IETF Logo Mail Archive

Re: [sacm] Comments on draft-ietf-sacm-ecp

"Haynes Jr., Dan" <dhaynes@mitre.org> Tue, 03 April 2018 18:29 UTC

Return-Path: <dhaynes@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E25AF12D7F7; Tue, 3 Apr 2018 11:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKgmMQXp49dX; Tue, 3 Apr 2018 11:28:57 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 4C175124BE8; Tue, 3 Apr 2018 11:28:57 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A33FF6C007B; Tue, 3 Apr 2018 14:28:57 -0400 (EDT)
Received: from imshyb02.MITRE.ORG (unknown [129.83.29.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id 8BDBB6C0072; Tue, 3 Apr 2018 14:28:57 -0400 (EDT)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 3 Apr 2018 14:28:55 -0400
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Tue, 3 Apr 2018 14:28:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=JxBRmR0qd+rjGQCaeoMth8uV/ROMPHqnxqXeVps/qxY=; b=bCeCeMQCjIVHRnNAP9K2KomVRbQx5jwYD4VAFjLrHGry+Oln9GzRyKNwUmlxbR5nxuHF4gf4TsmxqXFOI+zqGechtIDB5/eQxryrNW2rjIeMXEDviTRSQGWCFyACBFW8kfixfGqNYW/s9kgIgtHCHQP18ZWTTWIdhoqUuZQjTYM=
Received: from DM5PR0901MB2197.namprd09.prod.outlook.com (10.167.106.167) by DM5PR0901MB2199.namprd09.prod.outlook.com (10.167.109.39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.631.10; Tue, 3 Apr 2018 18:28:54 +0000
Received: from DM5PR0901MB2197.namprd09.prod.outlook.com ([fe80::e550:42b2:7e29:134b]) by DM5PR0901MB2197.namprd09.prod.outlook.com ([fe80::e550:42b2:7e29:134b%13]) with mapi id 15.20.0631.013; Tue, 3 Apr 2018 18:28:54 +0000
From: "Haynes Jr., Dan" <dhaynes@mitre.org>
To: "Montville, Adam W" <adam.w.montville@gmail.com>, "draft-ietf-sacm-ecp@ietf.org" <draft-ietf-sacm-ecp@ietf.org>
CC: "<sacm@ietf.org>" <sacm@ietf.org>
Thread-Topic: Comments on draft-ietf-sacm-ecp
Thread-Index: AQHTyrjv7uoxXF+PNU2Ohl0MdfWl/6PvAFqA
Date: Tue, 03 Apr 2018 18:28:54 +0000
Message-ID: <DM5PR0901MB219737E3075D0C2C84E916D3A5A50@DM5PR0901MB2197.namprd09.prod.outlook.com>
References: <A9A78B93-981C-4857-AC35-CD38055DA55B@gmail.com>
In-Reply-To: <A9A78B93-981C-4857-AC35-CD38055DA55B@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dhaynes@mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2199; 7:qGmP3xNnkHFKhPJsYLMLxjF/famXa9vooBIRrsJ5BOqFxj/v840hkLKc/gpm53NlmCnqf2OzK/BUf3RKTdOTGtBXptzU6rmyTwubD4ZJdZlOLrU9qQozZH3tRsPtDK0qzoPBxK6g0ELJ1qnGGGbyV8/gE3v/WQq3wfoTFGGyL66HW3NvLoa6BNT5UgxK4mzIlrSud5bPQS8f46wfKyW+3zqAKDSmgMbd4aCxMI3bwbbLQ/I+377mBNefHzSb4h9e
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 2a804802-a8ea-46d2-2f9b-08d59990c197
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:DM5PR0901MB2199;
x-ms-traffictypediagnostic: DM5PR0901MB2199:
x-ld-processed: c620dc48-1d50-4952-8b39-df4d54d74d82,ExtAddr
x-microsoft-antispam-prvs: <DM5PR0901MB2199BCD2CB561C38FD4899D1A5A50@DM5PR0901MB2199.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(72170088055959)(120809045254105)(85827821059158)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231221)(944501327)(52105095)(6055026)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(20161123562045)(6072148)(201708071742011); SRVR:DM5PR0901MB2199; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2199;
x-forefront-prvs: 0631F0BC3D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(396003)(39860400002)(366004)(376002)(346002)(199004)(189003)(51444003)(6436002)(33656002)(2906002)(6306002)(7736002)(9686003)(55016002)(229853002)(2501003)(236005)(74316002)(66066001)(5250100002)(53936002)(3280700002)(186003)(6246003)(5660300001)(316002)(110136005)(2900100001)(39060400002)(97736004)(54896002)(4326008)(68736007)(26005)(3660700001)(606006)(478600001)(486005)(105586002)(7696005)(14454004)(966005)(81156014)(25786009)(8676002)(8936002)(106356001)(81166006)(790700001)(6506007)(486005)(102836004)(53546011)(59450400001)(3846002)(99286004)(76176011)(11346002)(6116002)(476003)(446003)(86362001)(19609705001)(9326002)(564094006); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2199; H:DM5PR0901MB2197.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: MmI7qdqJ08f59MfaQYWIVuuj9QAwlW3ECu2xFC/vO+gQKK4CLbiTJ6ts2rQDJ3HK4uoXQbMA7+HY3Uvbv23Q5DXOaqxRws/OpsSZ0eNUTypvsedHBJHAhOql8d7L2DJaSP2NQCq0ej6Wc66oI8vt37o5AZ7xo3PGUNLJvc83jWUAXa2mlg6yiyVV3pLJsNWVA5jwOrONL9kpWBlDOYuwCxk4IfETeFc4ScM+8KSLkdtkDANZ+28l912MRg8AwEBqSbXp5HHjdMa3s1gSpUKv5FiQH3MynsvqrSvzD3hntS51eZUvss14ZNndIT9DgPd7SUnFjkTB7cco1dj63I2hsLqtgsAX8uavyxHwb70gIZ4J8V1KutmE8DMbyL4qwqNKZdBO7zhIX36XSo+TXkferoYyuoc5RJtvQ6zrCsBm5jA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR0901MB219737E3075D0C2C84E916D3A5A50DM5PR0901MB2197_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2a804802-a8ea-46d2-2f9b-08d59990c197
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2018 18:28:54.3950 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2199
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/tSKnM578SBf9PVsYpcZ8sXVVHR0>
Subject: Re: [sacm] Comments on draft-ietf-sacm-ecp
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2018 18:29:01 -0000

