Re: [Panic] notes on Panic Draft

Jessica Fitzgerald-McKay <> Wed, 26 July 2017 18:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 089CF131E3B for <>; Wed, 26 Jul 2017 11:46:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OuLa9NXMmRyV for <>; Wed, 26 Jul 2017 11:46:06 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2E834131E3A for <>; Wed, 26 Jul 2017 11:46:06 -0700 (PDT)
Received: by with SMTP id f9so124013607uaf.4 for <>; Wed, 26 Jul 2017 11:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CDK+Ef98KXhVhplGWx/Mgm+AZXn5BUryQI3Malk5KKw=; b=UD59TNg0OAU6VIKiNSuOHEGotLSzSq21wmq8yEMq7kBmM05VpDW9oUwGpNDEZxNZRT Z6V9bfKfXmxtuKeG6FQbNQK3YSqQBGFIylHtaxERXZ3tgjPbxVT7F6J8FsT0TCNwM76H 1FX3RktPDQ7P3nqDNBD1VgXIgpcPuaY9CSOnSMfPjIXjl399c+E+H2wUNOGD9qfpDxta 9sxKKJLx9/BxOYv30zgfNivadVTaQRLpzAPjBzWtm80GBgTmEf8wn6d93/BVX5dE8ufM ZtVXS7rwlZZo0xbPqaknLsyC5ntyssXJinGzcjeKnYJMVxvvCVMxcCADliBTL48GMi1Y lPtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CDK+Ef98KXhVhplGWx/Mgm+AZXn5BUryQI3Malk5KKw=; b=Bi7kCNTCUVwhnAfPR1xiRysNZFigMNJpMIP2/vXqfhES8gTOdb/UntLVALh4jnrG/p 71/Q/yuk7UOkSxtJplzA37VsTlwKVwG3dAJmYTYTD+Z3F+G4IowpVi4pTa98q3pdKJce VGkRGWlACTIx41sRrm57rwCJ0kvHUrQUzZXk26vmxjXlzq3rAEBqBXE4skp2D9vaoehC +qVf5SbNruEd07WNZR/nVTuCeGP3B23RUmeGc0OidYHBpzAsaxhtH1FlmKP/SJ/9elSe g9lGyL4FYuqSJQaTTZFIqhy2vt1qdpDtNkI04qzKZ+mkyTLix+3H00RtM1/2wRrzeAlD +QFg==
X-Gm-Message-State: AIVw112AWFMrWN1MDkJYJuLPahS24xvN+G6bn2cH07qhWYeY0gevXjKD CCSP5+5Au2eYLcN9XAu3C4NyNj6gdg==
X-Received: by with SMTP id i44mr1279049uaa.57.1501094764932; Wed, 26 Jul 2017 11:46:04 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 26 Jul 2017 11:46:04 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Jessica Fitzgerald-McKay <>
Date: Wed, 26 Jul 2017 14:46:04 -0400
Message-ID: <>
To: Guy Fedorkow <>
Content-Type: multipart/alternative; boundary="94eb2c18f6d83cf49805553cdc7c"
Archived-At: <>
Subject: Re: [Panic] notes on Panic Draft
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Posture Assessment Through Network Information Collection \(panic\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Jul 2017 18:46:09 -0000

Thanks for the feedback, Guy. Responses in-line. I have more questions than
answers, and I'd like others on the list to weigh in. Looking forward to
hearing from everyone.

On Fri, Jul 21, 2017 at 5:18 PM, Guy Fedorkow <> wrote:

> Hi Dave, Jessica,
>   Thanks for updating the PANIC draft…  I think it’s starting to take
> shape!
>   It seems that the next step in moving this forward might be to outline
> the kind of information we want to retrieve from the endpoints.  I’d assume
> you’d want some kind of info to identify the device – manufacturer, serial
> number, etc, plus something that shows the software revision of the
> relevant modules.  Could that be something like a set of SWID tags?

​Personally, I would be delighted if software load could be captured in a
SWID tag. Failing that, I would like to be able to collect a swid-like set
of information from​ the network device. I took a look at NISTIR 8060
(which you can read here:
nistpubs/ir/2016/NIST.IR.8060.pdf) and it looks like-- ignoring data about
the tag itself, like tagID, entity information about the tag creator, etc--
 required fields for a primary tag are:

   - software name and
   - software version,

which should be easy enough to collect on their own.

But, SWID tags offer additional information that could be useful to us.
Evidence and payload fields, for instance, can be used to communicate file
hashes that comprise the software. Tag signatures could allow us to have
move trust in the entity that created the tag (for example, a tag from the
software vendor is potentially more trust worthy than one created by a
third party). And SWIDs allow us to easily communicate what patches are
installed on the product, which is necessary for vulnerability and
compliance assessments.

All things considered, I'd like to use SWID tags. I would like a sense of
how widely implemented they are for network device software and operating
systems. Anyone have any insight there?

  It might be good to pattern the device information on IEEE 802.1AR.
> Using a cryptographic ID might not be a ‘must’, but it’s probably a
> desirable option, so making sure it would fit might be helpful.

802.1ar requires installation ​
​of an IDevID, from which many LDevIDs can be created. I'm happy to geek
out on the added security of cryptographic IDs, but, can we talk though the
workflow of getting the initial IDevID installed (who would be responsible
for that? Do network equipment vendors use IDevIDs today? If not, could the
device owner install one without a lot of hassle?)​.

Also, secure though 802.1ar is, it often has no relation to any observable
device identities on the network. I'm thinking about a behavior monitoring
use case here, in which I notice a device behaving in an unexpected manner,
and want to investigate it's posture while I figure out what is going on.
Is there a way to gather many identities from an network device using

>   It might be good to add a note saying whether the draft should extend to
> virtualized devices, e.g., NFV instances.  I’d assume that it should, but
> that might make identity a bit more complicated.

​In section 3 of the draft, we say "​Virtualized network functions are
currently considered in scope". Of course, I worded it that way because I,
too, am concerned about whether their inclusion makes our solution overly
complicated. Are there any netconf experts that can speak to this concern?

>   On the topic of scope, I suppose it might be good to say if “Things”, as
> in IoT, are in scope or not.  I can’t guess if that has an impact on the
> technical spec, but there certainly could be an impact on implied scaling
> needs, and it might help remind readers that figuring out what’s running in
> the IoT is a getting to be a big problem.

​Agreed that IoT is a problem. Do many "Things" that compose the Internet
of Things implement netconf?​ It's such a broad space, I worry that some
"Things" could handle netconf, and others (things like "smart dust", etc.)
couldn't handle the added weight.

>   The diagram in the front of the draft shows an interconnect between
> Posture Server and Data Store…  seems like there could be some complicated
> transactions across that link…  Do you think there’s existing practice that
> could be used for this?

​Sadly, I know of nothing we could easily point to and say "that is the
protocol we will use for server-datastore communication". But, what I do
not know could fill volumes. Maybe others have ideas where we can start?

>   The draft also mentions methods that Endpoints can use to find Posture
> servers.  I wonder if Zeroconf or some kind of DHCP trick might work for
> this?

​Zeroconf is an option. TCG has some prior art here (
I am happy to consider all viable options.​

>   Finally, in Security Considerations, I wonder if there should be
> something about how much we do or don’t trust the endpoint to report its
> Information truthfully. The combination of 802.1AR and signed SWID tags
> might help with a way to assess the reliability of the information.

​Agreed, I will add that to the next revision. ​

>   Great start, let’s try to start breaking down some of the top-level
> topics to get to the next level of requirements.
> Thx,
> /guy
> _______________________________________________
> Panic mailing list