IETF Logo Mail Archive

Re: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)

"Schmidt, Charles M." <cmschmidt@mitre.org> Sat, 24 February 2018 06:00 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B92CB126D45; Fri, 23 Feb 2018 22:00:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C11KFP5DjDaA; Fri, 23 Feb 2018 22:00:18 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 0F73E1204DA; Fri, 23 Feb 2018 22:00:17 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 168CA6C0010; Sat, 24 Feb 2018 01:00:17 -0500 (EST)
Received: from imshyb01.MITRE.ORG (unknown [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 02BA96C000C; Sat, 24 Feb 2018 01:00:17 -0500 (EST)
Received: from imshyb02.MITRE.ORG (129.83.29.3) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 24 Feb 2018 01:00:16 -0500
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Sat, 24 Feb 2018 01:00:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=acN0Y9Q8CDzXQI+J0usBZklM4oOZLngcHT+8774InEQ=; b=NwUQCuHtx0E5N56RKGk4EAmoCbZb3m6hh/MxgTVcQzky8o2XMFTHdP9AcTXjen07/e1AW1FeR63H/YYY+ITBFjmbWRxALKFuYjttUTYGO5ZImjUjvWY22iqHf3M3a3gVxAtpeYktA6SYo8gPKPwlNNB/1rPerbnwuUw0ix+31ak=
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) by DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Sat, 24 Feb 2018 06:00:13 +0000
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1]) by DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1%13]) with mapi id 15.20.0506.023; Sat, 24 Feb 2018 06:00:13 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "draft-ietf-sacm-nea-swima-patnc@ietf.org" <draft-ietf-sacm-nea-swima-patnc@ietf.org>, "odonoghue@isoc.org" <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
Thread-Index: AQHTq2eLIuFyyJBvDUmqOOjlymQHVKOzDfwg
Date: Sat, 24 Feb 2018 06:00:12 +0000
Message-ID: <DM5PR0901MB2375263C5375E6438FA0A70BABC30@DM5PR0901MB2375.namprd09.prod.outlook.com>
References: <20180221225835.GG54688@mit.edu>
In-Reply-To: <20180221225835.GG54688@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.86]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2375; 6:C4PGsMW8YR/COqXGKMTrRPs6onV+DTiSG4EqU+6hOjUsURgG3I40ZgpYMoSwIjb9prT30BM/pJzAkix1qWy2GYEx6Hyn4PfUopBoLcuurYPRITxYKjb5rYlWQl/YZu0KZtjf/wEzgqsQcJo6EZXlXkaDrGxszH5p5AnORO/F7PF3tnYxKc24eCI0ojnB5xbvN9nIl9A6WhtGE8p9OcXEyHu5JWczIz3NKEgrA9sE8rIPjCOH/jzkJgaz/cm7MG7HVaQo4Vf0Haq+dpCrwdUsyMalDyLwCKv2aE7U/BfUs7DThXxKf/PqJ4JhvW4ozWo7/BsIVNmqX1KuPcNg03V3Gbu3jIYJNihaO/kpbu7Q3ojRXlbgyXVLX5MxyFiEZNl1; 5:8ifdYxDHT5EiY+yQIvpL9XIwvz1YjaNcegYOQYO2Twsbx7basRHyvVsxHFMGg1nSwa8vg4K0AKW6UzJRi4XOO5VSctiU/Q714F9EENhq3nV/84GSeE28NUS6cimaTqkwOKbGBHLsuZ8guYpPPliNHr1MKMdMCA9uncp5j1tWRYM=; 24:uWZf39I88nLRCqUtZ5rzWYgye/h8UyEIRxjoXWFbj13qKGBKfvxuf6Di65NWB8+ddj0H5mbs2DZeHMBRzEyeuTH3hR7j4YUYlyxADmocKrQ=; 7:6JaGaqsys0ovMdGVZL3ObvTV3IpHgLTlsKhFcrFF4ReGh9hOF7nGxr3q2+D43bVZOaa+FMK670CJXY6UIsD+b8JzitdBFc5XY6goZfVyLvtmIwXjkwQgW2FyoPVBID6WyLkoW8dEflbn93KhwN6YjLfGnjIUmuloop63elUU9DEKD+aJTuJjIqt726o+7CqUp3qImB0r4QkyVHY9kX9Zoqe8NKvHgXFm75/omLYluiP27cx0WwG9SkT5t94rXwpp
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 6cdbbcf0-2812-4f2d-6e50-08d57b4bdeb7
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR0901MB2375;
x-ms-traffictypediagnostic: DM5PR0901MB2375:
x-microsoft-antispam-prvs: <DM5PR0901MB23758EB349A9995E74E28F9CABC30@DM5PR0901MB2375.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(240460790083961);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(3231212)(944501161)(52105095)(3002001)(93006095)(93001095)(10201501046)(6055026)(6041288)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123560045)(20161123558120)(6072148)(201708071742011); SRVR:DM5PR0901MB2375; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2375;
x-forefront-prvs: 0593E261C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(346002)(39380400002)(39860400002)(396003)(199004)(189003)(13464003)(81166006)(8676002)(26005)(6436002)(33656002)(186003)(2900100001)(14454004)(68736007)(106356001)(2906002)(74316002)(229853002)(5250100002)(3280700002)(81156014)(2950100002)(8936002)(102836004)(66066001)(305945005)(6506007)(3846002)(6116002)(53546011)(7736002)(99286004)(86362001)(97736004)(105586002)(7696005)(9686003)(59450400001)(55016002)(4326008)(8666007)(25786009)(2171002)(53936002)(316002)(3660700001)(76176011)(54906003)(6246003)(110136005)(478600001)(5660300001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2375; H:DM5PR0901MB2375.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: wQXf9xNjY1ByaUkxbxM0A3wvktxt0u6Qn/Ii8eygcXinUCh4BVzAMonq976JLisPmJoB3r36WLFdKIO/dQpC+peGVZKG95+SbepCdjgmaRNzVwQ8DfBW2VnQ5xC+R+wiSr/FmKgYl9U+/9kfqS+NnJlnKPpIugLpog9Wju/16ZY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6cdbbcf0-2812-4f2d-6e50-08d57b4bdeb7
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Feb 2018 06:00:13.0048 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2375
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/9hx-W0_XD_kAAZXM-soj0QW-GQk>
Subject: Re: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Feb 2018 06:00:21 -0000

Hello,

Thanks a bunch for the comments. I agree and have implemented most of the changes. I have a few questions/responses:

> My understanding is that the
> primary benefit of this work is in managed environments where there
> is an expectation that only a central authority within a given trust
> domain will be installing/updating software, and so this mechanism
> can be used to audit for policy compliance, in terms of things like
> whether updates are taken in a timely fashion, and blocking
> certain types of "role-based" access where the presence of certain
> software indicates a certain role.  

I think SWIMA has a much broader use, including gathering information from endpoints where users control what software is added. That said, in re-reading the introduction I agree that it doesn't adequately convey that SWIMA standardizes transport but not detection. I'll update accordingly.

> Also Section 2.3
> 
> Can we REQUIRE the underlying transport to provide confidentiality,
> or is there some historical baggage that requires us to allow the
> possibility of cleartext transport?  To be clear, my preference
> is in general for in-protocol message protection, but I recognize
> that there are scenarios where that doesn't always work well or is
> redundant.

NEA is designed to support an extensible list of PT (transport) protocols. Currently, the only NEA transport protocols defined are PT-TLS and PT-EAP, both of which provide confidentiality. I cannot think of why, but it might be the case that sometime in the future someone might create a PT protocol that does not provide confidentiality. If someone did this, I am not sure I would want to automatically preclude SWIMA from using it. In short, my preference would be to note this issue, but not dictate a specific response. Please let me know if you still feel that stronger requirements for confidentiality are necessary.

> I'm a little concerned that there are some broad MUST-level
> requirements that seem hard to know if they can actually be
> implemented reliably, like only using a data source in the posture
> collector if it is known that it can meet all the listed
> requirements both now and in the future, or the requirements for
> consistency across time about how various information is handled.
> This makes updating the PC software pretty risky.  Another example
> is saying that "Even a probable location for a software product is
> preferable to using a zero-length locator." so that once we pick one
> we can't change what is reported.  (I guess we're supposed to
> DELETE+CREATE in this scenario?)