Hi Adam,

Comments inline below.

Thanks,

Danny

From: Adam Montville [mailto:adam.w.montville@gmail.com]
Sent: Monday, April 02, 2018 3:29 PM
To: draft-ietf-sacm-ecp@ietf.org
Cc: <sacm@ietf.org> <sacm@ietf.org>
Subject: Comments on draft-ietf-sacm-ecp

Hello ECP'ers (and SACM),

I'm still going through the 01 revision of the ECP draft, but am now really looking at some of the documents it points to. I have a few comments and clarifying questions, in no particular order (I do apologize for the shotgun approach here)...


  *   This is a really verbose draft. I'd be happy to help trim it down. :-)
[danny] Sounds good to me :). Feel free to propose changes.

  *   I'm noting that Lisa Lorenzin is no longer with Pulse Secure - does her information need to be updated?
[danny] It probably should be, but, I don't have her latest information. Does anyone have it?

  *   I'm not 100% clear on the scope of this draft. At one point, the draft seems relegated to what it calls the posture manager and the software executing on an endpoint, but at another point the draft talks about necessary repository functions. (See my final comment below.)
[danny] Yes, you are correct. We have been slowly iterating the draft to get it away from as solution for connected and compliant use cases to a common framework for the collection of endpoint information (needed for asset management, hardware/software inventory, configuration, vulnerability) and the communication of that information to a centralized server. Your comment about being one way to collect information is also correct. We updated it from being entirely NEA/TNC focused to be open and support other protocols like NETMOD.

  *   How related are IM-IMC and/or IM-IVC to IF-MAP? I don't think very related, but this is outside my area of knowledge. I ask because at one point Lisa warned the working group about some IF-MAP-related pitfalls to avoid.
[danny] They are not related. IF-IMC and IF-IMV are interfaces between Posture Collectors and the Posture Broker Client and Posture Validators and the Posture Broker Server respectively. This provides a common interface by which Posture Collectors and Posture Validators can developed and easily deployed into the system. IF-MAP is just an interface between TNC components and the metadata access point (MAP) server which stores network and endpoint information. Unfortunately, I am not familiar with the IF-MAP-related pitfalls to avoid. Can someone with more TCG experience elaborate on the pitfall associated with IF-MAP?

