Re: [sacm] Reply: new drafts about network infrastructure device's security baseline:

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 13 September 2017 00:55 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 12 Sep 2017 20:55:30 -0400
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>, "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
To: Jerome Athias <jerome.athias@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/xw1kVBTHNBinBjXsJ1Ib5Qc2CDw>
Subject: Re: [sacm] Reply: new drafts about network infrastructure device's security baseline:

The problem with OVAL is that this is specific to network devices and we'd be asking vendors to implement something else.  They've made an investment in YANG, so we can get traction and support.  OVAL would be great for platforms where there is already support.

Best,
Kathleen 

Sent from my iPhone

> On Sep 12, 2017, at 3:08 AM, Jerome Athias <jerome.athias@protonmail.com> wrote:
> 
> OVAL
> 
> 
>> On Mon, Sep 11, 2017 at 6:35 PM, Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:
>> Hi Frank,
>> 
>> It is not clear to me why we couldn’t reference the work and attributes already being worked on in NETMOD and perhaps i2nsf?  While I agree that SACM includes network elements as endpoints, I think we can leverage work already being defined by other working groups.
>> 
>> Warm regards, Nancy
>> 
>> From: sacm <sacm-bounces@ietf.org> on behalf of "Xialiang (Frank)" <frank.xialiang@huawei.com>
>> Date: Thursday, September 7, 2017 at 7:39 PM
>> To: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Panos Kampanakis <pkampana@cisco.com>, "sacm@ietf.org" <sacm@ietf.org>
>> Cc: "Linqiushi (Jessica, SCC)" <linqiushi@huawei.com>, "Zhengguangying (Walker)" <zhengguangying@huawei.com>, "dongyue (D)" <dongyue6@huawei.com>
>> Subject: [sacm] Reply: new drafts about network infrastructure device's security baseline:
>> 
>> Hi Dave and Panos,
>> 
>> I think Dave gives a very clear and detailed clarification about the definition of endpoints in SACM and the latest SACM plan, thanks.
>> 
>> I will follow the SACM information model and the latest decision to update these drafts.
>> 
>> Any comments are welcome!
>> 
>> B.R.
>> 
>> Frank
>> 
>> From: Waltermire, David A. (Fed) [mailto:david.waltermire@nist.gov] 
>> Sent: September 8, 2017 3:01
>> To: Panos Kampanakis (pkampana); Xialiang (Frank); sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC); Zhengguangying (Walker); dongyue (D)
>> Subject: RE: new drafts about network infrastructure device's security baseline:
>> 
>> Panos,
>> 
>> At the last IETF meeting we started discussing a charter update. I believe we are currently waiting on the chairs to start this discussion on the list. This will give the working group an opportunity to clarify this issue in the charter.
>> 
>> As far as endpoints, the definition that has been used for endpoints in the SACM charter is the one from RFC 5209, which is "Any computing device that can be connected to a network. Such devices normally are associated with a particular link layer address before joining the network and potentially an IP address once on the network.  This includes: laptops, desktops, servers, cell phones, or any device that may have an IP address."
>> 
>> As most network devices are connected to networks, and often expose a management interface that is IP addressable, I’d say they qualify as endpoints. This view is also reflected in the SACM terminology, which states "To further clarify the [RFC5209] definition, an endpoint is any physical or virtual device that may have a network address.  Note that, network infrastructure devices (e.g. switches, routers, firewalls), which fit the definition, are also considered to be endpoints within this document."
>> 
>> This text squares with my original view of endpoints way back when we were working on the original SACM charter.
>> 
>> Regards,
>> Dave
>> 
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Panos Kampanakis (pkampana)
>> Sent: Thursday, September 07, 2017 2:11 PM
>> To: Xialiang (Frank) <frank.xialiang@huawei.com>; sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
>> Subject: Re: [sacm] new drafts about network infrastructure device's security baseline:
>> 
>> When checking the SACM charter, I do not see any references to network infrastructure or network elements. I believe SACM’s initial focus was on endpoints. Do these three drafts even fall in SACM’s charter as it is right now?
>> 
>> Panos
>> 
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Xialiang (Frank)
>> Sent: Thursday, September 07, 2017 4:05 AM
>> To: sacm@ietf.org
>> Cc: Linqiushi (Jessica, SCC) <linqiushi@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; dongyue (D) <dongyue6@huawei.com>
>> Subject: [sacm] new drafts about network infrastructure device's security baseline:
>> 
>> Hi all,
>> 
>> We just submitted 3 drafts to specify the YANG data model of network infrastructure devices (i.e., router, switch, firewall, etc) security posture, or call it security baseline. Each draft covers one of the three planes of network infrastructure devices: data plane, control plane, management plane.
>> 
>> https://tools.ietf.org/html/draft-xia-sacm-nid-dp-security-baseline-00
>> 
>> https://tools.ietf.org/html/draft-dong-sacm-nid-cp-security-baseline-00
>> 
>> https://tools.ietf.org/html/draft-lin-sacm-nid-mp-security-baseline-00
>> 
>> The goal is to facilitate the collection and assessment of the overall security posture of the network infrastructure devices, in order to realize the whole lifecycle security automation for the infrastructure network.
>> 
>> Your comments are warmly welcome!
>> 
>> B.R.
>> 
>> Frank
>> 