IETF Logo Mail Archive

Re: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 08 March 2018 14:17 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC44126D85; Thu, 8 Mar 2018 06:17:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiZePIm3yQYO; Thu, 8 Mar 2018 06:17:40 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0EC4126CD6; Thu, 8 Mar 2018 06:17:39 -0800 (PST)
X-AuditID: 1209190f-ce9ff70000007d48-0d-5aa146020d61
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id E5.69.32072.20641AA5; Thu, 8 Mar 2018 09:17:38 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w28EHb92007293; Thu, 8 Mar 2018 09:17:37 -0500
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w28EHW76016968 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 8 Mar 2018 09:17:34 -0500
Date: Thu, 08 Mar 2018 08:17:32 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Schmidt, Charles M." <cmschmidt@mitre.org>
Cc: The IESG <iesg@ietf.org>, "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "draft-ietf-sacm-nea-swima-patnc@ietf.org" <draft-ietf-sacm-nea-swima-patnc@ietf.org>, "odonoghue@isoc.org" <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Message-ID: <20180308141732.GD27850@mit.edu>
References: <20180221225835.GG54688@mit.edu> <DM5PR0901MB2375263C5375E6438FA0A70BABC30@DM5PR0901MB2375.namprd09.prod.outlook.com> <20180228015121.GE50954@kduck.kaduk.org> <DM5PR0901MB2375EF1656E78C7DA3DE046FABD90@DM5PR0901MB2375.namprd09.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DM5PR0901MB2375EF1656E78C7DA3DE046FABD90@DM5PR0901MB2375.namprd09.prod.outlook.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleLIzCtJLcpLzFFi42IR4hRV1mVyWxhlcGCmlcW8xz1MFl9e/2Cz mPFnIrPFrEf7mS3WN01itXixtIvRgc1jyZKfTB6vpjWyerxtuMoewBzFZZOSmpNZllqkb5fA lfHwx0fmgksuFd+e2zQwTjTrYuTkkBAwkVjcvJGpi5GLQ0hgMZPE032v2SGcDYwSn48cZoZw zjBJLPzezAbSwiKgIrHvcysriM0GZDd0X2YGsUUE9CVenv3OAmIzC3QySWxZqApiCwuUSHx/ 2gcU5+DgFdCReNrhAjGzlUli94RXjCA1vAKCEidnPoHq1ZK48e8lE0g9s4C0xPJ/HCBhToFE iZ/rl4OtFRVQltjbd4h9AqPALCTds5B0z0LoXsDIvIpRNiW3Sjc3MTOnODVZtzg5MS8vtUjX RC83s0QvNaV0EyM4rCX5dzDOafA+xCjAwajEw/vAcWGUEGtiWXFl7iFGSQ4mJVFe36wFUUJ8 SfkplRmJxRnxRaU5qcWHGCU4mJVEeAP0gcp5UxIrq1KL8mFS0hwsSuK87ibaUUIC6Yklqdmp qQWpRTBZGQ4OJQneby5AjYJFqempFWmZOSUIaSYOTpDhPEDDOVxBhhcXJOYWZ6ZD5E8x6nLc ePG6jVmIJS8/L1VKnPc7yCABkKKM0jy4OaB0JJG9v+YVozjQW8K8JiCjeICpDG7SK6AlTEBL 9l5eALKkJBEhJdXAaL99ffRKU/Pbz3bI8R5cFzqPJ8Rpi7/QuhnC03f8YYqpWdFgN//P8rLv KU4JC5I+mDe+eqkgmbV4b+2ME08+rdIoK/G8xGH4Jsdd9FWl1eqit8+/ZegrPs4LnxSceO6E 2AsGG3UVrlv/tdcejt0ZJ84Ypsl37tdf00PfdBd3H31yY+4ig8LnnUosxRmJhlrMRcWJACjy 3PUiAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/KeqYFVS1pmkPdPYecIk-iWahJiE>
Subject: Re: [sacm] Benjamin Kaduk's practice ballot (No Objection) on draft-ietf-sacm-nea-swima-patnc-02: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 14:17:43 -0000

Hi Charles,

On Tue, Mar 06, 2018 at 01:03:37AM +0000, Schmidt, Charles M. wrote:
> Hi Benjamin,
> 
> Thanks for following up. It looks like we are mostly on the same page. I have a few additional responses:
> 
> > > > Also Section 2.3
> > > >
> > > > Can we REQUIRE the underlying transport to provide confidentiality,
> > > > or is there some historical baggage that requires us to allow the
> > > > possibility of cleartext transport?  To be clear, my preference
> > > > is in general for in-protocol message protection, but I recognize
> > > > that there are scenarios where that doesn't always work well or is
> > > > redundant.
> > >
> > > NEA is designed to support an extensible list of PT (transport) protocols.
> > Currently, the only NEA transport protocols defined are PT-TLS and PT-EAP,
> > both of which provide confidentiality. I cannot think of why, but it might be
> > the case that sometime in the future someone might create a PT protocol
> > that does not provide confidentiality. If someone did this, I am not sure I
> > would want to automatically preclude SWIMA from using it. In short, my
> > preference would be to note this issue, but not dictate a specific response.
> > Please let me know if you still feel that stronger requirements for
> > confidentiality are necessary.
> > 
> > This seems pretty speculative to me, but not quite to the point that
> > I would ballot DISCUSS for it (if I could ballot, which I can't
> > yet).  If such a hypothetical future transport was standards-track,
> > it could (procedurally, at least) update this document to relax the
> > condition, anyway, so my personal inclination is to require
> > confidentiality at present and revisit later if needed.
> 
> Thinking about this a bit more, I agree. I have made two changes to the section. First, I made it clear that the section is not about "things that are not required", but about requirements that are beyond the scope of SWIMA to meet. (Hopefully that will clarify things a bit better.) I also rephrased the section:
> 
>    There are certain capabilities that users of the SWIMA specification
>    might require but which are beyond the scope of SWIMA itself and need
>    to be addressed by other standards.  This list is not exhaustive.
> 
>    End to End Confidentiality:  The SWIMA specification does not define
>       a mechanism for confidentiality, nor is confidentiality
>       automatically provided by using the PA-TNC interface.  In the NEA
>       architecture, confidentiality is generally provided by the
>       underlying transport protocols, such as the PT Binding to TLS
>       [RFC6876] or PT-EAP Posture Transport for Tunneled EAP Methods
>       [RFC7171] - see Section 7 for more information on related
>       standards.  The information conveyed by SWIMA is often sensitive
>       in nature for both security (Section 8) and privacy (Section 9)
>       reasons.  Those who implement SWIMA need to ensure that
>       appropriate NEA transport mechanisms are employed to meet
>       confidentiality requirements.
> 
> Does this better address your concerns?