  *   I would consider removing section 8 (though retaining section 9 might be helpful from a scoping perspective)
[danny] I think both could be good from a scoping perspective. Perhaps, we should move these to an appendix?

  *   I would move section 10 way up front.

     *   Note that these examples are relying on SWID collectors which aren't really what the examples are intended to convey.
     *   For example, 10.1 claims "posture assessment" but shows only SWIMA, which may be part of posture collection, but is not wholly posture collection.
[danny] I don't have an objection to that. What do others think about this?

  *   I would like to see how the authors feel ECP maps to RFC8248 (similar to the attempt we made in the mandm draft [2])
[danny] It doesn't directly map to RFC8248, but, it talks about how ECP aligns with SACM (https://tools.ietf.org/html/draft-haynes-sacm-ecp-recommendations-00). Does this help?

  *   Not being as familiar with NEA as I perhaps should be, I'm interested to know whether NEA prescribes an event-driven approach to monitoring or if that is an ECP agumentation (see 10.1.1)

[danny] Events are prescribed in the extensions to NEA. For example, in SWIMA, it states:



                  All SWIMA-PCs MUST be able to be able to detect changes to the Software Inventory Evidence Collection.  Specifically, SWIMA-PCs MUST be able to detect:

o   The creation of records

o   The deletion of records

o   The alteration of records



  *   Wherever the draft says something like "SWIMA Posture Collection", I would say "SWIMA inventory collection" or something similar to that. Posture has s specific definition per our terminology draft [3], and the information enabled by use of SWIMA is part of, but is not in total, posture information.
[danny] Can you clarify? Looking at the definition for posture in GitHub, it says: "...the configuration and state information that is collected from a target endpoint in the form of endpoint attributes (e.g. software/hardware inventory, configuration settings, dynamically assigned addresses). This information may constitute one or more posture attributes.". It seems like what SWIMA collects is posture to me?

  *   Do the authors (or does anyone) have any notion of what a repository would look like?
[danny] No, it's to be defined at a later time :). For now, I think we have to let implementers define their own repository and interfaces to the repository. After we get these major components standardized, we can try and tackle that problem.

  *   I would like to see some expository text helping a reader understand how various collectors (not just a SWIMA collector) could be created and deployed potentially from multiple parties on a single endpoint.
[danny] The IF-IMC/IF-IMV interfaces provide this functionality. If all PCs/PVs and all PCMs/PCEs implement these interfaces they should be able to deploy PCs/PVs from multiple parties on a single endpoint.

  *   Do the authors anticipate the administrative interface/API to be fully specified elsewhere? I think the same goes for the repository. And the evaluator at at least one point in the draft.
[danny] Yes, IF-IMC/IF-IMV are TCG specifications and we are proposing that we just reference them directly rather than trying to submit them to SACM. At some point, we will need interfaces/APIs for the repository and evaluator, but, those are both things we need to tackle later on.

  *   I'm not sure what SACM SWAM means in the title of 7.1.6
[danny]  SWAM is supposed to be "Software Asset Management". ACTION: Just expand SWAM in the document since it is only used in two places.

  *   There's a lot of talk about policy content, but no real details - is the expectation that these will be handled in separate drafts?
[danny] Yes, as of right now, policy is not defined anywhere. It is something that can be defined in separate drafts at a later time.
If entering these into Trac or GitHub as issues makes more sense, let me know.

[danny] Let's keep going on the list and see what concrete actions come out of this thread. If we have a bunch, we can go ahead and add them. For now, I just want to keep the discussion in one place (easier for management - I think :)).

I think the ECP draft is less about compliance and more about collection, and it's specifically about agent-based (or in-built) collection capabilities based on NEA and extensions thereto - in other words, ECP begins to specify a collection infrastructure for agent-based collection (sorry if I'm slow). In this way, the draft adds value to SACM, and leaves room for alternative approaches that may not be agent-based. If a tight scope statement could be created along these lines, I think that would go a long way toward clarifying the draft.

[danny] Do you want to take a pass at that statement :)? Also, where are you thinking it would go? In the introduction?

Thoughts?

Kind regards,

Adam



[1] https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/
[2] https://datatracker.ietf.org/doc/draft-mandm-sacm-architecture/
[3] https://datatracker.ietf.org/doc/draft-ietf-sacm-terminology/

v2.23.0 | Report a Bug | By Email