Re: [Panic] Scope Draft is Available

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Fri, 19 May 2017 14:09 UTC

Return-Path: <david.waltermire@nist.gov>
X-Original-To: panic@ietfa.amsl.com
Delivered-To: panic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 342AF1270A0 for <panic@ietfa.amsl.com>; Fri, 19 May 2017 07:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mIBwlwzj7Qt0 for <panic@ietfa.amsl.com>; Fri, 19 May 2017 07:09:52 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0099.outbound.protection.outlook.com [23.103.201.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275A6120454 for <Panic@ietf.org>; Fri, 19 May 2017 07:09:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=qRV28mwBs4q8fWVMyc5TZRdmtvVMiyjmasWI6ceIS9c=; b=O/o7jeDYnMfyPW7AIhNE37F5pXPS+eUEo9apO+O4YaT+LEC37G622GEqlBLD+XpnEdd+D1DBtXHb9xuS+HcPjAWuC2MpOzpoujWAUvnMLERA0C0Ea5Teq3XXI7/VU1VrmYB3qB5M4WVo/Jvwb5iD7aILjS+FPOkxwD3ubTKhJGQ=
Received: from MWHPR09MB1440.namprd09.prod.outlook.com (10.173.50.14) by MWHPR09MB1440.namprd09.prod.outlook.com (10.173.50.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1101.14; Fri, 19 May 2017 14:09:50 +0000
Received: from MWHPR09MB1440.namprd09.prod.outlook.com ([10.173.50.14]) by MWHPR09MB1440.namprd09.prod.outlook.com ([10.173.50.14]) with mapi id 15.01.1101.019; Fri, 19 May 2017 14:09:50 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
CC: "Panic@ietf.org" <Panic@ietf.org>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Thread-Topic: [Panic] Scope Draft is Available
Thread-Index: AdLNjFoi4UJSdMycRuOkrf0darmESQBj41DwADKpxpAAAE3vkAAGERdgABoV6IAAECSYQA==
Date: Fri, 19 May 2017 14:09:50 +0000
Message-ID: <MWHPR09MB1440FED81B63AC5103EA7B17F0E50@MWHPR09MB1440.namprd09.prod.outlook.com>
References: <MWHPR09MB14403A4D4118D9D685B31B8DF0E10@MWHPR09MB1440.namprd09.prod.outlook.com> <2c391fc46bca4900875ee3b0514df42b@XCH-ALN-010.cisco.com> <MWHPR09MB14404051B8C07A6F1205B7B2F0E40@MWHPR09MB1440.namprd09.prod.outlook.com> <7ddec0441a2d492f979c27325dfe1fdb@XCH-ALN-010.cisco.com> <MWHPR09MB14406D7D3B3505F6DD476366F0E40@MWHPR09MB1440.namprd09.prod.outlook.com> <D4EE3E29-4B4D-4B64-8328-2755E1E17353@telefonica.com>
In-Reply-To: <D4EE3E29-4B4D-4B64-8328-2755E1E17353@telefonica.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: telefonica.com; dkim=none (message not signed) header.d=none;telefonica.com; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [129.6.219.73]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR09MB1440; 7:yTCamnKt3x7TCXusg9BUhq/La3KkEqEsgFiL013Ue/NaQeSgCuxe2XqroIF09AkSgVewObiJVPWYuSrRyGr1YAMgQioeV06hi+O2Bqgns8prAGlJm8uw5aokCNGNTB9cBkG51vSxJUhskwsStzuvTLPq5Wo1SIWpkhxeGWuiA6yEZ9+Xm69jCeFB7Lr8cnHZZRkTfPFQ7G1zo1K7Y0FAspKVUEuLDxWeHzPfJdeLE4tStrWfwhRgrzvAXIt4v9CNqO8QnatC9ApmixXxepNyE4eERmL05xksv2JQFX+N9SjKGLTjqxSoKigy1fvrbwcH4QTmL48b+l7ebLQQzaK+3w==
x-ms-traffictypediagnostic: MWHPR09MB1440:
x-ms-office365-filtering-correlation-id: c0645a8e-d022-4e36-a09a-08d49ec0b708
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081); SRVR:MWHPR09MB1440;
x-microsoft-antispam-prvs: <MWHPR09MB1440AB68DC2C2083B68FA908F0E50@MWHPR09MB1440.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(40392960112811)(65766998875637)(120809045254105)(192374486261705)(131327999870524)(95692535739014)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(20161123558100)(6072148); SRVR:MWHPR09MB1440; BCL:0; PCL:0; RULEID:; SRVR:MWHPR09MB1440;
x-forefront-prvs: 031257FE13
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39400400002)(39410400002)(39840400002)(39450400003)(39860400002)(252514010)(377454003)(13464003)(24454002)(51914003)(40134004)(6436002)(606005)(110136004)(38730400002)(4326008)(66066001)(122556002)(77096006)(6306002)(478600001)(966005)(2900100001)(6506006)(345774005)(86362001)(6246003)(19609705001)(790700001)(189998001)(99286003)(54896002)(102836003)(3846002)(8676002)(54906002)(236005)(2950100002)(81166006)(8936002)(93886004)(25786009)(50986999)(55016002)(76176999)(54356999)(3660700001)(7736002)(6916009)(7906003)(74316002)(229853002)(7696004)(2906002)(53936002)(3280700002)(33656002)(9686003)(561944003)(5660300001)(53546009); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR09MB1440; H:MWHPR09MB1440.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR09MB1440FED81B63AC5103EA7B17F0E50MWHPR09MB1440namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 May 2017 14:09:50.5646 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR09MB1440
Archived-At: <https://mailarchive.ietf.org/arch/msg/panic/G1zgRL7gET2cxWqySmY2Xe_5Oow>
Subject: Re: [Panic] Scope Draft is Available
X-BeenThere: panic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Posture Assessment Through Network Information Collection \(panic\)" <panic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/panic>, <mailto:panic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/panic/>
List-Post: <mailto:panic@ietf.org>
List-Help: <mailto:panic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/panic>, <mailto:panic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 14:09:55 -0000

