > cloud service”) as no vulnerability information appears to be provided in the > MUD file and the text describing the example also says no vulnerability > information is provided. Thanks. Cut and paste error. > > ** Section 5.2 > In this example, the SBOM is retrieved from the device, while > vulnerability information is available from the cloud. This is > likely a common case, because vendors may learn of vulnerability > information more frequently than they update software. > > { > "ietf-mud:mud": { > "mud-version": 1, > "extensions": [ > "transparency" > ], > "mudtx:transparency": { > "sbom-local-well-known": "https", > "vuln-url": "https://iot-device.example.com/info/modelX/csaf.json" > }, > "mud-url": "https://iot-device.example.com/modelX.json", > "mud-signature": "https://iot-device.example.com/modelX.p7s", > "last-update": "2022-01-05T13:25:14+00:00", > "cache-validity": 48, > "is-supported": true, > "systeminfo": "retrieving vuln and SBOM info via a cloud service", > "mfg-name": "Example, Inc.", > "documentation": "https://iot-device.example.com/doc/modelX", > "model-name": "modelX" > } > } > > The “systeminfo” text in this example is not accurate ( “retrieving vuln and > SBOM info via a cloud service”) as the SBOM appears to be locally served per > the file MUD file text and the text description of this example. Fixed. > > ** Section 6 > In particular, the YANG > module specified in this document is not necessarly intended to be > accessed via regular network management protocols, such as the > NETCONF [RFC6241] or RESTCONF [RFC8040], and hence the regular > security considerations for such usage are not considered here. > > -- Typo. s/necessarly/necessarily/ Fixed here. > -- Can a stronger statement be made here? Is this YANG module intended or not > to be access via NETCONF/RESTCONF? The MUD mechanisms are not intended to be used by NETCONF/RESTCONF, but that's this document. But it's a YANG model. So someone might try it. > ** Section 6 > If an attacker modifies the elements, they may misdirect automation > to retrieve a different set of URLs than was intended by the > designer. This in turn leads to two specific sets of risks: > > * the information retrieved would be false. > > * the URLs themselves point to malware. > > Additionally, there is a tracking/asset identification risk. If the attacker > can control the target of the URL (without having access or prior knowledge of > the devices), they could potentially discover the existence of particular > hardware at a given netblock/organization. That's a MUD issue, not specific to this model. > > ** Section 6 > SBOMs provide an inventory of software. If software is available to > an attacker, the attacker may well already be able to derive this > very same software inventory. > > Recommend being explicit on why knowing the SBOM helps the attacker. > > PROPOSED NEW > SBOMs provide an inventory of software. Knowledge of which specific software > is loaded on a system can aid an attacker in identifying an appropriate exploit > for a known vulnerability or guide the development of novel exploit against > this system. Sure. > > ** Section 6 > SBOMs provide an inventory of software. > … > When this information resides on the > endpoint itself, the endpoint SHOULD NOT provide unrestricted access > by default. > > Is this text referencing the “.well-known” interface? If so, please be clear. Ack. > > ** Section 6 > In > particular, if a system attempts to retrieve an SBOM via HTTP and the > client is not authorized, the server MUST produce an appropriate > error, with instructions on how to register a particular client. > > Assuming this sentence is talking about the “.well-known” interface, does this > same kind of guidance apply to CoAP? Good point. Added. > > ** Section 6 > To further mitigate attacks against a device, manufacturers SHOULD > recommend access controls. > > Good guidance. What’s the context of this recommendation given that this > specification is about an API to retrieve SBOM/vulnerability information. > Access controls on what? That should be "network access controls." > > ** Section 6 > Vulnerability information is generally made available to such > databases as NIST's National Vulnerability Database. It is possible > that vendor may wish to release information early to some customers. > We do not discuss here whether that is a good idea, but if it is > employed, then appropriate access controls and authorization SHOULD > be applied to the vulnerability resource. > > -- Please provide a reference for the NIST NVD Ok. > > -- Per “vulnerability resource”, is that a typo and it should be “vulnerable > resource” or is the text saying that the pre-release vulnerability information > needs to be protected? > Clarified. Thanks! Eliot > > _______________________________________________ > OPSAWG mailing list > OPSAWG@ietf.org > https://www.ietf.org/mailman/listinfo/opsawg >
- [OPSAWG] Roman Danyliw's Discuss on draft-ietf-op… Roman Danyliw via Datatracker
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Roman Danyliw