Re: [sacm] Re: new drafts about network infrastructure device's security baseline:

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 11 September 2017 15:35 UTC

From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>
CC: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
Thread-Topic: [sacm] Re: new drafts about network infrastructure device's security baseline:
Date: Mon, 11 Sep 2017 15:35:13 +0000
Message-ID: <808ED0DE-508A-47FA-A9F0-CD60CF586A79@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/_OPYbqRvBvGa_kY8Z6GKiUQsfmI>
Subject: Re: [sacm] Re: new drafts about network infrastructure device's security baseline:

Hi Frank,

It is not clear to me why we couldn’t reference the work and attributes already being worked on in NETMOD and perhaps i2nsf?  While I agree that SACM includes network elements as endpoints, I think we can leverage work already being defined by other working groups.

Warm regards, Nancy



From: sacm <sacm-bounces@ietf.org> on behalf of "Xialiang (Frank)" <frank.xialiang@huawei.com>
Date: Thursday, September 7, 2017 at 7:39 PM
To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Panos Kampanakis <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>
Cc: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
Subject: [sacm] Re: new drafts about network infrastructure device's security baseline:

Hi Dave and Panos,
I think Dave gives a very clear and detailed clarification about the definition of endpoints in SACM and the latest SACM plan, thanks.

I will follow the SACM information model and the latest decision to update these drafts.
Any comments are welcome!

B.R.
Frank

From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
Sent: September 8, 2017 3:01
To: Panos Kampanakis (pkampana); Xialiang (Frank); sacm@ietf.org
Cc: Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
Subject: RE: new drafts about network infrastructure device's security baseline:

Panos,

At the last IETF meeting we started discussing a charter update. I believe we are currently waiting on the chairs to start this discussion on the list. This will give the working group an opportunity to clarify this issue in the charter.


As far as endpoints, the definition that has been used for endpoints in the SACM charter is the one from RFC 5209, which is “Any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address.”


As most network devices are connected to networks, and often expose a management interface that is IP addressable, I’d say they qualify as endpoints. This view is also reflected in the SACM terminology, which states “To further clarify the [RFC5209] <https://tools.ietf.org/html/rfc5209> definition, an endpoint is any physical or virtual device that may have a network address. Note that, network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document.”

This text squares with my original view of endpoints way back when we were working on the original SACM charter.



Regards,

Dave

From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Panos Kampanakis (pkampana)
Sent: Thursday, September 07, 2017 2:11 PM
To: Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: Re: [sacm] new drafts about network infrastructure device's security baseline:

When checking the SACM charter, I do not see any references to network infrastructure or network elements. I believe SACM’s initial focus was on endpoints. Do these three drafts even fall in SACM’s charter as it is right now?
Panos


From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Thursday, September 07, 2017 4:05 AM
To: sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: [sacm] new drafts about network infrastructure device's security baseline:

Hi all,
We have just submitted 3 drafts to specify the YANG data model of network infrastructure devices' (i.e., router, switch, firewall, etc.) security posture, or call it security baseline. Each draft covers one of the three planes of network infrastructure devices: data plane, control plane, management plane.

https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00

The goal is to facilitate the collection and assessment of the overall security posture of the network infrastructure devices, in order to realize the whole lifecycle security automation for the infrastructure network.
Your comments are warmly welcome!

B.R.
Frank