Re: [sacm] Review on draft-ietf-sacm-ecp-02
Adam Montville <adam.w.montville@gmail.com> Thu, 06 September 2018 17:33 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A39E130DDA for <sacm@ietfa.amsl.com>; Thu, 6 Sep 2018 10:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGlishm5niQi for <sacm@ietfa.amsl.com>; Thu, 6 Sep 2018 10:33:34 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 548D6129385 for <sacm@ietf.org>; Thu, 6 Sep 2018 10:33:34 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id t68-v6so22041524oie.12 for <sacm@ietf.org>; Thu, 06 Sep 2018 10:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Bw2x0Gd50kKAnQfBKgWbXOigH2Z8yWJiLvrgO3FSd7E=; b=l49tnWSloxiNSwQuOVlwmUYuLIL5OmxNyGmq3S9zt41fBxLaGsT+iRTb64WNIUOOjS WSlbX/37W/79v8kfHcSYAR/4eEtmM6h+AuvS1zRUex8EtWBeASjBjjlsHpo1op+5Vw5X C63cb1uPY9Y003K0mOC6RlGZn61IIRtCJ/6253ohbGCpcdBhWg5GjuHeof6YQOjChsT0 np6dAOiGKIdovIxMimBMQeQ5FSDKnAxafRCeY0wVHOdkiX5w5Ibr6OtnB3QGP+jMoJoT XyQTwYOJn5Nadu6kQpa+hMRtPoN7yeBAj6h1YqP8PiVTct1AU34fdhI0CNnCvzx7uQfZ yDsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Bw2x0Gd50kKAnQfBKgWbXOigH2Z8yWJiLvrgO3FSd7E=; b=L3pS4go2cl8sF1VP4Hroa/8YGYsuyTkM6JK4M5MSQE81iMB2T0oFe2o1FQ+UQANt0n UFoFFEbL4sBpby6F5ImyVmEnxTdfpxk88hRIRr+q7BQt3rwRYHM8jiYAM5Bpc3fo/6t7 uBKjdnG2sE15TgsJXq+vJFznwJPCFj8M80QnmhRqQqWKSANJSoYlYxy5pKehp818/kYT kK5NLSnVGuiif9iZjW6ruHkit+N+Nn1mj4uQCvQBFeUcTrqi6KzRc9eob0iaO+QKlaXe crPTxhSBpNoJNJBImAE9IeyJQJrrOZPT8HD1Pqw7S7a24GwmegZtiP7LFUe0w8Qk8/qW qXow==
X-Gm-Message-State: APzg51BYOSKOTjgG7yxtINKQkKobIYY7+mb/pSlrkdbQlhFG2kUhuxFk EyoKw8q6N91F6JFmBeXAVQ4=
X-Google-Smtp-Source: ANB0VdbGa9SmBxEzz1c8vMCc0MFFHV3yZLBW3CopxtoDV/qh8SIHVlrBuKr74EGUGcBNY1lczFYV8w==
X-Received: by 2002:aca:18d:: with SMTP id 135-v6mr3649428oib.2.1536255213410; Thu, 06 Sep 2018 10:33:33 -0700 (PDT)
Received: from afv.lan (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id p132-v6sm12254706oia.31.2018.09.06.10.33.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Sep 2018 10:33:32 -0700 (PDT)
From: Adam Montville <adam.w.montville@gmail.com>
Message-Id: <CBFA83D0-189A-453F-A845-AA8D35BED70F@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_53B01E84-A79F-4AF9-95F4-5AD5BB053D26"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 06 Sep 2018 12:33:30 -0500
In-Reply-To: <DM6PR09MB27145FE46A4BC762C23CE8DCA5010@DM6PR09MB2714.namprd09.prod.outlook.com>
Cc: "<sacm@ietf.org>" <sacm@ietf.org>
To: "Haynes Jr., Dan" <dhaynes@mitre.org>
References: <8662CDE7-A821-4C4C-B003-A12252F94550@gmail.com> <DM6PR09MB27146985B91839BB090516D5A50A0@DM6PR09MB2714.namprd09.prod.outlook.com> <541303E9-FEDE-4B31-BD88-D276AB5EC61F@gmail.com> <DM6PR09MB27145F9C5967B23777180D2FA5020@DM6PR09MB2714.namprd09.prod.outlook.com> <A885C2F0-CBA2-4135-9E49-116BAD0AE6A3@gmail.com> <DM6PR09MB27144F552850C264EBC6D323A5010@DM6PR09MB2714.namprd09.prod.outlook.com> <FA4FDD7C-3257-476F-927A-D389A0ED143A@gmail.com> <DM6PR09MB27145FE46A4BC762C23CE8DCA5010@DM6PR09MB2714.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/dW7IRH9Trmyej2CJuRCZoQzcGa8>
Subject: Re: [sacm] Review on draft-ietf-sacm-ecp-02
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 17:33:37 -0000
Sweet! Looking forward to it. > On Sep 6, 2018, at 12:32 PM, Haynes Jr., Dan <dhaynes@mitre.org> wrote: > > Correct. I will make these changes and post an updated draft tomorrow afternoon. > > Thanks, > > Danny > > > From: Adam Montville <adam.w.montville@gmail.com> > Sent: Thursday, September 06, 2018 1:08 PM > To: Haynes Jr., Dan <dhaynes@mitre.org> > Cc: <sacm@ietf.org> <sacm@ietf.org> > Subject: Re: [sacm] Review on draft-ietf-sacm-ecp-02 > > Thanks, Danny. Looks like it's about buttoned up in terms of my comments? > > > On Sep 6, 2018, at 12:04 PM, Haynes Jr., Dan <dhaynes@mitre.org <mailto:dhaynes@mitre.org>> wrote: > > Hi Adam, > > Even more comments inline :). > > Thanks, > > Danny > > From: Adam Montville <adam.w.montville@gmail.com <mailto:adam.w.montville@gmail.com>> > Sent: Wednesday, September 05, 2018 11:38 PM > To: Haynes Jr., Dan <dhaynes@mitre.org <mailto:dhaynes@mitre.org>> > Cc: <sacm@ietf.org <mailto:sacm@ietf.org>> <sacm@ietf.org <mailto:sacm@ietf.org>> > Subject: Re: [sacm] Review on draft-ietf-sacm-ecp-02 > > Thanks, Danny. I snipped a bunch of the original content to save space. See inline. > > > > On Sep 5, 2018, at 3:53 PM, Haynes Jr., Dan <dhaynes@mitre.org <mailto:dhaynes@mitre.org>> wrote: > > Section 5: When is the target endpoint told what attributes matter and their tolerance ranges? > [Danny]: Wouldn’t it be determined by the data models that are called out in the EPCP Implementations section? > > That seems like an inference :-) To me, it's better to explain that, but mine is just one opinion. > > [Danny]: I think it would be covered in