Could you expand on this? At the moment I feel the MUSTs are all necessary. In the case of "MUST meet all listed requirements", this is because a partially compliant source would not provide the consistent view that SWIMA needs. For example, if one source didn't allow event detection, that would mean that events could not reliably be used to update inventory information, violating a SWIMA-PV's assumptions. 

I'm not sure what you mean with regard to your concern about preferring "probable locations" to a lack of location, or how that relates to DELETE+CREATE events. Could you clarify?

> In Section 3.6
> 
> It seems a little odd to me that we need to keep last state prior to
> deletion even around, but we don't need to be able to provide the
> full alteration history -- that makes an alteration event seem like
> a weaker piece of data than delete+create would be, whereas intution
> might think that they should have the same information content.

I am confused by this comment. The requirement to retain deleted records is different from the requirement to track alterations. The former is provided so that SWIMA-PVs are able to get additional data about a product that has been deleted, in the form of the deleted software's information record. Alteration, creation, and deletion are for tracking changes to software state. This needs to provide a complete history so that old state information can be updated to reflect new state. In this, alteration and delete+create are, in fact, of equal value. Am I misunderstanding your comment?

> It makes me a little sad to see an ASCII time representation used when more
> space-efficient options are available and we've already got binary
> integers going on the wire.  Seconds since the epoch might even be
> enough for this work, or for more precision 100s of nanoseconds
> since the epoch is also seeing some notable use.

I would definitely be open to other formats as long as they are not too esoteric. RFC 3339 was just what the TNC uses in their protocols. I'm always for saving some bytes. Do you have a recommendation? 

Beyond these questions, I agree with your comments and have updated the draft accordingly.

Thanks again for the input.

