Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom-access-15: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Tue, 25 April 2023 20:19 UTC
Return-Path: <rdd@cert.org>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91F73C151B29; Tue, 25 Apr 2023 13:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuamQipEmwS5; Tue, 25 Apr 2023 13:19:40 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0711.outbound.protection.office365.us [IPv6:2001:489a:2202:c::711]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64C71C151B24; Tue, 25 Apr 2023 13:19:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=gsoFwPcOo+USKOJok84x/YX4oFgukUZLh2rRFghF1+Hcqcs/ycC97FAnml9TMEvy6RhfT12tYN6l7CLcFjMA0y7yPJnPk/YszJFExkzph9ZiiF89lTo/18IlzVXviDiRiHsknZj8oJjQQV1OLZowvGVDPgg28Mi9n5UXmPzw0iJO6eV4xbe+pnh6T73FXxi+X6jpJBp2r4vfsONi8Wbs2/3zXmS4FUg2laBw4HlwrqcE/M1+bve8xjjrYSxdQBFa3GwX8GlilGUjwp3k6H2fVtHNP7dNRhi8WYWtQkzifBDA1AraBNwPXJNzSflxj/FQXWE63ef39kKLOUnFBQZxJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fav+dm2Zh+rLmXE4CgCp/ZHlMdSiRQUSPUhgGQ/d6Ts=; b=cN+/H9A0+WcOjI/T9BAvfMXOXn7rbjf9xOE3afngewC8+DQisYbxw/7ellg+X5k53PsbTynLP/MewRIs0mA46wlfFbNEEqOpZQhcjrcAYCnLAmPhnFn6bS13z6HCDp/QhgxORuQNwu+5CbOXiEYXjZiI38kvyuaWhOadi23Orm/dNAXoAjZA3xU+vLj60W8IGcg3YNwnrl4vZXNGIpaOCIPMy/Ci/KMzeMTdRYzZK2qcJrgbYnFcl2Albdx26pCmig+T+hl+41MBRvf1q3jdkggghfrbXxVYKaIFzlA0eZoR3Cd8sdKDUeN0iDyN44z1IEWDA057m1LrfV5SCSGhGw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fav+dm2Zh+rLmXE4CgCp/ZHlMdSiRQUSPUhgGQ/d6Ts=; b=lrr5UcSC+NUfV8Tctl/ed+B2g/RCV0TJZ2/HhBX1LCQCaJ2RtSCLMtn5cp1K/9migeSP2vZvEaSl624iZjJ4wWdFFSyMG0OITwSBYd2bLB+bIP3xnUvZ7z/ASiAHRLmUBY1IKBnroReGFjdJSqOOwjEZj9xgcJgW0f4eieGbXtg=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1624.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17e::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6319.33; Tue, 25 Apr 2023 20:19:35 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::29b2:8307:6a90:c79f]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::29b2:8307:6a90:c79f%6]) with mapi id 15.20.6319.034; Tue, 25 Apr 2023 20:19:35 +0000
From: Roman Danyliw <rdd@cert.org>
To: Eliot Lear <lear@lear.ch>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-sbom-access@ietf.org" <draft-ietf-opsawg-sbom-access@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>
Thread-Topic: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom-access-15: (with DISCUSS and COMMENT)
Thread-Index: AQHZd44dNiqduI/FtEazI3mvU0l+AK88aCsAgAALVSA=
Date: Tue, 25 Apr 2023 20:19:35 +0000
Message-ID: <BN2P110MB1107F35F644430E145C1954CDC649@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <168243799365.6036.7037004985148874900@ietfa.amsl.com> <9b944fc2-edf3-aa66-2f1d-2622d04058f4@lear.ch>
In-Reply-To: <9b944fc2-edf3-aa66-2f1d-2622d04058f4@lear.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1624:EE_
x-ms-office365-filtering-correlation-id: ac175c04-406f-4ade-cfac-08db45ca6385
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9KKEhs1yTIaKj+DInq8qs4FhGNwxAJ3jNKMKd+ruOfh+UMpEcZ5y9KeGCsGP0Gowbv3Lb2r0iR4/k33ekcWpbOJtfD+VuiWMci+DkJkVj4LolSMSR3Z9kiPH5Dx+t7E1448vz7FiVd/T2klCnXhuUmwnXWEAWK+e/VhWs7VOBATcS08fJy/R0TULoj2x53UVOKo+4UcV0OlCSPdnwRvk92mNYmqx25lYU728NJ8zSKQ9sPBuyWzR1t7Iug/yr3Xybv1PLfj7EOwxmbsCrYfp238O7g8ruLl6GAejjtOlIllJKekT2FNJzdiQnhmJhO9q/eDgrsGvfQuLfwp4O3IYt5BPMORP/EMzZQQmYV7gvWbd3AIr9Kkk/Dib/f4kEkX/hc5RX9nhlkQLeyXQZoIbj6iQyoaTv+fPFc2He+nc3xsuAAAyBcbc0ZQ5XaOx49YV156R/XNbFG+iQYPtq9Bb9BN8cFmuDu3fVXO+3z8nqMF7oLPmZSJ89cORHQSQ5oY4MunBpbPHgXBCJog6u7ffjgj9pHtyR2hm8q3zP5DKezhbKJ41OHtgw2xqH4SIU39DYEBPVcxsP7MTu6s/a73+grma9SynAheBTpEhBOomaO4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(39830400003)(396003)(136003)(366004)(451199021)(38100700002)(966005)(54906003)(7696005)(4326008)(38070700005)(71200400001)(110136005)(508600001)(66946007)(41300700001)(64756008)(66446008)(66556008)(76116006)(86362001)(66476007)(55016003)(26005)(83380400001)(186003)(6506007)(122000001)(53546011)(82960400001)(9686003)(8936002)(8676002)(33656002)(2906002)(30864003)(52536014)(41320700001)(5660300002)(66574015); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Q2AsoO0j8UoGyGh8F30e3qH7ffRwOe60e0J/kY395UveyiYd1l5g+ybukUuN53cVn1s5luChn3Af+DHxeTItxBacJ5Rfcm+qms5nF1YKRxU8727SAOPYeNrKZcM5gpV4QrArXOtIlqHk+6HqO87ux6ZUGKwdhMycolJ9mJm7wcS+afF5Bj85IQzItrhwfSGzpxB6u5FgZLEXbYK3slTGvdl/cHMPSwsiLcBGeG91yc0imvK3ObkiI259S4ki7zfKiD9ZPwJJulQZHv1yUefabYs/HPouAbj7LRzgI4e281XAxCEv3KfcaUeFGOF7O1JQTae55k5/YcEx+gsVhF7efpx2Pr4pw3CoDHaTUohfa2IZycxAtfNIuWgltZkBlPBDbdmouETDqw2YzPHGhVziz36a5yny4A4ycmlWMRIepNg=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ac175c04-406f-4ade-cfac-08db45ca6385