Yes, thank you!

> --
> 
> > > > I'm a little concerned that there are some broad MUST-level
> > > > requirements 
> <SNIP>
> > >
> > > Could you expand on this? 
> <SNIP>
> >
> > Probably I should treat this as a learning experience with my
> > practice ballot, having put some not-really-actionable comment in my
> > review.  Looking through the document again, maybe things like:
> > 
> >    With regard to alterations to a record, SWIMA-PCs MUST detect any
> >    alterations to the contents of a record.
> > 
> > could be problematic if the record format changes to add more fields
> > and the SWIMA-PC doesn't know to track the new fields (pretty
> > speculative, admittedly; I don't know how plausible either of those
> > are)
> 
> I'm not too worried about this because change detection can be extremely coarse. (I.e., it can be based on the record's "Modification timestamp" if it is a file, or based on comparing hashes of the record.) The structure of the record should be irrelevant for that level of change detection.

Okay, I'll defer to your better familiarity.

> > There's also the prohibition against coverage gaps, which I can
> > definitely understand wanting, but seems prone to Murphy's law.
> 
> I agree this is a bigger lift, but, again, I'm not worried. It just means the SWIMA-PC needs to keep track of the records in the Evidence Collection. If it stops and restarts monitoring, it just needs to see how the Evidence Collection changes. As noted above, MODIFICATION detection can be very coarse. If it cannot figure out the delta, it just needs to change the Epoch to indicate a discontinuity and continue from there. (Noted in 3.7.1 Event Identifiers.) So, again, while this is a challenge, I think it remains reasonable.

Okay.

> --
> 
> > > > In Section 3.6
> > > >
> > > > It seems a little odd to me that we need to keep last state prior to
> > > > deletion even around, but we don't need to be able to provide the
> > > > full alteration history -- that makes an alteration event seem like
> > > > a weaker piece of data than delete+create would be, whereas intution
> > > > might think that they should have the same information content.
> > >
> > > I am confused by this comment. The requirement to retain deleted records
> > is different from the requirement to track alterations. The former is provided
> > so that SWIMA-PVs are able to get additional data about a product that has
> > been deleted, in the form of the deleted software's information record.
> > Alteration, creation, and deletion are for tracking changes to software state.
> > This needs to provide a complete history so that old state information can be
> > updated to reflect new state. In this, alteration and delete+create are, in
> > fact, of equal value. Am I misunderstanding your comment?
> > 
> > It is more likely that the misunderstanding was mine.  In that,
> > since the SWIMA-PC needs to be able to provide event history
> > including alteration events, the SWIMA-PV could request all the
> > relevant alteration events and track the state of that software
> > through the history that's retained.  My original comment would only
> > be valid if the alteration records did not contain a record of what
> > actually changed.
> 
> I think I understand your concern: You were noting that, in the case of a DELETE action, the SWIMA-PV can request the historical record to see what used to be there. However, in the case of a MODIFY event, the SWIMA-PV has no way to collect the previous iteration of the record, and thus cannot compare to determine what changed. Thus, if there was a DELETE+CREATE event, one could take the old and new records (assuming one was able to line them up) and compare, but would not be able to perform such a comparison under a MODIFICATION. Is this your concern?

Exactly.

> If so, then I do agree that there is a difference between what one can tell about the two event sequences. However, from a practical standpoint, I am not concerned about this. We do make it explicit in the specification that the old attribute cannot be collected via SWIMA, so this shouldn't be a surprise. I cannot think of any use cases where knowing the preceding state of the record is necessary - most of the uses of SWIMA I can imagine just need a way to capture the current state. If you can think of a reason that a consumer might need to know what changed in the record let me know, but I feel that simply knowing there is a revised record is sufficient for virtually all SWIMA uses.

I am thinking about some sort of compliance scenario where it
becomes relevant to know "did Employee X have a vulnerable version
of software Y installed on date Z?" to be able to confirm that their
machine was potentially compromised by a given virus, which would
change the liability situation.  Or is that not an intended use
case?

> --
> 
> Regarding the timestamp, I did some searching but I was also unable to find a standard expressed time in a more concise format. The Wilkinson draft you found didn't have a lot of detail. At this stage, I'm inclined to leave things be rather than create something unique to SWIMA (or adopt something esoteric enough that I might as well be doing so).

I can't blame you for sticking to tried-and-true.  Sorry for sending
you on the ultimately fruitless chase -- I really thought there was
something in an RFC using it.

> ---
> 
> Thanks again for the clarifications. I hope that the new draft (-04) better addresses your concerns.

It does look better.  Thanks again,

Benjamin

v2.23.0 | Report a Bug | By Email