IETF Logo Mail Archive

Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc

"Schmidt, Charles M." <cmschmidt@mitre.org> Mon, 07 August 2017 16:59 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C61CF132754 for <sacm@ietfa.amsl.com>; Mon, 7 Aug 2017 09:59:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6KRyfBdRX3m for <sacm@ietfa.amsl.com>; Mon, 7 Aug 2017 09:59:40 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id D51C8132752 for <sacm@ietf.org>; Mon, 7 Aug 2017 09:59:39 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 317356C0225; Mon, 7 Aug 2017 12:59:39 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (imshyb01.mitre.org [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 1F2136C0212; Mon, 7 Aug 2017 12:59:39 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 7 Aug 2017 12:59:38 -0400
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Mon, 7 Aug 2017 12:59:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rz1atlIxMSCMbJlzLivfm88WMjdhMQid/HNOfFZiQ+4=; b=J2aqdKtw8R++f+cpYsRVSPjhdWGI6WWF9Q6b5PodqNKfkOgkSXd4SYuyqwI7g/vPheBcYjZsUCOshNvj9lgECUN0mQlHawe+c32knbCzGc6joiXHqgAW95FKOzqWh2aB7JdH4MmqVLWZyty+TdthQRprn5cgW1fWcypD8oITl5c=
Received: from BN6PR09MB1186.namprd09.prod.outlook.com (10.172.17.144) by BN6PR09MB1187.namprd09.prod.outlook.com (10.172.17.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.16; Mon, 7 Aug 2017 16:59:36 +0000
Received: from BN6PR09MB1186.namprd09.prod.outlook.com ([10.172.17.144]) by BN6PR09MB1186.namprd09.prod.outlook.com ([10.172.17.144]) with mapi id 15.01.1320.018; Mon, 7 Aug 2017 16:59:36 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
Thread-Index: AQHTDzk5K7iMuJXSJEi0GWGKglgzCaJ49vow
Date: Mon, 07 Aug 2017 16:59:36 +0000
Message-ID: <BN6PR09MB11866327B7470AFEBC92345FABB50@BN6PR09MB1186.namprd09.prod.outlook.com>
References: <9F2CC6FD-105E-4467-BF68-D76809BA188B@cisco.com>
In-Reply-To: <9F2CC6FD-105E-4467-BF68-D76809BA188B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.80.55.87]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR09MB1187; 6:w1UlMHUanrebIzfDdVmqp5LGxb1HB9xOYonQgwUnIhwuoQ/FPS8SCVWvxXVXxGQxbOCuZXgFgyrX1Ar0A381XA0PADXry43t9ufHMlzxRLhP+UiVDboF2hThIydjJmT6oRX6w89W+7aohSRNwxFXR16PF601Pha+Nxw5vlTFqOM/KA+JtmJxyJ0vzqI5phtfz9JQhBTOBHJpF8cpSIUi3d5qpwIGSEI1MUx+quHwIKF/7bZNiI8Crj3gOLsZlzglDLK7Aqh2pnLmSKgWceBVl1NNAm07AwVIn2TXRUOCc3IFyU0lsdN0AYrBPPiPl6rqm8ykMZkB7vKhkW8DC/sejg==; 5:SW3t6YAg4O4duMXaWZ3wqoBhrAbMkivDkhnzfd2bZMn3/QV7dUO29j3rHw5f97nqfXF6DN5Ho8COlL8a/gEqNq1NVi3O5BNrcG+5EhNzwR5kQas98vDGyVRHrvbe2WzzD8bSL4ml4BPrGNMPENCzdg==; 24:UCUIWtdygJ659toQk2PVzBUsOYR8aOtFhZPmqpJbkLhaJSodW6lgLv1wSemNZfTmzkcd5lKA28WOAjYxjImVOVuF0ondcPdkVPl+CqaoZgw=; 7:be5xaMCqKa9V8uRrJc9wHS3U0dWEAbYibYI+F9d3RJebS1paisSva1ucT4Mn5UJfMdSHw2PP9P/44HRRA/8OAIlbK4JctPsXpyVxTL9C/f7kXo20PR08gdjUrx5Dpoqg4Jx9ty82dIWz7ma0mlY5xwFVrDI8ajeu5nDUJdFKm1/j9FM+odpd/wfFrcpK7DvXTKrhvOcorOPu79SylJcFk0QrxaVswHck383RBFMtm98=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: e51c8ef6-a9fa-43a2-f05d-08d4ddb5af68
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN6PR09MB1187;
x-ms-traffictypediagnostic: BN6PR09MB1187:
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(100405760836317);
x-microsoft-antispam-prvs: <BN6PR09MB11876AF13B6211E5307E3F9FABB50@BN6PR09MB1187.namprd09.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6055026)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN6PR09MB1187; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN6PR09MB1187;
x-forefront-prvs: 0392679D18
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39400400002)(39850400002)(39410400002)(39840400002)(39450400003)(377454003)(199003)(24454002)(189002)(101416001)(6246003)(2501003)(55016002)(53936002)(99286003)(3280700002)(66066001)(229853002)(8936002)(102836003)(25786009)(74316002)(6506006)(2906002)(6116002)(77096006)(53546010)(86362001)(14454004)(478600001)(9686003)(2950100002)(3846002)(97736004)(189998001)(230783001)(5660300001)(81156014)(81166006)(68736007)(6436002)(305945005)(38730400002)(6306002)(50986999)(76176999)(54356999)(966005)(106356001)(3660700001)(105586002)(8676002)(2900100001)(7696004)(7736002)(8666007)(33656002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR09MB1187; H:BN6PR09MB1186.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Aug 2017 16:59:36.6697 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR09MB1187
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/ACx0V0wGC-pGhgEvQm3n5BB4aqc>
Subject: Re: [sacm] WGLC for draft-ietf-sacm-nea-swima-patnc
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 16:59:43 -0000

