Re: [sacm] Re: Re: new drafts about network infrastructure device's security baseline:

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 12 September 2017 13:34 UTC

In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BB6F46A@DGGEML502-MBX.china.huawei.com>
References: <808ED0DE-508A-47FA-A9F0-CD60CF586A79@cisco.com> <CAHbuEH4a5RKYED9N0Q=v3-gUOd0QnFgqnLNg-dKJpfArDQW0zQ@mail.gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BB6F46A@DGGEML502-MBX.china.huawei.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 12 Sep 2017 09:33:54 -0400
Message-ID: <CAHbuEH4SB9QP-17-cHXGNQ-Fab-T_HfLQh1XuvdBA2Y9xOXu-w@mail.gmail.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>, "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/GCo66vi_cfiTSiTktmIDJZbk7yA>
Subject: Re: [sacm] Re: Re: new drafts about network infrastructure device's security baseline:

Hello Frank,

Thanks for your response, inline.

On Mon, Sep 11, 2017 at 10:01 PM, Xialiang (Frank)
<frank.xialiang@huawei.com> wrote:
> Hi Nancy, Kathleen,
> Your point makes sense. Let me explain our intention below:
> 1. Our objective is to specify the security posture (we call it the security baseline in the documents) of network devices, like routers, switches or maybe FWs, and, by collecting and evaluating it, to meet the SACM requirements for network devices as endpoints. We only focus on the security baseline information;
> 2. The current -00 versions of the drafts do not have content about: how to encapsulate the security baseline information into the SACM Information Model, how to send it to the collector by YANG push and pub/sub mechanisms, and how to adapt this information to the SACM protocol; we will address these issues in the following updated versions;
> 3. We do find that some YANG models have been defined in IETF WGs like netmod, i2rs, i2nsf, etc. But we also observe that there are still some YANG models related to the device security baseline that are not defined yet (i.e., URPF, CPU defend, Keychain, Remote Login Security, etc.); even for some YANG models that have been defined in the IETF (i.e., BGP, OSPF, SNMP, etc.), their security configuration and status parts are not complete and have potential room for improvement. If we find existing content as you pointed out, we'd like to reference it and will not reinvent the wheel.
>
> In summary, we want to follow the SACM Information Model and protocol, and extend the YANG push and pub/sub mechanisms to systematically specify the security baseline data model in the SACM WG.

Please use the Yangcatalog.org site to identify the YANG modules that
already exist for the data that can be collected.  The next step would
be to figure out if certain information is not available, what YANG
modules should be extended to gather that information.  Or to create
new YANG modules for that purpose.  Since you are talking about
network devices, YANG is the way to go right now as that is where
industry is heading.

Thank you,
Kathleen
>
> B.R.
> Frank
>
> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: 12 September 2017 5:26
> To: Nancy Cam-Winget (ncamwing)
> Cc: Xialiang (Frank); Waltermire, David A. (Fed); Panos Kampanakis (pkampana); sacm@ietf.org; Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
> Subject: Re: [sacm] Re: new drafts about network infrastructure device's security baseline:
>
> On Mon, Sep 11, 2017 at 11:35 AM, Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:
>> Hi Frank,
>>
>> It is not clear to me why we couldn't reference the work and
>> attributes already being worked on in NETMOD and perhaps i2nsf?  While
>> I agree that SACM includes network elements as endpoints, I think we
>> can leverage work already being defined by other working groups.
>
> Yes, I agree with Nancy.  If the work exists already, it should be referenced.  YANG is the preferred method and there appears to be direct copy and paste from IPFIX and other technologies.
>
> Best regards,
> Kathleen
>>
>> Warm regards, Nancy
>>
>> From: sacm <sacm-bounces@ietf.org> on behalf of "Xialiang (Frank)"
>> <frank.xialiang@huawei.com>
>> Date: Thursday, September 7, 2017 at 7:39 PM
>> To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Panos
>> Kampanakis <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>
>> Cc: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying
>> (Walker)" <zhengguangying@huawei.com>, "dongyue (D)"
>> <dongyue6@huawei.com>
>> Subject: [sacm] Re: new drafts about network infrastructure device's
>> security baseline:
>>
>> Hi Dave and Panos,
>>
>> I think Dave gives a very clear and detailed clarification about the
>> definition of endpoints in SACM and the latest SACM plan, thanks.
>>
>> I will follow the SACM information model and the latest decision to
>> update these drafts.
>>
>> Any comments are welcome!
>>
>> B.R.
>>
>> Frank
>>
>> From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
>> Sent: 8 September 2017 3:01
>> To: Panos Kampanakis (pkampana); Xialiang (Frank); sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
>> Subject: RE: new drafts about network infrastructure device's security baseline:
>>
>> Panos,
>>
>> At the last IETF meeting we started discussing a charter update. I
>> believe we are currently waiting on the chairs to start this discussion on the list.
>> This will give the working group an opportunity to clarify this issue
>> in the charter.
>>
>> As far as endpoints, the definition that has been used for endpoints
>> in the SACM charter is the one from RFC 5209, which is "Any computing
>> device that can be connected to a network. Such devices normally are
>> associated with a particular link layer address before joining the
>> network and potentially an IP address once on the network. This
>> includes: laptops, desktops, servers, cell phones, or any device that
>> may have an IP address."
>>
>> As most network devices are connected to networks, and often expose a
>> management interface that is IP addressable, I'd say they qualify as
>> endpoints. This view is also reflected in the SACM terminology, which
>> states "To further clarify the [RFC5209] definition, an endpoint is
>> any physical or virtual device that may have a network address. Note
>> that, network infrastructure devices (e.g. switches, routers,
>> firewalls), which fit the definition, are also considered to be
>> endpoints within this document."
>>
>> This text squares with my original view of endpoints way back when we
>> were working on the original SACM charter.
>>
>> Regards,
>>
>> Dave
>>
>>
>>
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Panos
>> Kampanakis
>> (pkampana)
>> Sent: Thursday, September 07, 2017 2:11 PM
>> To: Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying
>> (Walker) <zhengguangying@huawei.com>; dongyue (D)
>> <dongyue6@huawei.com>
>> Subject: Re: [sacm] new drafts about network infrastructure device's
>> security baseline:
>>
>> When checking the SACM charter, I do not see any references to network
>> infrastructure or network elements. I believe SACM's initial focus was
>> on endpoints. Do these three drafts even fall in SACM's charter as it
>> is right now?
>>
>> Panos
>>
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Xialiang
>> (Frank)
>> Sent: Thursday, September 07, 2017 4:05 AM
>> To: sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying
>> (Walker) <zhengguangying@huawei.com>; dongyue (D)
>> <dongyue6@huawei.com>
>> Subject: [sacm] new drafts about network infrastructure device's
>> security baseline:
>>
>> Hi all,
>>
>> We have just submitted 3 drafts to specify the YANG data model of network
>> infrastructure devices' (i.e., router, switch, firewall, etc.) security
>> posture, or what we call the security baseline. Each draft covers one of the
>> three planes of network infrastructure devices: data plane, control
>> plane, management plane.
>>
>> https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
>>
>> https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
>>
>> https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00
>>
>> The goal is to facilitate the collection and assessment of the overall
>> security posture of the network infrastructure devices, in order to
>> realize whole-lifecycle security automation for the infrastructure network.
>>
>> Your comments are warmly welcome!
>>
>> B.R.
>>
>> Frank
>>
>
>
>
> --
>
> Best regards,
> Kathleen



-- 

Best regards,
Kathleen