Re: [sacm] Reply: new drafts about network infrastructure device's security baseline:

Adam Montville <adam.w.montville@gmail.com> Fri, 08 September 2017 13:34 UTC

From: Adam Montville <adam.w.montville@gmail.com>
Date: Fri, 08 Sep 2017 13:33:50 +0000
Message-ID: <CACknUNUvP8tU4Lb+cxDRz2KgKq5PsCyHPUXMUqJan9uRNrWgWQ@mail.gmail.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>
Cc: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/hJ8hH8sOFeHG3VDUrcrjLoN4spY>

Dave's recollection regarding "endpoint" in SACM is correct - it's an old
discussion that comes up from time to time, but because network devices are
often addressable by IP, they're considered, in the context of their
management, an endpoint. The charter could have been clearer, perhaps, and
as we work toward a new charter (chairs will have something to the list
very soon) the working group may choose to be more specific.

Kind regards,

Adam

On Thu, Sep 7, 2017 at 9:40 PM Xialiang (Frank) <frank.xialiang@huawei.com>
wrote:

> Hi Dave and Panos,
>
> I think Dave gives a very clear and detailed clarification about the
> definition of endpoints in SACM and the latest SACM plan, thanks.
>
> I will follow the SACM information model and the latest decision to update
> these drafts.
>
> Any comments are welcome!
>
> B.R.
>
> Frank
>
> *From:* Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov]
> *Sent:* September 8, 2017 3:01
> *To:* Panos Kampanakis (pkampana); Xialiang (Frank); sacm@ietf.org
> *Cc:* Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
> *Subject:* RE: new drafts about network infrastructure device's security
> baseline:
>
> Panos,
>
> At the last IETF meeting we started discussing a charter update. I believe
> we are currently waiting on the chairs to start this discussion on the
> list. This will give the working group an opportunity to clarify this issue
> in the charter.
>
> As far as endpoints, the definition that has been used for endpoints in the
> SACM charter is the one from RFC 5209, which is “Any computing device that
> can be connected to a network. Such devices normally are associated with a
> particular link layer address before joining the network and potentially an
> IP address once on the network. This includes: laptops, desktops, servers,
> cell phones, or any device that may have an IP address.”
>
> As most network devices are connected to networks, and often expose a
> management interface that is IP addressable, I’d say they qualify as
> endpoints. This view is also reflected in the SACM terminology, which
> states “To further clarify the [RFC5209 <https://tools.ietf.org/html/rfc5209>]
> definition, an endpoint is any physical or virtual device that may have a
> network address. Note that, network infrastructure devices (e.g. switches,
> routers, firewalls), which fit the definition, are also considered to be
> endpoints within this document.”
>
> This text squares with my original view of endpoints way back when we were
> working on the original SACM charter.
>
> Regards,
>
> Dave
>
> *From:* sacm [mailto:sacm-bounces@ietf.org <sacm-bounces@ietf.org>] *On
> Behalf Of *Panos Kampanakis (pkampana)
> *Sent:* Thursday, September 07, 2017 2:11 PM
> *To:* Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
> *Cc:* Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying
> (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
> *Subject:* Re: [sacm] new drafts about network infrastructure device's
> security baseline:
>
> When checking the SACM charter, I do not see any references to network
> infrastructure or network elements. I believe SACM’s initial focus was on
> endpoints. Do these three drafts even fall in SACM’s charter as it is right
> now?
>
> Panos
>
> *From:* sacm [mailto:sacm-bounces@ietf.org <sacm-bounces@ietf.org>] *On
> Behalf Of *Xialiang (Frank)
> *Sent:* Thursday, September 07, 2017 4:05 AM
> *To:* sacm@ietf.org
> *Cc:* Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying
> (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
> *Subject:* [sacm] new drafts about network infrastructure device's
> security baseline:
>
> Hi all,
>
> We just submitted 3 drafts to specify the YANG data model of network
> infrastructure devices' (i.e., router, switch, firewall, etc.) security
> posture, or call it security baseline. Each draft covers one of the three
> planes of network infrastructure devices: data plane, control plane,
> management plane.
>
> https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
>
> https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
>
> https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00
>
> The goal is to facilitate the collection and assessment of the overall
> security posture of the network infrastructure devices, in order to realize
> the whole lifecycle security automation for the infrastructure network.
>
> Your comments are warmly welcome!
>
> B.R.
>
> Frank