[sacm] Re: new drafts about network infrastructure device's security baseline:

"Xialiang (Frank)" <frank.xialiang@huawei.com> Fri, 08 September 2017 02:40 UTC


Hi Dave and Panos,
I think Dave gives a very clear and detailed clarification about the definition of endpoints in SACM and the latest SACM plan, thanks.

I will follow the SACM information model and the latest decision to update these drafts.
Any comments are welcome!

B.R.
Frank

From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
Sent: September 8, 2017 3:01
To: Panos Kampanakis (pkampana); Xialiang (Frank); sacm@ietf.org
Cc: Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
Subject: RE: new drafts about network infrastructure device's security baseline:

Panos,

At the last IETF meeting we started discussing a charter update. I believe we are currently waiting on the chairs to start this discussion on the list. This will give the working group an opportunity to clarify this issue in the charter.


As far as endpoints, the definition that has been used for endpoints in the SACM charter is the one from RFC 5209, which is: "Any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network. This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address."


As most network devices are connected to networks, and often expose a management interface that is IP addressable, I'd say they qualify as endpoints. This view is also reflected in the SACM terminology, which states: "To further clarify the [RFC5209] (https://tools.ietf.org/html/rfc5209) definition, an endpoint is any physical or virtual device that may have a network address. Note that, network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document."

This text squares with my original view of endpoints way back when we were working on the original SACM charter.



Regards,

Dave

From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Panos Kampanakis (pkampana)
Sent: Thursday, September 07, 2017 2:11 PM
To: Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: Re: [sacm] new drafts about network infrastructure device's security baseline:

When checking the SACM charter, I do not see any references to network infrastructure or network elements. I believe SACM’s initial focus was on endpoints. Do these three drafts even fall in SACM’s charter as it is right now?
Panos


From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Xialiang (Frank)
Sent: Thursday, September 07, 2017 4:05 AM
To: sacm@ietf.org
Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
Subject: [sacm] new drafts about network infrastructure device's security baseline:

Hi all,
We just submitted 3 drafts to specify the YANG data model of network infrastructure devices' (i.e., routers, switches, firewalls, etc.) security posture, also called the security baseline. Each draft covers one of the three planes of network infrastructure devices: data plane, control plane, management plane.

https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00

The goal is to facilitate the collection and assessment of the overall security posture of the network infrastructure devices, in order to realize whole-lifecycle security automation for the infrastructure network.
Your comments are warmly welcome!

B.R.
Frank