Hi Nancy,

Thanks a bunch for the comments. Responses inline:

> My general read of this was that it would be a SWIDs mapping to either a
> particular data model to adhere to SACM and/or that it would use the NEA
> data model and transfer using PA-TNC and PB-TNC.  Is that correct?  I do not
> get that impression from Section 3, so am somewhat confused.

A few points: SWIMA is not SWID-specific. (The first drafts were, but it has since changed to support an extensible list of software inventory records, of which SWIDs are one possible record type.) 

Also, NEA does not have a single data model. Instead, the PA protocol is a "lightweight wrapper" for a set of attributes to be exchanged. These attributes are intended to be extensible to allow a growing set of bindings to be defined, each of which define their own conditions for Collectors and Validators, and each of which support their own network attributes and data model. 

So what you describe is not, in fact, the goal of SWIMA. SWIMA defines a NEA PA extension that defines new attributes and Collector/Validator behaviors to manage the collection and delivery of software inventory information.
 
> Here are some comments thus far:
> If indeed the draft is about extending the PA-TNC model to include
> SWIDs…This can limit the scalability and deployment use cases; per section
> 2.1.3 of RFC 7632, as it states there is desire to “collect a set of attribute
> values related to one or more endpoints”.

I'm confused by what you mean here. SWIMA is not intended it single-handedly fulfill this requirement. It does, however, move towards fulfillment of this requirement by enabling appropriate collection of software inventory information. Thus there is no limiting of the SACM use cases.

> -	As there are no references to the TNC standards (and those have
> been absorbed in NEA),
> I suggest to remove the last paragraph and Table 1 of Section 1.1

I agree the table is unnecessary. I do believe it is appropriate to retain the final paragraph to recognize that SWIMA came from TCG work and that this derivation is not a bifurcation.

> Section 1.1
> “The attributes defined in this document are used to
>    communicate software inventory evidence, collected from a range of
>    possible sources, from the posture collector on the endpoint to the
>    posture validator on a NEA Server using the PA-TNC interface, as
>    shown in Figure 1 below.”
> -	“Posture collector on the endpoint”,
> why does the collector need to be on an endpoint?

The NEA specification (RFC 5209) states that Posture Collectors are on NEA Clients, which is a type of endpoint. Is there anything that is not an endpoint on which you think there should be a posture collector?

> Section 2, specifically 2.1.1 and 2.1.2 If the definition is to define a set of PA-
> TNC attributes; they are meant to be carried thru the NEA model; as such the
> recipient MUST be a NEA Server or at minimum a Posture Validator as that is
> the component that can accept NEA’s Posture Attributes.  I’m not sure these
> 2 sections are needed as they have to map to the NEA architecture which is
> described in 2.1.3

2.1.1 and 2.1.2 are intended to outline the specific purpose of the extension of the PA-TNC specification that creates SWIMA. In other words, they identify why SWIMA was created. The three use cases identified in PA TNC are: 
- Initial Client-Triggered Assessment - Client sends information when requesting to join a network
- Server-Initiated Assessment with Remediation - Verifier requests information from the client.
- Client-Triggered Reassessment - Client detects a situation where it needs to push updated information to the server.

All of these represent cases under which PA-TNC can operate. SWIMA supports these cases as well. They don't talk about the same thing as 2.1.1 or 2.1.2, though. 2.1.1 and 2.1.2 identify the uses of software inventory information supported by SWIMA; the PA-TNC use cases identify the cases under which information might be exchanged in general. These are non-overlapping and complementary.