Diego, thanks for the edits.

All,

I am going to drop this text into an update of the scope draft. I’ll wait until Monday to work on posting the draft update. Please let me know if any other changes to the draft are desired.

Thanks,
Dave

From: Panic [mailto:panic-bounces@ietf.org] On Behalf Of Diego R. Lopez
Sent: Friday, May 19, 2017 2:23 AM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>;
Cc: Panic@ietf.org; Panos Kampanakis (pkampana) <pkampana@cisco.com>;
Subject: Re: [Panic] Scope Draft is Available

Hi,

I agree with David’s proposal, with just a few minor changes with respect to the original text, to make it more general, completely covering the virtual cases (NFV) and eliminating the term “device” to avoid too many equivalences...

Network operators need to know what is connected to their organization's networks so that they can properly manage those network elements. Managing these network endpoints, consisting of physical and virtual network infrastructure, requires access to information pertaining to them, including endpoint identity, the identity of software installed on the element, and the configuration setting values for the installed software. This information can be collected from different classes of elements over different protocols and using different data models. PANIC will identify a standardized solution to collect posture information for network element, and allow that information to be shared with authorized users and elements on the network supporting security automation. PANIC aims to reuse available standards for posture assessment where possible. The PANIC effort will avoid redefining information exchange technologies for use cases that have already been defined.

Be goode,

On 18 May 2017, at 20:01 , Waltermire, David A. (Fed) <david.waltermire@nist.gov<mailto:david.waltermire@nist.gov>> wrote:

Panos, thanks for providing text.

We have participants that are approaching this problem space that are accustomed to using endpoint and network element. How about the following introduction text to draw an equivalence between these terms?

Network operators need to know what is connected to their organization's networks so that they can properly manage those network elements. Managing these network elements, consisting of physical and virtual network infrastructure devices, requires access to information pertaining to these endpoint devices, including device identity, the identity of software installed on the endpoint, and the configuration setting values for the installed software. This information can be collected from different classes of endpoints over different protocols and using different data models. PANIC will identify a standardized solution to collect posture information for network devices, and allow that information to be shared with authorized users and devices on the network supporting security automation. PANIC aims to reuse available standards for posture assessment where possible. The PANIC effort will avoid redefining information exchange technologies for use cases that have already been defi
ned.

Also, I added your text to the security considerations section. I will post this in the -02 revision once we sort out the Introduction.

Thanks,
Dave


-----Original Message-----
From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com]
Sent: Thursday, May 18, 2017 12:30 PM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov<mailto:david.waltermire@nist.gov>>; Panic@ietf.org<mailto:Panic@ietf.org>
Subject: RE: Scope Draft is Available

ACK. Below some proposed text:

For the Security Considerations Section:
  Further discussion here will address the threat introduced to the network
elements by the posture information collection. There should be protections
implemented to prevent the element from being vulnerable to DoS attacks
by frequent polling or pushing of posture data.

For the Introduction Section:
  ...automation. PANIC aims to reuse available standards for posture
assessment where possible. It will avoid redefining info exchange
technologies for usecases that have already been defined.

For the Introduction Section:
  ...manage those
  endpoints. Endpoints / Elements include hardware, software of virtual
network infrastructure devices.





hardware, software or virtual (NFV fails in this

category)


-----Original Message-----
From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
Sent: Thursday, May 18, 2017 10:59 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com<mailto:pkampana@cisco.com>>; Panic@ietf.org<mailto:Panic@ietf.org>
Subject: RE: Scope Draft is Available

Panos,

Thank you for providing feedback on the PANIC scope draft.

Comments are inline below.


-----Original Message-----
From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com]
Sent: Thursday, May 18, 2017 10:37 AM
To: Waltermire, David A. (Fed) <david.waltermire@nist.gov<mailto:david.waltermire@nist.gov>>;
Panic@ietf.org<mailto:Panic@ietf.org>
Subject: RE: Scope Draft is Available

Hi David,

The document is clear.

One semantic objection I have is about the use of the word endpoint. I
believe the term is commonly used for user machines (laptops, cells,
tablets) . Network element or element is a little clearer.

I don't have a dog in this fight. I am happy to go either way (e.g., endpoint,
network element) if there is a preference in the group for one term or the
other. I'd like to hear other opinions on this.


A susggestion: The security section could mention the importance of
not introducing security concerns with the posture info collection.
For example a device should not be DoSable by too many polls, or it
should not push often enough that would introduce performance concerns
etc.

I think this is a good idea. Do you have some text in mind to drop in?


I think it will also be beneficial to be explicit about the types of
network elements. In the broad technologies that exist today, these
elements could be hardware, software or virtual (NFV fails in this
category). All of those should be in scope for this work.

All of these are in scope in my view.


Side comment: I would like this standardization effort to try to reuse
data formats and transports wherever possible and not come up with new
posture information descriptions. I think this is a common goal that
SACM has as well.

I share this goal as well. Should we document this in the draft?


Thanks,
Panos

Regards,
Dave


-----Original Message-----
From: Panic [mailto:panic-bounces@ietf.org] On Behalf Of Waltermire,
David A. (Fed)
Sent: Monday, May 15, 2017 11:03 AM
To: Panic@ietf.org<mailto:Panic@ietf.org>
Subject: [Panic] Scope Draft is Available

Welcome to the posture assessment through network information
collection
(PANIC) email list. At the side meeting on March 29th, we started
discussing the problem of how to measure the health of network
devices. We discussed the need to collect posture information from
network devices to support asset, software, vulnerability, and
configuration management use cases. We were asked by the group to
share a more detailed description of the intended scope for the PANIC
effort. The follow draft is an attempt to do
so:

https://datatracker.ietf.org/doc/draft-waltermire-panic-scope/

We would appreciate review of and comments on this draft. At this
point, we want to know if the this scope clearly defines the problem to be
solved.

Please let us know if you have any questions or concerns, or if you
think the scope draft is adequate.

Regards,
David Waltermire

_______________________________________________
Panic mailing list
Panic@ietf.org<mailto:Panic@ietf.org>
https://www.ietf.org/mailman/listinfo/panic

_______________________________________________
Panic mailing list
Panic@ietf.org<mailto:Panic@ietf.org>
https://www.ietf.org/mailman/listinfo/panic

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego.r.lopez@telefonica.com<mailto:diego.r.lopez@telefonica.com>
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição