[sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 21 February 2018 22:58 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D50012AAB6; Wed, 21 Feb 2018 14:58:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx4kXTvJM21E; Wed, 21 Feb 2018 14:58:46 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605AE12422F; Wed, 21 Feb 2018 14:58:46 -0800 (PST)
X-AuditID: 1209190c-513ff70000002354-87-5a8df9a4ca9c
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 96.F2.09044.4A9FD8A5; Wed, 21 Feb 2018 17:58:45 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w1LMwdWl030710; Wed, 21 Feb 2018 17:58:41 -0500
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w1LMwZnX016494 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 21 Feb 2018 17:58:38 -0500
Date: Wed, 21 Feb 2018 16:58:35 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
Cc: sacm-chairs@ietf.org, draft-ietf-sacm-nea-swima-patnc@ietf.org, odonoghue@isoc.org, sacm@ietf.org
Message-ID: <20180221225835.GG54688@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixG6norv0Z2+Uwa+pbBZfXv9gs5jxZyKz xaxH+5kt1jdNYrV4sbSL0YHVY8mSn0wer6Y1sgYwRXHZpKTmZJalFunbJXBlPJz8m7mg2bKi Y+ZX1gbGLbpdjJwcEgImEq8amxi7GLk4hAQWM0msfbCADSQhJLCRUWL/NmeIxFkmicMv2sES LAKqEvun/mAHsdkEVCQaui8zg9giAjISX9qngNnMAnkSqzpPgNnCAgUSq6+tYQKxeQV0JBYs OM0KYQtKnJz5hAWiXkvixr+XQDUcQLa0xPJ/HCBhUQFlib19h9gnMPLNQtIxC0nHLISOBYzM qxhlU3KrdHMTM3OKU5N1i5MT8/JSi3QN9XIzS/RSU0o3MYJCklOSZwfjmTdehxgFOBiVeHgj SnqjhFgTy4orcw8xSnIwKYnyWq0DCvEl5adUZiQWZ8QXleakFh9ilOBgVhLhPZEAlONNSays Si3Kh0lJc7AoifO6m2hHCQmkJ5akZqemFqQWwWRlODiUJHgZgLEnJFiUmp5akZaZU4KQZuLg BBnOAzR89g+Q4cUFibnFmekQ+VOMlhxdC160MXP8efgSSN548bqNWYglLz8vVUqcNwKkQQCk IaM0D24mKMVIZO+vecUoDvSiMO+a70BVPMD0BDf1FdBCJqCFF7jAFpYkIqSkGhgVnMtFxQ6n qHf+NLkaaFE4taI0zMPlmXDmapFN6sVOd4wuJc/ZOKn9SpjK24t21g9Fv2m/61f6939z9TKf p0vmRDVtnxbom+/8c9+P7y2X2ZWX3z+xfnkoo1rLq5+KSq89+L1kl9+dXnDbXE1AI6LU4soy tUaFFx3tTD8C7pXv9pNRdXvxvVWJpTgj0VCLuag4EQC2GEJ8DAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/HbL8FPDCbsvFJdACDPtBY4D6Bfo>
Subject: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 22:58:49 -0000
[incoming AD getting practice with document review; please treat as
No Objection with COMMENT]
The Introduction comes off as very strongly supporting this
technology and implying that it's useful in all scenarios, but my
understanding is that the benefits and applicable scenarios are more
limited. (Section 2 and the rest of the document seem more akin to
what I would expect, which is good.) My understanding is that the
primary benefit of this work is in managed environments where there
is an expectation that only a central authority within a given trust
domain will be installing/updating software, and so this mechanism
can be used to audit for policy compliance, in terms of things like
whether updates are taken in a timely fashion, and blocking
certain types of "role-based" access where the presence of certain
software indicates a certain role. There are of course other
situations where it could be useful, and I'm probably missing some
of them, but the limitations called out in (e.g.) Section 7.1 do
seem to give the guidance that this mechanism should not be relied
upon directly as a security measure with any great deal of weight.
So, perhaps the Introduction could say things like "useful to
understand and maintain the security state of a managed network",
"Some sites have a need for a standardized method for exchanging
software inventory data", etc.
I'll also second Eric's concerns about the privacy considerations,
with a callout for the error descriptions as well -- there's a
history of cleartext error strings on the wire leading to attacks
(albeit usually against cryptography and not a higher-level
protocol).