> Section 2.2: is this section necessary?  There are many more use cases not
> supported, so would opt to remove this section.

I believe this is helpful because these address likely areas of confusion. Yes, this is not an exhaustive list of unsupported use cases. However, a reasonable reader might initially assume that SWIMA includes guidance for converting software inventory into a single data model (for example). This section would make it clear that conversion of information is outside the scope of SWIMA.

> Section 2.3: There must be normative language to make these requirements.

These are not requirements to implementers. These are design requirements for the specification itself. This is why these are not normative.

> Also, it would be best suited to have this section also set in the context of the
> SACM requirements and reference the requirements enumerated in the
> soon to be published https://datatracker.ietf.org/doc/draft-ietf-sacm-
> requirements/ draft

I'll have to think about that, but my gut response is that the SWIMA requirements and the SACM requirements are not the same thing. SWIMA certainly must conform to SACM requirements, but it does not need to completely fulfill them - SWIMA is one part of a larger solution. The SWIMA requirements, in turn, are intended to focus just on SWIMA itself, and thus go beyond SCAP requirements. Even when they align (e.g., requirement for interoperability) they are not talking about the same thing. SWIMA interoperability just means that the protocols allow SWIMA-PV and SWIMA-PCs from different vendors to talk to each other, not that the information collected by SWIMA be useable across the entire SACM architecture. The bottom line is that, despite the common use of the term "requirements", my initial feeling is that these are not alike enough for a mapping to be usefully instructive. Do you have specific mappings that you feel would be appropriate?

> Section 2.5: What does it mean to “provide reliable delivery”?  Does this
> imply TCP vs UDP?

This is intended to mean that, if one party sends a message, the other party will either receive it or the sender will know it was not received. I'll add a clarification to that effect since, upon a quick search, it looks like there is no formal definition of the term. 

It does not require any particular way of accomplishing reliable delivery (e.g., TCP) - just that reliable delivery is required.

> Section 3.2 The beginning of the draft and title infers that this draft is a
> mapping for NEA, which does define its own data model…so how can these
> map to “an open set of data models”?

NEA does not define a single data model. It defines a framework which can be used to support an extensible list of attributes, each of which can support their own data model.

In 3.2, the term "data model" refers not to the attributes, but to the way that a software inventory record is expressed. I should probably clarify that. "Open" set is probably the wrong word; I should probably say "Extensible" set. This reflects that SWIMA can convey records using any inventory record structure and imposes no limits on those structures.

> Editorial
> 
> Section: Introduction
> Awkward sentence: “When reported endpoint
>    software installation inventory lists, shortened to "software
>    inventories" for the remainder of this document, contain patch level
>    data for identified software, further comparison to vulnerability or
>    threat alerts can be used to determine an endpoint's exposure to
>    attack. “
> 
> If I understand the intent, I suggest: “Endpoint software installation
> inventory lists (hereinafter “software inventories”)
> can further be used to determine an endpoint’s
> exposure to attack based on comparison to vulnerability or threat alerts
> against
> identified software’s patch level data.”

Yeah - my sentence is overly convoluted. Your suggestion is a big improvement. Thank you.

> Section 1.3 “Software Identifier” has a first reference to SWIMA that should
> be referenced first;
> e.e. Software Inventory Message Attributes (SWIMA).

Per Adam's suggestion, I'll be using "SWIMA" to label a lot more things. I'll add a definition of this term to the introduction so we are covered for the document.

> More to come soon,
> 	Nancy

Great! Thanks a bunch for the feedback.

Charles

> On 7/28/17, 7:40 AM, "sacm on behalf of Karen O'Donoghue" <sacm-
> bounces@ietf.org on behalf of odonoghue@isoc.org> wrote:
> 
>     Folks,
> 
>     This begins a 3 week working group last call (WGLC) for the following
> document:
> 
>     Software Inventory Message and Attributes (SWIMA) for PA-TNC
>     https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/
> 
>     We have chosen to do a 3 week WGLC to account for post IETF recovery
> and August vacations.
> 
>     Please review the referenced document and send any comments to the
> mailing list including your assessment of whether this document is mature
> enough to proceed to the IESG. Please note that these messages of support
> for progression to the mailing list will be used to determine WG consensus to
> proceed.
> 
>     Please send all comments in by Friday 18 August 2017.
> 
>     Thank you!
>     Karen and Adam
> 
> 
> 
> _______________________________________________
> sacm mailing list
> sacm@ietf.org
> https://www.ietf.org/mailman/listinfo/sacm

v2.23.0 | Report a Bug | By Email