Re: [sacm] Review on draft-ietf-sacm-ecp-02
"Haynes Jr., Dan" <dhaynes@mitre.org> Thu, 06 September 2018 17:05 UTC
Return-Path: <dhaynes@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9857B130ED9 for <sacm@ietfa.amsl.com>; Thu, 6 Sep 2018 10:05:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com header.b=Cg83jU5S; dkim=pass (1024-bit key) header.d=mitre.org header.b=tkyjTlur
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GLblwwYAjNFf for <sacm@ietfa.amsl.com>; Thu, 6 Sep 2018 10:04:59 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EE0E130ED7 for <sacm@ietf.org>; Thu, 6 Sep 2018 10:04:59 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 7E1276C001E; Thu, 6 Sep 2018 13:04:58 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (unknown [129.83.29.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id 614126C0018; Thu, 6 Sep 2018 13:04:58 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (129.83.29.3) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 6 Sep 2018 13:04:57 -0400
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Thu, 6 Sep 2018 13:04:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EW1CTNtO+Y3h3srUDxhXbYu+O7xrNlY3cUYOsxGBJgw=; b=Cg83jU5SY/XOvMYNyEH3Jv9+UV0WdvnSoK0CJqfzuALITbay8bokDpIGMZeTJaaWW4GeBsdwIdUneMuIWSjuzKFMPWYUulHXB+zCG1B47q6rQdj1zq8dq5k/ScxpfpSI+s3wuwieKIB1dhXEu//ZRJ8e9slrjOD/hK1U+Ja8cUs=
Received: from DM6PR09MB2714.namprd09.prod.outlook.com (20.176.97.148) by DM6PR09MB2716.namprd09.prod.outlook.com (20.176.97.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.15; Thu, 6 Sep 2018 17:04:56 +0000
Received: from DM6PR09MB2714.namprd09.prod.outlook.com ([fe80::8937:5c7a:8648:f21e]) by DM6PR09MB2714.namprd09.prod.outlook.com ([fe80::8937:5c7a:8648:f21e%3]) with mapi id 15.20.1101.016; Thu, 6 Sep 2018 17:04:56 +0000
From: "Haynes Jr., Dan" <dhaynes@mitre.org>
To: "Montville, Adam W" <adam.w.montville@gmail.com>
CC: "<sacm@ietf.org>" <sacm@ietf.org>
Thread-Topic: [sacm] Review on draft-ietf-sacm-ecp-02
Thread-Index: AQHUOvXME4Hpue8dVEyi3uwt10Xm+qTVjLQwgAx4ToCAACqpSIAAgIoAgACxqAA=
Date: Thu, 06 Sep 2018 17:04:56 +0000
Message-ID: <DM6PR09MB27144F552850C264EBC6D323A5010@DM6PR09MB2714.namprd09.prod.outlook.com>
References: <8662CDE7-A821-4C4C-B003-A12252F94550@gmail.com> <DM6PR09MB27146985B91839BB090516D5A50A0@DM6PR09MB2714.namprd09.prod.outlook.com> <541303E9-FEDE-4B31-BD88-D276AB5EC61F@gmail.com> <DM6PR09MB27145F9C5967B23777180D2FA5020@DM6PR09MB2714.namprd09.prod.outlook.com> <A885C2F0-CBA2-4135-9E49-116BAD0AE6A3@gmail.com>
In-Reply-To: <A885C2F0-CBA2-4135-9E49-116BAD0AE6A3@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dhaynes@mitre.org;
x-originating-ip: [192.160.51.89]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR09MB2716; 6:F/ku6HvFKqTGHLWkRLt5Erb4aRRNJ1aS9FV9qoTH6J/9+PrV5McnMScbkw6hT+lOODU7DwB10NehpGNzkie7SBQHqDZ1pUIbkbexuzUVD0DkyZwJ+IbRazBQCWpOTnTYjlqRSThbu4+9wIEITazv2DsMBJ6ilyqkOj4yoFwRfeIuorMNrKBk99/BRQh2FXee3kgJd9WA42+vTek6rh2SEYbrgFvfXg8kSCHBcyStmGZ04/s/VOt7W8xqMtxIrBxO3rthKnoZ3kXuP3nndKnWXDjoasSQktSC8KEJeXzJCPeAWG6FVt5wZHe9Cso9GnkOQL5CVcUZ+zGrCikUlFNcT6Ing3779IV6njUSFj454bDVYKYwy/wU5gD+MN5dj25wXlJB/B5T8A+S+vSAkdubfY1HrI1wG2wniI5iWe4Hf1fl4SZqG/Gs1yG/Uz6hmmq02F7tL216uHU/U9ODlhdhcQ==; 5:yZHM3eLoZ4zC+7o6Z49Elw48vRJlrcvXk1fbodYZ+be8W6XDOfbbgOMRWVkmqqc5chqCuY1LmCFFl85kZi9xVVoaGDGd4EiE2jlLx4inD6s7GVrf15k7Jx2aGyXhmm7R2bmm2P1lSR2zCZoJHbHaz2LFuq/sg/79tx/tlleYczg=; 7:MnR4fXuNpLSePzjCTNjFoy1/pU3JdaWYhG3DumNBGoMKcHmIxiygAr/Ez+ZoAUE4uEQsNvy01PKyuo80d/JmTt6nnAtRqlfNUnzA7ZxQLGCFmwdTl775T8Bbvs8QQ3n/qduPB3lMUQ1ntwZdfxjVRL8eZRfaDmjvWthaiXvRyCd191k11mke/U4emLFK1wC+dkP+/2COHCTTiqAyILuuj62csPHkiKvbcr2G8Q563nO3a81hkmof+9LVmL+V3HyR
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7774d81f-9a1c-4e0b-f35c-08d6141adf41
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR09MB2716;
x-ms-traffictypediagnostic: DM6PR09MB2716:
x-ld-processed: c620dc48-1d50-4952-8b39-df4d54d74d82,ExtAddr