Section 2.3
Efficiency is also important when one considers that some network
endpoints are small and low powered, some networks are low
bandwidth and/or high latency, and some transport protocols (such
as PT-EAP, Posture Transport (PT) Protocol for Extensible
Authentication Protocol (EAP) Tunnel Methods [RFC7171]) or their
underlying carrier protocol might allow only one packet in flight
at a time or only one roundtrip.
I think I'm a little confused at how this protocol could be useful at all
with only one roundtrip -- or does roundtrip just mean one
request/response exchange, which could involve lots of packets and
potentially take longer to deliver than the path RTT? (The latter
could maybe make sense in an EAP scheme where you need to verify the
client environment before allowing access, though see above
disclaimer about this not seeming like a strong security mechanism.)
Also Section 2.3
Can we REQUIRE the underlying transport to provide confidentiality,
or is there some historical baggage that requires us to allow the
possibility of cleartext transport? To be clear, my preference
is in general for in-protocol message protection, but I recognize
that there are scenarios where that doesn't always work well or is
redundant.
I'm a little concerned that there are some broad MUST-level
requirements that seem hard to know if they can actually be
implemented reliably, like only using a data source in the posture
collector if it is known that it can meet all the listed
requirements both now and in the future, or the requirements for
consistency across time about how various information is handled.
This makes updating the PC software pretty risky. Another example
is saying that "Even a probable location for a software product is
preferable to using a zero-length locator." so that once we pick one
we can't change what is reported. (I guess we're supposed to
DELETE+CREATE in this scenario?)
In Section 3.6
It seems a little odd to me that we need to keep last state prior to
deletion even around, but we don't need to be able to provide the
full alteration history -- that makes an alteration event seem like
a weaker piece of data than delete+create would be, whereas intution
might think that they should have the same information content.
Section 5.6
Request IDs can be randomly generated or sequential,
as long as values are not repeated per the rules in this paragraph.
SWIMA-PCs are not required to check for duplicate Request IDs.
The birthday bound for a 32-bit number is not a super-great margin
of comfort for a random selection, though I guess the consequences
of a collision are not catastrophic.
It makes me a little sad to see an ASCII time representation used when more
space-efficient options are available and we've already got binary
integers going on the wire. Seconds since the epoch might even be
enough for this work, or for more precision 100s of nanoseconds
since the epoch is also seeing some notable use.
Editorial nits:
There's a typo in the abstract (for "Trusted").
As a general note, "Software Inventory Message and Attributes for
PA-TNC" is written out in full many times in the document (including
in tables); does it make sense to abbreviate it more often or just
refer to "this document" or "this specification" or similar?
Section 1.3, "Endpoint's Software Inventory Evidence Collection":
[...], information generated to report output from
software discovery tools, and [...]
Maybe this makes more sense with s/to/from/? The current text
leaves me pretty confused (so maybe my suggestion is bunk).
Section 3.2
Do not confuse the "data model" described here with the SWIMA
messages and attributes used to convey information between SWIMA-PVs
and PCs. The SWIMA specification dictates the structure of its
messages and attributes. Some attributes, however, have specific
fields used to convey inventory records, and those fields support an
extensible list of data models for their values. By contrast, a data
model refers only to the structure used to organize software
inventory record data.
We probably should disambiguate all occurrences of "data model" in this
paragraph, just to be clear.
Section 3.4.1
Instead,
to reliably distinguish between multiple instances of a single
software product, one needs to make use of Record Identifiers,
described in the following section.
actually it's section 3.4.3 now, not directly following.
Section 3.4.2
Clearly identifying the type of
data model from with the Software Identifier was derived thus
provides useful context for that value.
"from which"
Table 7 should disambiguate the initial Status Flags field, as the table
currently has two mentions of "Flags" that mean different things.
Section 5.15
When sending to a giving SWIMA-PV, the SWIMA-PC MUST use the
recipient SWIMA-PVs Source Identifier associations.
s/giving/given/
Also, maybe mention what scope of private agreement is needed on the
interpretation of the metadata, which is basically opaque as far as SWIMA is
concerned. That is, is this something agreed upon just between a
specific PC
and PV, or expected to be agreed upon in a broader group (e.g.,
organization)
Section 5.16.1 et seq
Should we say something about how the length of the variable-length
description field is know from the length of the PA-TNC attribute?
- [sacm] Benjamin Kaduk's practice ballot (No Objec… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Benjamin Kaduk
- Re: [sacm] Benjamin Kaduk's practice ballot (No O… Schmidt, Charles M.