Charles

> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk@mit.edu]
> Sent: Wednesday, February 21, 2018 4:59 PM
> To: The IESG <iesg@ietf.org>
> Cc: sacm-chairs@ietf.org; draft-ietf-sacm-nea-swima-patnc@ietf.org;
> odonoghue@isoc.org; sacm@ietf.org
> Subject: Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-
> nea-swima-patnc-02: (with COMMENT)
> 
> 
> [incoming AD getting practice with document review; please treat as
> No Objection with COMMENT]
> 
> The Introduction comes off as very strongly supporting this
> technology and implying that it's useful in all scenarios, but my
> understanding is that the benefits and applicable scenarios are more
> limited.  (Section 2 and the rest of the document seem more akin to
> what I would expect, which is good.)  My understanding is that the
> primary benefit of this work is in managed environments where there
> is an expectation that only a central authority within a given trust
> domain will be installing/updating software, and so this mechanism
> can be used to audit for policy compliance, in terms of things like
> whether updates are taken in a timely fashion, and blocking
> certain types of "role-based" access where the presence of certain
> software indicates a certain role.  There are of course other
> situations where it could be useful, and I'm probably missing some
> of them, but the limitations called out in (e.g.) Section 7.1 do
> seem to give the guidance that this mechanism should not be relied
> upon directly as a security measure with any great deal of weight.
> So, perhaps the Introduction could say things like "useful to
> understand and maintain the security state of a managed network",
> "Some sites have a need for a standardized method for exchanging
> software inventory data", etc.
> 
> 
> I'll also second Eric's concerns about the privacy considerations,
> with a callout for the error descriptions as well -- there's a
> history of cleartext error strings on the wire leading to attacks
> (albeit usually against cryptography and not a higher-level
> protocol).
> 
> 
> Section 2.3
> 
>       Efficiency is also important when one considers that some network
>       endpoints are small and low powered, some networks are low
>       bandwidth and/or high latency, and some transport protocols (such
>       as PT-EAP, Posture Transport (PT) Protocol for Extensible
>       Authentication Protocol (EAP) Tunnel Methods [RFC7171]) or their
>       underlying carrier protocol might allow only one packet in flight
>       at a time or only one roundtrip.
> 
> I think I'm a little confused at how this protocol could be useful at all
> with only one roundtrip -- or does roundtrip just mean one
> request/response exchange, which could involve lots of packets and
> potentially take longer to deliver than the path RTT?  (The latter
> could maybe make sense in an EAP scheme where you need to verify the
> client environment before allowing access, though see above
> disclaimer about this not seeming like a strong security mechanism.)
> 
> Also Section 2.3
> 
> Can we REQUIRE the underlying transport to provide confidentiality,
> or is there some historical baggage that requires us to allow the
> possibility of cleartext transport?  To be clear, my preference
> is in general for in-protocol message protection, but I recognize
> that there are scenarios where that doesn't always work well or is
> redundant.
> 
> 
> I'm a little concerned that there are some broad MUST-level
> requirements that seem hard to know if they can actually be
> implemented reliably, like only using a data source in the posture
> collector if it is known that it can meet all the listed
> requirements both now and in the future, or the requirements for
> consistency across time about how various information is handled.
> This makes updating the PC software pretty risky.  Another example
> is saying that "Even a probable location for a software product is
> preferable to using a zero-length locator." so that once we pick one
> we can't change what is reported.  (I guess we're supposed to
> DELETE+CREATE in this scenario?)
> 
> 
> In Section 3.6
> 
> It seems a little odd to me that we need to keep last state prior to
> deletion even around, but we don't need to be able to provide the
> full alteration history -- that makes an alteration event seem like
> a weaker piece of data than delete+create would be, whereas intution
> might think that they should have the same information content.
> 
> Section 5.6
> 
>    Request IDs can be randomly generated or sequential,
>    as long as values are not repeated per the rules in this paragraph.
>    SWIMA-PCs are not required to check for duplicate Request IDs.
> 
> The birthday bound for a 32-bit number is not a super-great margin
> of comfort for a random selection, though I guess the consequences
> of a collision are not catastrophic.
> 
> 
> It makes me a little sad to see an ASCII time representation used when more
> space-efficient options are available and we've already got binary
> integers going on the wire.  Seconds since the epoch might even be
> enough for this work, or for more precision 100s of nanoseconds
> since the epoch is also seeing some notable use.
> 
> 
> Editorial nits:
> 
> 
> There's a typo in the abstract (for "Trusted").
> 
> As a general note, "Software Inventory Message and Attributes for
> PA-TNC" is written out in full many times in the document (including
> in tables); does it make sense to abbreviate it more often or just
> refer to "this document" or "this specification" or similar?
> 
> Section 1.3, "Endpoint's Software Inventory Evidence Collection":
> 
>    [...], information generated to report output from
>    software discovery tools, and [...]
> 
> Maybe this makes more sense with s/to/from/?  The current text
> leaves me pretty confused (so maybe my suggestion is bunk).
> 
> 
> Section 3.2
> 
>    Do not confuse the "data model" described here with the SWIMA
>    messages and attributes used to convey information between SWIMA-PVs
>    and PCs.  The SWIMA specification dictates the structure of its
>    messages and attributes.  Some attributes, however, have specific
>    fields used to convey inventory records, and those fields support an
>    extensible list of data models for their values.  By contrast, a data
>    model refers only to the structure used to organize software
>    inventory record data.
> 
> We probably should disambiguate all occurrences of "data model" in this
> paragraph, just to be clear.
> 
> 
> Section 3.4.1
> 
>        Instead,
>        to reliably distinguish between multiple instances of a single
>        software product, one needs to make use of Record Identifiers,
>        described in the following section.
> 
> actually it's section 3.4.3 now, not directly following.
> 
> 
> Section 3.4.2
> 
>    Clearly identifying the type of
>    data model from with the Software Identifier was derived thus
>    provides useful context for that value.
> 
> "from which"
> 
> 
> Table 7 should disambiguate the initial Status Flags field, as the table
> currently has two mentions of "Flags" that mean different things.
> 
> 
> Section 5.15
> 
>    When sending to a giving SWIMA-PV, the SWIMA-PC MUST use the
>    recipient SWIMA-PVs Source Identifier associations.
> 
> s/giving/given/
> Also, maybe mention what scope of private agreement is needed on the
> interpretation of the metadata, which is basically opaque as far as SWIMA is
> concerned.  That is, is this something agreed upon just between a
> specific PC
> and PV, or expected to be agreed upon in a broader group (e.g.,
> organization)
> 
> 
> Section 5.16.1 et seq
> 
> Should we say something about how the length of the variable-length
> description field is know from the length of the PA-TNC attribute?
> 
>

v2.23.0 | Report a Bug | By Email