x-microsoft-antispam-prvs: <DM6PR09MB271644CD15C50DA1BD5BCCB5A5010@DM6PR09MB2716.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(72170088055959)(35073007944872)(85827821059158)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(93006095)(93001095)(3002001)(10201501046)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201708071742011)(7699016); SRVR:DM6PR09MB2716; BCL:0; PCL:0; RULEID:; SRVR:DM6PR09MB2716;
x-forefront-prvs: 0787459938
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(366004)(376002)(136003)(346002)(396003)(40224003)(199004)(189003)(102836004)(6306002)(33656002)(316002)(25786009)(6916009)(53546011)(6506007)(81156014)(4326008)(3846002)(81166006)(106356001)(7696005)(19609705001)(76176011)(66066001)(6246003)(478600001)(14454004)(9326002)(93886005)(8936002)(86362001)(74316002)(8676002)(2900100001)(790700001)(68736007)(6116002)(105586002)(39060400002)(99286004)(7736002)(229853002)(476003)(5250100002)(2906002)(5660300001)(256004)(14444005)(97736004)(6436002)(11346002)(9686003)(54896002)(236005)(26005)(446003)(486006)(186003)(55016002)(53936002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR09MB2716; H:DM6PR09MB2714.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: BwyVlRo4BEs6639MkmmTlK85F6O/Q1QunkuUls9CZOZUx/wpPndGEjIye1SdnkGCi5P3De+uDDmiqiOmeV9JbyfBAnPQXl3/7bhYDCxNo7Gv4JICdXu7qXNHcqpYR5CVOmaHML28UoZdcdQbRS0L3fM8rTbUzU96E3WlH8U3BhQV6ezpxZNl3JgXSjOLiYl7ElYhHxmWBKaBaJptJn8nLsQ/if3M6/pwcYs+4EYyoTV0Oz5RJYY7/JVvfqClDj2HkhtZ53aHRI187J7Y5kGD3+9as0uzoEclKohpb+i487UMUc5DwFgPIx3uW6AH8MgkVXzPYEmN1jwLzfRJKBhm86tzikvqEA0sCJJU4zctkgI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM6PR09MB27144F552850C264EBC6D323A5010DM6PR09MB2714namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7774d81f-9a1c-4e0b-f35c-08d6141adf41
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2018 17:04:56.6279 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR09MB2716
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:mime-version; s=selector1; bh=EW1CTNtO+Y3h3srUDxhXbYu+O7xrNlY3cUYOsxGBJgw=; b=tkyjTlurIOK6RUgVK2mpr7rxTF9iHpo0vtZfb+XREWEP8fL1cBGR08mpiSh/MxgUrTm7Wma6uOr6cTjP0j2CCBlq6HyT+W69aD1W9d5xT9tfO9WuBrZ9qPOlAp2YOXzg8nUrYt6EjegKV4spXO/NrmMrEe9eS73ibPqCqvLEVqk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/gtIS30elKDOrKcacaPgHKmlf3Ko>
Subject: Re: [sacm] Review on draft-ietf-sacm-ecp-02
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 17:05:04 -0000
Hi Adam, Even more comments inline :). Thanks, Danny From: Adam Montville <adam.w.montville@gmail.com> Sent: Wednesday, September 05, 2018 11:38 PM To: Haynes Jr., Dan <dhaynes@mitre.org> Cc: <sacm@ietf.org> <sacm@ietf.org> Subject: Re: [sacm] Review on draft-ietf-sacm-ecp-02 Thanks, Danny. I snipped a bunch of the original content to save space. See inline. On Sep 5, 2018, at 3:53 PM, Haynes Jr., Dan <dhaynes@mitre.org<mailto:dhaynes@mitre.org>> wrote: * Section 5: When is the target endpoint told what attributes matter and their tolerance ranges? [Danny]: Wouldn’t it be determined by the data models that are called out in the EPCP Implementations section? That seems like an inference :-) To me, it's better to explain that, but mine is just one opinion. [Danny]: I think it would be covered in the "provisioning" section in EPCP Transactions. In -03, I updated the "NOTE: TO BE EXPANDED" to say the following. "An endpoint is provisioned with one or more attributes that will serve as its unique identifier on the network as well as the components necessary to interact with the posture manager. Examples of such identifiers include MAC addresses, serial numbers, hardware certificates compliant with [IEEE-802-1ar], and the identities of hardware cryptographic modules among others. Furthermore, in some cases, an endpoint may need to be provisioned with instantiations of data models if the posture collection engine is expecting posture information in that format. Once provisioning is complete, the endpoint is deployed on the network." Does this help make it clearer? Or, if not, is there any text that you would like to see? At first blush this seems helpful. What if the attributes of interest change over time? Not sure they will, or even should. But, the more likely scenario is when a new attribute is introduced. At that point, how do we tell the endpoint we're interested in monitoring that new attribute? [Danny]: I think those are both possible situations that we want to account for. If there is a Posture Collector on the endpoint that can collect the attributes, it just needs to be configured via the Administrative Interface or API. If there isn’t a Posture Collector on the endpoint that can collect the attributes, a new Posture Collector needs to be installed on the endpoint and then configured by the Administrative Interface or API. We can add some text to this section stating that components and data models may need to be added or updated over time to fulfill the collection needs of the enterprise. Maybe something like the following. "An endpoint is provisioned with one or more attributes that will serve as its unique identifier on the network as well as the components and data models necessary to interact with the posture manager. Examples of such identifiers include MAC addresses, serial numbers, hardware certificates compliant with [IEEE-802-1ar], and the identities of hardware cryptographic modules among others. Once provisioning is complete, the endpoint is deployed on the network. Over time, components and data models may need to be added to the endpoint or updated to support the collection needs of an enterprise." * Section 5.1: NOTE: TO BE EXPANDED before WGLC? [Danny]: Yes, we will update this in the next draft. * Section 5.6: It feels odd to allow authorized repo access w/o specifying an interface. That said…may have a good idea for such a draft down the road a place. [Danny]: Given that we don’t actually have a protocol or interface for this, I think it’s more of a note of what we want when we develop one. So, I think we are in agreement here? Seems that way. * Section 6.2.4: Why not support fetch/polling via NETCONF and RESTCONF now? [Danny]: This should be supported through NETCONF and RESTCONF now. This text is just trying to say that we also want to support the self-reporting capabilities provided by Yang Push once it’s an RFC. Ok. Is it worthwhile to also state NETCONF/RESTCONF? [Danny]: Section 6.2 contains normative references to NETCONF/RESTCONF. Are you looking for something more? Sorry. This is my oversight, I think. Seems sane. * Section 6.3: Change “Update the policy…” to “Establish and update the policy…” [Danny]: Addressed. * Section 6.3: Why shouldn’t the API offer commands and policy interaction? [Danny]: Are you asking why the API shouldn’t offer endpoints the ability to issue commands and policy interactions? No. The API is enabling query, but no proactive tasks. How are policies managed? Seems that the API should enable that as well. [Danny]: I think I am confused. Doesn't the API already support managing the policy in section 6.3 (i.e., establish and update the policy)? I'm probably the one who is confused. :-) The way I read that section is that it addresses two means of interaction: 1) administrative interface, 2) API. I took the first three bullets as applicable to the administrative interface, and the solitary bullet as applicable to the API. If all of the bullets are applied to each, then I think the section could be rearranged to combine the two bulleted lists and state something to the effect that the list applies to both the administrative interface and the API. [Danny]: Sorry my bad. I read it wrong. I don’t see anything wrong with the interface and API supporting the same capabilities especially since it isn’t defined yet :). I will update the text to make them both support the same capabilities.
- [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Haynes Jr., Dan
- Re: [sacm] Review on draft-ietf-sacm-ecp-02 Adam Montville