the "provisioning" section in EPCP Transactions. In -03, I updated the "NOTE: TO BE EXPANDED" to say the following. > > "An endpoint is provisioned with one or more attributes that will serve as its unique identifier on the network as well as the components necessary to interact with the posture manager. Examples of such identifiers include MAC addresses, serial numbers, hardware certificates compliant with [IEEE-802-1ar], and the identities of hardware cryptographic modules among others. Furthermore, in some cases, an endpoint may need to be provisioned with instantiations of data models if the posture collection engine is expecting posture information in that format. Once provisioning is complete, the endpoint is deployed on the network." > > Does this help make it clearer? Or, if not, is there any text that you would like to see? > > At first blush this seems helpful. What if the attributes of interest change over time? Not sure they will, or even should. But, the more likely scenario is when a new attribute is introduced. At that point, how do we tell the endpoint we're interested in monitoring that new attribute? > > [Danny]: I think those are both possible situations that we want to account for. If there is a Posture Collector on the endpoint that can collect the attributes, it just needs to be configured via the Administrative Interface or API. If there isn’t a Posture Collector on the endpoint that can collect the attributes, a new Posture Collector needs to be installed on the endpoint and then configured by the Administrative Interface or API. We can add some text to this section stating that components and data models may need to be added or updated over time to fulfill the collection needs of the enterprise. Maybe something like the following. > > "An endpoint is provisioned with one or more attributes that will serve as its unique identifier on the network as well as the components and data models necessary to interact with the posture manager. Examples of such identifiers include MAC addresses, serial numbers, hardware certificates compliant with [IEEE-802-1ar], and the identities of hardware cryptographic modules among others. Once provisioning is complete, the endpoint is deployed on the network. Over time, components and data models may need to be added to the endpoint or updated to support the collection needs of an enterprise." > > Section 5.1: NOTE: TO BE EXPANDED before WGLC? > [Danny]: Yes, we will update this in the next draft. > Section 5.6: It feels odd to allow authorized repo access w/o specifying an interface. That said…may have a good idea for such a draft down the road a place. > [Danny]: Given that we don’t actually have a protocol or interface for this, I think it’s more of a note of what we want when we develop one. So, I think we are in agreement here? > > Seems that way. > Section 6.2.4: Why not support fetch/polling via NETCONF and RESTCONF now? > [Danny]: This should be supported through NETCONF and RESTCONF now. This text is just trying to say that we also want to support the self-reporting capabilities provided by Yang Push once it’s an RFC. > > Ok. Is it worthwhile to also state NETCONF/RESTCONF? > > [Danny]: Section 6.2 contains normative references to NETCONF/RESTCONF. Are you looking for something more? > > Sorry. This is my oversight, I think. Seems sane. > > Section 6.3: Change “Update the policy…” to “Establish and update the policy…” > [Danny]: Addressed. > Section 6.3: Why shouldn’t the API offer commands and policy interaction? > [Danny]: Are you asking why the API shouldn’t offer endpoints the ability to issue commands and policy interactions? > > No. The API is enabling query, but no proactive tasks. How are policies managed? Seems that the API should enable that as well. > > [Danny]: I think I am confused. Doesn't the API already support managing the policy in section 6.3 (i.e., establish and update the policy)? > > I'm probably the one who is confused. :-) The way I read that section is that it addresses two means of interaction: 1) administrative interface, 2) API. I took the first three bullets as applicable to the administrative interface, and the solitary bullet as applicable to the API. If all of the bullets are applied to each, then I think the section could be rearranged to combine the two bulleted lists and state something to the effect that the list applies to both the administrative interface and the API. > > [Danny]: Sorry my bad. I read it wrong. I don’t see anything wrong with the interface and API supporting the same capabilities especially since it isn’t defined yet :). I will update the text to make them both support the same capabilities.
- [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville