[sacm] Comments on draft-ietf-sacm-ecp

Adam Montville <adam.w.montville@gmail.com> Mon, 02 April 2018 19:29 UTC

From: Adam Montville <adam.w.montville@gmail.com>
Date: Mon, 02 Apr 2018 14:29:25 -0500
Cc: "<sacm@ietf.org>" <sacm@ietf.org>
To: draft-ietf-sacm-ecp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/OY7GnFoNavNY-Ljs2rI-k2_VGoc>
Subject: [sacm] Comments on draft-ietf-sacm-ecp

Hello ECP'ers (and SACM),

I'm still going through the 01 revision of the ECP draft, but am now really looking at some of the documents it points to. I have a few comments and clarifying questions, in no particular order (I do apologize for the shotgun approach here)...

- This is a really verbose draft. I'd be happy to help trim it down. :-)
- I'm noting that Lisa Lorenzin is no longer with Pulse Secure - does her information need to be updated?
- I'm not 100% clear on the scope of this draft. At one point, the draft seems relegated to what it calls the posture manager and the software executing on an endpoint, but at another point the draft talks about necessary repository functions. (See my final comment below.)
- How related are IM-IMC and/or IM-IVC to IF-MAP? I don't think very related, but this is outside my area of knowledge. I ask because at one point Lisa warned the working group about some IF-MAP-related pitfalls to avoid.
- I would consider removing section 8 (though retaining section 9 might be helpful from a scoping perspective).
- I would move section 10 way up front.
  - Note that these examples are relying on SWID collectors, which aren't really what the examples are intended to convey.
  - For example, 10.1 claims "posture assessment" but shows only SWIMA, which may be part of posture collection, but is not wholly posture collection.
- I would like to see how the authors feel ECP maps to RFC8248 (similar to the attempt we made in the mandm draft [2]).
- Not being as familiar with NEA as I perhaps should be, I'm interested to know whether NEA prescribes an event-driven approach to monitoring or if that is an ECP augmentation (see 10.1.1).
- Wherever the draft says something like "SWIMA Posture Collection", I would say "SWIMA inventory collection" or something similar to that. Posture has a specific definition per our terminology draft [3], and the information enabled by use of SWIMA is part of, but is not in total, posture information.
- Do the authors (or does anyone) have any notion of what a repository would look like?
- I would like to see some expository text helping a reader understand how various collectors (not just a SWIMA collector) could be created and deployed, potentially from multiple parties, on a single endpoint.
- Do the authors anticipate the administrative interface/API to be fully specified elsewhere? I think the same goes for the repository. And the evaluator at at least one point in the draft.
- I'm not sure what SACM SWAM means in the title of 7.1.6.
- There's a lot of talk about policy content, but no real details - is the expectation that these will be handled in separate drafts?

If entering these into Trac or GitHub as issues makes more sense, let me know. 

I think the ECP draft is less about compliance and more about collection, and it's specifically about agent-based (or in-built) collection capabilities based on NEA and extensions thereto - in other words, ECP begins to specify a collection infrastructure for agent-based collection (sorry if I'm slow). In this way, the draft adds value to SACM, and leaves room for alternative approaches that may not be agent-based. If a tight scope statement could be created along these lines, I think that would go a long way toward clarifying the draft. 

Thoughts?

Kind regards,

Adam



[1] https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/
[2] https://datatracker.ietf.org/doc/draft-mandm-sacm-architecture/
[3] https://datatracker.ietf.org/doc/draft-ietf-sacm-terminology/