Re: [sacm] new drafts about network infrastructure device's security baseline:

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Thu, 07 September 2017 19:00 UTC

From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "sacm@ietf.org" <sacm@ietf.org>
CC: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
Date: Thu, 07 Sep 2017 19:00:30 +0000
Message-ID: <CY4PR09MB1495D769EA7360C06022E6AFF0940@CY4PR09MB1495.namprd09.prod.outlook.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB67B58@DGGEML502-MBX.china.huawei.com> <4c3aa43995df46dfbded53f39a912ca9@XCH-ALN-010.cisco.com>
In-Reply-To: <4c3aa43995df46dfbded53f39a912ca9@XCH-ALN-010.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/PSjphlEFUSEDWdK66sH-A1v_pco>
Subject: Re: [sacm] new drafts about network infrastructure device's security baseline:

Panos,

At the last IETF meeting we started discussing a charter update. I believe we are currently waiting on the chairs to start this discussion on the list. This will give the working group an opportunity to clarify this issue in the charter.


As far as endpoints, the definition that has been used for endpoints in the SACM charter is the one from RFC 5209, which is "Any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address."


As most network devices are connected to networks, and often expose a management interface that is IP addressable, I'd say they qualify as endpoints. This view is also reflected in the SACM terminology, which states "To further clarify the [RFC5209] <https://tools.ietf.org/html/rfc5209> definition, an endpoint is any physical or virtual device that may have a network address. Note that, network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document."

This text squares with my original view of endpoints way back when we were working on the original SACM charter.
Regards,

Dave

From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Panos Kampanakis (pkampana)
Sent: Thursday, September 07, 2017 2:11 PM
To: Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: Re: [sacm] new drafts about network infrastructure device's security baseline:

When checking the SACM charter, I do not see any references to network infrastructure or network elements. I believe SACM's initial focus was on endpoints. Do these three drafts even fall in SACM's charter as it is right now?
Panos


From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Thursday, September 07, 2017 4:05 AM
To: sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: [sacm] new drafts about network infrastructure device's security baseline:

Hi all,
We have just submitted 3 drafts to specify the YANG data model of network infrastructure devices' (i.e., router, switch, firewall, etc.) security posture, or call it security baseline. Each draft covers one of the three planes of network infrastructure devices: data plane, control plane, management plane.

https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00

The goal is to facilitate the collection and assessment of the overall security posture of the network infrastructure devices, in order to realize whole-lifecycle security automation for the infrastructure network.
Your comments are warmly welcome!

B.R.
Frank
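The per-plane posture collection and baseline assessment that Frank's announcement describes, shown as an added example that is not part of the thread and not code from the three drafts or the SACM working group. The posture tree and every node name in it (telnet-enabled, ssh/version, copp/enabled, urpf/enabled, and so on) are constructed, hypothetical stand-ins for instance data of a YANG model split into management, control and data planes; the real drafts define their own schema. The assessor walks a baseline of expected values over that tree and reports non-compliant and missing nodes per plane, which is the kind of check a collector would run once such a model is populated from a device.

```python
"""Toy security-baseline assessor for a network infrastructure device.

Added example only. The posture instance below is constructed and its node
names are assumptions, not the schema of the SACM nid-*-security-baseline
drafts. It stands in for JSON-encoded instance data of a YANG model that
is organised by plane: management, control and data.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Constructed posture instance (hypothetical node names), as a collector
# might retrieve it from a router over NETCONF/RESTCONF.
DEVICE_POSTURE: Dict[str, Any] = {
    "management-plane": {
        "telnet-enabled": True,
        "ssh": {"enabled": True, "version": 2},
        "snmp": {"enabled": True, "version": "v2c"},
        "login-banner": "",
        "aaa": {"authentication": "local"},
    },
    "control-plane": {
        "ospf": {"enabled": True, "authentication": "none"},
        "bgp": {"enabled": True, "md5-auth": True},
        "copp": {"enabled": False},
    },
    "data-plane": {
        "urpf": {"enabled": False},
        "ip-source-routing": True,
        "acl-applied": ["mgmt-in"],
    },
}


@dataclass(frozen=True)
class Check:
    """One baseline rule: a path under a plane subtree and the predicate it must satisfy."""
    plane: str
    path: str                       # slash-separated path below the plane node
    expected: Callable[[Any], bool]
    description: str


def lookup(tree: Any, path: str) -> Any:
    """Return the node at a slash-separated path, or None if any step is absent."""
    node = tree
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


# Hypothetical baseline; the rules are typical hardening expectations, not the drafts' text.
BASELINE: List[Check] = [
    Check("management-plane", "telnet-enabled", lambda v: v is False, "telnet must be disabled"),
    Check("management-plane", "ssh/version", lambda v: v == 2, "SSH must be version 2"),
    Check("management-plane", "snmp/version", lambda v: v == "v3", "SNMP must be v3"),
    Check("management-plane", "aaa/authentication", lambda v: v in ("tacacs+", "radius"),
          "AAA must use a central authentication server"),
    Check("control-plane", "ospf/authentication", lambda v: v in ("md5", "sha"),
          "OSPF must authenticate neighbours"),
    Check("control-plane", "copp/enabled", lambda v: v is True, "control-plane policing must be enabled"),
    Check("data-plane", "urpf/enabled", lambda v: v is True, "unicast RPF must be enabled"),
    Check("data-plane", "ip-source-routing", lambda v: v is False, "IP source routing must be disabled"),
]

Finding = Tuple[str, str, str, str]   # (plane, path, status, description)


def assess(posture: Dict[str, Any], baseline: List[Check]) -> List[Finding]:
    """Evaluate every baseline rule; a node that is absent is reported as 'missing',
    one that is present but fails its predicate as 'non-compliant'."""
    findings: List[Finding] = []
    for check in baseline:
        value = lookup(posture.get(check.plane, {}), check.path)
        if value is None:
            findings.append((check.plane, check.path, "missing", check.description))
        elif not check.expected(value):
            findings.append((check.plane, check.path, f"non-compliant: {value!r}", check.description))
    return findings


def summarize_by_plane(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per plane, which is how the three drafts split the model."""
    counts: Dict[str, int] = {}
    for plane, *_ in findings:
        counts[plane] = counts.get(plane, 0) + 1
    return counts


if __name__ == "__main__":
    for plane, path, status, description in assess(DEVICE_POSTURE, BASELINE):
        print(f"{plane:17s} {path:22s} {status:24s} {description}")
    print(summarize_by_plane(assess(DEVICE_POSTURE, BASELINE)))
```

Treating an absent node as a finding rather than a pass matters in practice: a device or collector that does not implement part of the model should surface as a gap in coverage, not silently count as compliant.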