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2023 20:19:35.8121 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1624
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/jDIa6QJsc0R03sAG273R2ssoNJI>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom-access-15: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2023 20:19:44 -0000
Hi Eliot! Thanks for the quick and detailed follow-up. Everything you described below looks great. Thanks, Roman > -----Original Message----- > From: iesg <iesg-bounces@ietf.org> On Behalf Of Eliot Lear > Sent: Tuesday, April 25, 2023 3:25 PM > To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > Cc: draft-ietf-opsawg-sbom-access@ietf.org; opsawg@ietf.org; opsawg- > chairs@ietf.org > Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sbom- > access-15: (with DISCUSS and COMMENT) > > Hi Roman, > > On 25.04.23 17:53, Roman Danyliw via Datatracker wrote: > > Roman Danyliw has entered the following ballot position for > > draft-ietf-opsawg-sbom-access-15: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut > > this introductory paragraph, however.) > > > > > > Please refer to > > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-posi > > tions/ for more information about how to handle DISCUSS and COMMENT > > positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > ** Section 1.2. > > When both vulnerability and software inventory > > information is available from the same location, both sbom and vuln > > nodes MUST indicate that. > > > > What are “sbom and vuln nodes”? Those names don’t map to YANG model > > described in Section 3. Is this “sbom-url” and “vuln-url”? > > You are correct. And I will correct as stated. > > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thank you to Christian Huitema for the SECDIR review. > > > > ** Section 1. Editorial. > > > > These two classes of information can be used in concert. For > > instance, a network management tool may discover that a system makes > > use of a particular software component that has a known > > vulnerability, and a vulnerability report may be used to indicate > > what if any versions of software correct that vulnerability, or > > whether the system exercises the vulnerable code at all. > > > > Both classes of information elements are optional under the model > > specified in this memo. One can provide only an SBOM, only > > vulnerability information, or both an SBOM and vulnerability > > information. > > > > The second paragraph seems to suggest that the classes of information > > are SBOM and vulnerability information. > That's right. > > However, the example provided in paragraph one doesn’t make that > > distinction clear since the “network management tool” > > implicitly bundled SBOM+vulnerability information into one information > > element by both knowing what software was loaded and that it was > vulnerable. > > Editorially, the case isn’t make that “these two classes of > > information can be used in concert.” > > I think there are two issues here. The first is that it helps to have a source of > vulnerabilities such as the NVD. The second is to use the manufacturer- > provided status of those vulnerabilities (a'la CSAF). I will clarify this point. > > > > > > > ** Section 1.1 > > In the first few reads of the text, it was obvious that there were > > different interfaces, but not that they served different content. > > Likewise, the title of the section “How This Information Is Retrieved” > > didn’t match the text which covered the properties of the retrieval > > rather than explicitly summarize it. I would recommend adding > > something explicit about the role of the interfaces with appropriate forward > references at the start of the section. > > > > PROPOSED NEW: > > Section 4 describes a data model to extend the MUD file format to > > carry SBOM and vulnerability information. Section 1.5 of RFC8520 > > describes mechanisms by which devices can emit a URL to point to this > > file. Additionally, devices can share this URL either through documentation > or within a QR code on a box. > > Section 2 describes a well-known URL from which an SBOM could be > > served from the local device. > > Used, thank you. > > > > > ** Section 1.2 > > When these are retrieved either directly from the > > device or directly from a web server > > > > Recommend being clearer about the location of the web-server. > > Retrieval from the device could be from its internal web. > > > > PROPOSED NEW > > When these are retrieved either directly from the device or from a > > remote web server. > > Used, thank you. > > > > > > ** Section 1.2. Editorial. > > ... tools will need to observe the > > content-type header to determine precisely which format is being > > transmitted. > > > > Is it “content-type” or “Content-Type”? > Corrected, thanks. > > ** Section 1.2. > > When both vulnerability and software inventory > > information is available from the same location > > > > Recommend being precise by saying: s/from the same location/from the same > URL/. > > Corrected. > > > > > ** Section 4. sbom-archive-list. Does this list have a recommend sort order? > > Is random ok? Newest to old? > > Yes, because the order would duplicate (and might well get wrong) information > that would be in the SBOMs themselves. > > > > > ** Section 5.1 > > The second example demonstrates that just SBOM information is > > included. > > > > { > > "ietf-mud:mud": { > > "mud-version": 1, > > "extensions": [ > > "transparency" > > ], > > "mudtx:transparency": { > > "sbom-local-well-known": "https" > > }, > > "mud-url": "https://iot.example.com/modelX.json", > > "mud-signature": "https://iot.example.com/modelX.p7s", > > "last-update": "2022-01-05T13:29:47+00:00", > > "cache-validity": 48, > > "is-supported": true, > > "systeminfo": "retrieving vuln and SBOM info via a cloud service", > > "mfg-name": "Example, Inc.", > > "documentation": "https://iot.example.com/doc/modelX", > > "model-name": "modelX" > > } > > } > > > > The “systeminfo” text is not accurate (“retrieving vuln and SBOM info > > via a cloud service”) as no vulnerability information appears to be > > provided in the MUD file and the text describing the example also says > > no vulnerability information is provided. > > > Thanks. Cut and paste error. > > > > > > ** Section 5.2 > > In this example, the SBOM is retrieved from the device, while > > vulnerability information is available from the cloud. This is > > likely a common case, because vendors may learn of vulnerability > > information more frequently than they update software. > > > > { > > "ietf-mud:mud": { > > "mud-version": 1, > > "extensions": [ > > "transparency" > > ], > > "mudtx:transparency": { > > "sbom-local-well-known": "https", > > "vuln-url": "https://iot-device.example.com/info/modelX/csaf.json" > > }, > > "mud-url": "https://iot-device.example.com/modelX.json", > > "mud-signature": "https://iot-device.example.com/modelX.p7s", > > "last-update": "2022-01-05T13:25:14+00:00", > > "cache-validity": 48, > > "is-supported": true, > > "systeminfo": "retrieving vuln and SBOM info via a cloud service", > > "mfg-name": "Example, Inc.", > > "documentation": "https://iot-device.example.com/doc/modelX", > > "model-name": "modelX" > > } > > } > > > > The “systeminfo” text in this example is not accurate ( “retrieving > > vuln and SBOM info via a cloud service”) as the SBOM appears to be > > locally served per the file MUD file text and the text description of this > example. > > Fixed. > > > > > > ** Section 6 > > In particular, the YANG > > module specified in this document is not necessarly intended to be > > accessed via regular network management protocols, such as the > > NETCONF [RFC6241] or RESTCONF [RFC8040], and hence the regular > > security considerations for such usage are not considered here. > > > > -- Typo. s/necessarly/necessarily/ > Fixed here. > > -- Can a stronger statement be made here? Is this YANG module > > intended or not to be access via NETCONF/RESTCONF? > > The MUD mechanisms are not intended to be used by NETCONF/RESTCONF, > but that's this document. But it's a YANG model. So someone might try it. > > > ** Section 6 > > If an attacker modifies the elements, they may misdirect automation > > to retrieve a different set of URLs than was intended by the > > designer. This in turn leads to two specific sets of risks: > > > > * the information retrieved would be false. > > > > * the URLs themselves point to malware. > > > > Additionally, there is a tracking/asset identification risk. If the > > attacker can control the target of the URL (without having access or > > prior knowledge of the devices), they could potentially discover the > > existence of particular hardware at a given netblock/organization. > > That's a MUD issue, not specific to this model. > > > > > > ** Section 6 > > SBOMs provide an inventory of software. If software is available to > > an attacker, the attacker may well already be able to derive this > > very same software inventory. > > > > Recommend being explicit on why knowing the SBOM helps the attacker. > > > > PROPOSED NEW > > SBOMs provide an inventory of software. Knowledge of which specific > > software is loaded on a system can aid an attacker in identifying an > > appropriate exploit for a known vulnerability or guide the development > > of novel exploit against this system. > > > Sure. > > > > > > ** Section 6 > > SBOMs provide an inventory of software. > > … > > When this information resides on the > > endpoint itself, the endpoint SHOULD NOT provide unrestricted access > > by default. > > > > Is this text referencing the “.well-known” interface? If so, please be clear. > > Ack. > > > > > ** Section 6 > > In > > particular, if a system attempts to retrieve an SBOM via HTTP and the > > client is not authorized, the server MUST produce an appropriate > > error, with instructions on how to register a particular client. > > > > Assuming this sentence is talking about the “.well-known” interface, > > does this same kind of guidance apply to CoAP? > > Good point. Added. > > > > > > ** Section 6 > > To further mitigate attacks against a device, manufacturers SHOULD > > recommend access controls. > > > > Good guidance. What’s the context of this recommendation given that > > this specification is about an API to retrieve SBOM/vulnerability information. > > Access controls on what? > > That should be "network access controls." > > > > > > ** Section 6 > > Vulnerability information is generally made available to such > > databases as NIST's National Vulnerability Database. It is possible > > that vendor may wish to release information early to some customers. > > We do not discuss here whether that is a good idea, but if it is > > employed, then appropriate access controls and authorization SHOULD > > be applied to the vulnerability resource. > > > > -- Please provide a reference for the NIST NVD > > Ok. > > > > > > -- Per “vulnerability resource”, is that a typo and it should be > > “vulnerable resource” or is the text saying that the pre-release > > vulnerability information needs to be protected? > > > Clarified. Thanks! > > Eliot > > > > > _______________________________________________ > > OPSAWG mailing list > > OPSAWG@ietf.org > > https://www.ietf.org/mailman/listinfo/opsawg > >
- [OPSAWG] Roman Danyliw's Discuss on draft-ietf-op… Roman Danyliw via Datatracker
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Eliot Lear
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Roman Danyliw