[sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 21 February 2018 22:58 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D50012AAB6; Wed, 21 Feb 2018 14:58:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx4kXTvJM21E; Wed, 21 Feb 2018 14:58:46 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605AE12422F; Wed, 21 Feb 2018 14:58:46 -0800 (PST)
X-AuditID: 1209190c-513ff70000002354-87-5a8df9a4ca9c
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 96.F2.09044.4A9FD8A5; Wed, 21 Feb 2018 17:58:45 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w1LMwdWl030710; Wed, 21 Feb 2018 17:58:41 -0500
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w1LMwZnX016494 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 21 Feb 2018 17:58:38 -0500
Date: Wed, 21 Feb 2018 16:58:35 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
Cc: sacm-chairs@ietf.org, draft-ietf-sacm-nea-swima-patnc@ietf.org, odonoghue@isoc.org, sacm@ietf.org
Message-ID: <20180221225835.GG54688@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixG6norv0Z2+Uwa+pbBZfXv9gs5jxZyKz xaxH+5kt1jdNYrV4sbSL0YHVY8mSn0wer6Y1sgYwRXHZpKTmZJalFunbJXBlPJz8m7mg2bKi Y+ZX1gbGLbpdjJwcEgImEq8amxi7GLk4hAQWM0msfbCADSQhJLCRUWL/NmeIxFkmicMv2sES LAKqEvun/mAHsdkEVCQaui8zg9giAjISX9qngNnMAnkSqzpPgNnCAgUSq6+tYQKxeQV0JBYs OM0KYQtKnJz5hAWiXkvixr+XQDUcQLa0xPJ/HCBhUQFlib19h9gnMPLNQtIxC0nHLISOBYzM qxhlU3KrdHMTM3OKU5N1i5MT8/JSi3QN9XIzS/RSU0o3MYJCklOSZwfjmTdehxgFOBiVeHgj SnqjhFgTy4orcw8xSnIwKYnyWq0DCvEl5adUZiQWZ8QXleakFh9ilOBgVhLhPZEAlONNSays Si3Kh0lJc7AoifO6m2hHCQmkJ5akZqemFqQWwWRlODiUJHgZgLEnJFiUmp5akZaZU4KQZuLg BBnOAzR89g+Q4cUFibnFmekQ+VOMlhxdC160MXP8efgSSN548bqNWYglLz8vVUqcNwKkQQCk IaM0D24mKMVIZO+vecUoDvSiMO+a70BVPMD0BDf1FdBCJqCFF7jAFpYkIqSkGhgVnMtFxQ6n qHf+NLkaaFE4taI0zMPlmXDmapFN6sVOd4wuJc/ZOKn9SpjK24t21g9Fv2m/61f6939z9TKf p0vmRDVtnxbom+/8c9+P7y2X2ZWX3z+xfnkoo1rLq5+KSq89+L1kl9+dXnDbXE1AI6LU4soy tUaFFx3tTD8C7pXv9pNRdXvxvVWJpTgj0VCLuag4EQC2GEJ8DAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/HbL8FPDCbsvFJdACDPtBY4D6Bfo>
Subject: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 22:58:49 -0000
[incoming AD getting practice with document review; please treat as No Objection with COMMENT] The Introduction comes off as very strongly supporting this technology and implying that it's useful in all scenarios, but my understanding is that the benefits and applicable scenarios are more limited. (Section 2 and the rest of the document seem more akin to what I would expect, which is good.) My understanding is that the primary benefit of this work is in managed environments where there is an expectation that only a central authority within a given trust domain will be installing/updating software, and so this mechanism can be used to audit for policy compliance, in terms of things like whether updates are taken in a timely fashion, and blocking certain types of "role-based" access where the presence of certain software indicates a certain role. There are of course other situations where it could be useful, and I'm probably missing some of them, but the limitations called out in (e.g.) Section 7.1 do seem to give the guidance that this mechanism should not be relied upon directly as a security measure with any great deal of weight. So, perhaps the Introduction could say things like "useful to understand and maintain the security state of a managed network", "Some sites have a need for a standardized method for exchanging software inventory data", etc. I'll also second Eric's concerns about the privacy considerations, with a callout for the error descriptions as well -- there's a history of cleartext error strings on the wire leading to attacks (albeit usually against cryptography and not a higher-level protocol). Section 2.3 Efficiency is also important when one considers that some network endpoints are small and low powered, some networks are low bandwidth and/or high latency, and some transport protocols (such as PT-EAP, Posture Transport (PT) Protocol for Extensible Authentication Protocol (EAP) Tunnel Methods [RFC7171]) or their underlying carrier protocol might allow only one packet in flight at a time or only one roundtrip. I think I'm a little confused at how this protocol could be useful at all with only one roundtrip -- or does roundtrip just mean one request/response exchange, which could involve lots of packets and potentially take longer to deliver than the path RTT? (The latter could maybe make sense in an EAP scheme where you need to verify the client environment before allowing access, though see above disclaimer about this not seeming like a strong security mechanism.) Also Section 2.3 Can we REQUIRE the underlying transport to provide confidentiality, or is there some historical baggage that requires us to allow the possibility of cleartext transport? To be clear, my preference is in general for in-protocol message protection, but I recognize that there are scenarios where that doesn't always work well or is redundant. I'm a little concerned that there are some broad MUST-level requirements that seem hard to know if they can actually be implemented reliably, like only using a data source in the posture collector if it is known that it can meet all the listed requirements both now and in the future, or the requirements for consistency across time about how various information is handled. This makes updating the PC software pretty risky. Another example is saying that "Even a probable location for a software product is preferable to using a zero-length locator." so that once we pick one we can't change what is reported. (I guess we're supposed to DELETE+CREATE in this scenario?) In Section 3.6 It seems a little odd to me that we need to keep last state prior to deletion even around, but we don't need to be able to provide the full alteration history -- that makes an alteration event seem like a weaker piece of data than delete+create would be, whereas intution might think that they should have the same information content. Section 5.6 Request IDs can be randomly generated or sequential, as long as values are not repeated per the rules in this paragraph. SWIMA-PCs are not required to check for duplicate Request IDs. The birthday bound for a 32-bit number is not a super-great margin of comfort for a random selection, though I guess the consequences of a collision are not catastrophic. It makes me a little sad to see an ASCII time representation used when more space-efficient options are available and we've already got binary integers going on the wire. Seconds since the epoch might even be enough for this work, or for more precision 100s of nanoseconds since the epoch is also seeing some notable use. Editorial nits: There's a typo in the abstract (for "Trusted"). As a general note, "Software Inventory Message and Attributes for PA-TNC" is written out in full many times in the document (including in tables); does it make sense to abbreviate it more often or just refer to "this document" or "this specification" or similar? Section 1.3, "Endpoint's Software Inventory Evidence Collection": [...], information generated to report output from software discovery tools, and [...] Maybe this makes more sense with s/to/from/? The current text leaves me pretty confused (so maybe my suggestion is bunk). Section 3.2 Do not confuse the "data model" described here with the SWIMA messages and attributes used to convey information between SWIMA-PVs and PCs. The SWIMA specification dictates the structure of its messages and attributes. Some attributes, however, have specific fields used to convey inventory records, and those fields support an extensible list of data models for their values. By contrast, a data model refers only to the structure used to organize software inventory record data. We probably should disambiguate all occurrences of "data model" in this paragraph, just to be clear. Section 3.4.1 Instead, to reliably distinguish between multiple instances of a single software product, one needs to make use of Record Identifiers, described in the following section. actually it's section 3.4.3 now, not directly following. Section 3.4.2 Clearly identifying the type of data model from with the Software Identifier was derived thus provides useful context for that value. "from which" Table 7 should disambiguate the initial Status Flags field, as the table currently has two mentions of "Flags" that mean different things. Section 5.15 When sending to a giving SWIMA-PV, the SWIMA-PC MUST use the recipient SWIMA-PVs Source Identifier associations. s/giving/given/ Also, maybe mention what scope of private agreement is needed on the interpretation of the metadata, which is basically opaque as far as SWIMA is concerned. That is, is this something agreed upon just between a specific PC and PV, or expected to be agreed upon in a broader group (e.g., organization) Section 5.16.1 et seq Should we say something about how the length of the variable-length description field is know from the length of the PA-TNC attribute?
- [sacm] Benjamin Kaduk's practice ballot (No Objec… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.