Security Automation and Continuous Monitoring (Active WG)
Sec Area: Eric Rescorla, Kathleen Moriarty | 2013-Jul-12 —  

IETF-99 sacm minutes

Session 2017-07-20 0930-1200: Karlin I/II


minutes-99-sacm-00 minutes

          Security Automation and Continuous Monitoring Minutes
          IETF 99
          Thursday, July 20, 2017
          Morning Session I: 09:30-12:00
          1. WG status
          presenters: chairs, Adam Montville and Karen O'Donoghue
          The chairs summarized the WG status.
          2. Agenda bashing
          Based on discussion, the agenda was rearranged as follows.
          1. WG status – chairs – 5m
          2. Hackathon results – David Waltermire 15m
          3. Hackathon results - Henk Birkholz 15m
          4. Charter Discussion / Way Forward - Chairs/AD - remaining time
             a. Information Model
             b. Architecture
             c. Existing WG drafts
             d. Existing individual drafts
             e. Charter
             f. Milestones
          5. Existing Work Disposition/Open Issues (total: 40m)
             a. SWIMA – Charles Schmidt 15m
             b. Terminology – Henk Birkholz 15m
             c. CoSWID - Henk Birkholz 10m
          6. ROLIE Software Descriptor Extension - Stephen Banghart - 20m
          7. ROLIE Checklist Extension - Bill Munyan - 5m
          8. TNC 2.0 Update - Charles Schmidt 15m
          2. Hackathon results
          presenter: David Waltermire
          Waltermire presented a POC of the Vulnerability Assessment scenario built
          during the Hackathon.  The POC incorporated a variety of existing work
          in SACM (OVAL, SWIMA, SWID), MILE (ROLIE) and others; using open source
          (Ubuntu, strongTNC) and commercial products (Center for Internet Security
          Use case
          ** A vendor will release a vulnerability bulletin
          ** An end user of that product needs to inventory their network to
          identify which systems in their enterprise have that vulnerability
          Lessons learned:
          ** Turning vulnerability detection data (a vulnerability bulletin)
          into an OVAL definition is difficult.
          ** Difficult to query for the software of interest in the collector
          service -- need a query API against the data store
          ** Need a better way to query an enterprise data store for SWIDs --
          will propose a new work item to the charter
          ** SWIDs have file hash information to determine if a file on an endpoint
          has been modified but challenges remain in understanding if patches have
          been correctly installed
          Q: (Roman Danyliw): Can you clarify the (3) lesson learned?
          A: (David Waltermire): We can only say coarsely if software is
          installed. To know for sure, we would have to examine the file system. For
          example, we demonstrated using the package database to know the software
          inventory of an endpoint, however, there is no way to verify if there
          is a delta between that and what is installed on the file system.
          Q: (Frank Xia Lang): If your demo included work from a variety of
          WGs, do you feel that there is sufficient differentiation across WG groups?
          A: (David Waltermire): There are likely more gaps than overlaps from
          this experience.  Various closed and proprietary interfaces needed
          to be used, which means there are more opportunities for standardization.
          There were not a lot of choices for what to use.
          Q: (Shiwetha Bihangdari): Cisco would be interested in getting the file
          hash information (per lesson #3)
          A: (David Waltermire): We'd like to work on this at the IETF 100 Hackathon
          and invite you to help.
          Comment: (Henk Birkholz): There is significant related work outside the
          IETF and software inventory is just one type of data.
          3. Hackathon results 2
          presenter: Henk Birkholz
          slides: (used but not uploaded)
          Explored using a YANG-based approach to demonstrate architecture
          requirements (G-007, 009, 011, 012, 013, 015).  Open source tools were
          used for this implementation (XMPP-Grid server and client; Apache Kafka,
          YANG pub-sub client in Python).  A variety of current YANG models were
          used in this demonstration.
          Comment: (Stephen Banghart): It was very interesting to see the
          application of YANG in SACM.
          4. Charter Discussion / Way Forward - Chairs/AD - remaining time
          presenters: chairs, Adam Montville and Karen O'Donoghue
          slides: starting at slide 7 of
          The WG discussed areas in which to update the charter -- Collection,
          Evaluation and Messaging.  Birkholz, Banghart and Cam-Winget proposed
          scope. This discussion item came about when the WG got together to
          figure out which items to work on next based on lessons learned from the
          hackathon. Given the level of interest in these three items, the WG can
          likely handle these items in parallel.
          Collection, slide 8, Henk Birkholz
          Comment (Henk): We need to know how to collect data and which different
          data models to support.
          Q: (Danny Haynes): Just to clarify, this is more general than just YANG?
          A: (Henk Birkholz): Yes.
          Q: (David Waltermire): We have two methods of collection, SWIMA and YANG.
          Should we look at how to orchestrate across collection methods?  Is that
          consistent with your thinking?
          A: (Henk Birkholz): It is. We need a lightweight orchestration mechanism
          across collection mechanisms.
          Comment (Adam Montville): We have many things like WMI, NETCONF,
          OVAL, etc.
          A: (David Waltermire): We have different ways to collect from a variety
          of devices.
          Evaluation, slide 9, Stephen Banghart
          Comment: (Stephen Banghart): Evaluation was identified as a standards gap
          from the hackathon.  A language that describes a query/set of software
          like this software is greater than this or this.
          Comment: (Shiwetha Bihangdari) Would that also provide known good values?
          Comment: (Henk Birkholz): Yes. We have things like CoSWID to represent
          good measurements. These would be vendor supplied.
          Comment: (David Waltermire): NIST runs the NVD which maps a vulnerability
          to a product.  This mapping requires more complicated mapping expressions
          that Banghart is describing. See if product 1.2 and operating system is
          on the device. We need to describe statements like this and represent
          VDD. It is also important to note that this solution will be agnostic
          to the mechanism that collected the data.
          Comment: (Dan Romascanu): Given how the language is written, I have
          concerns about it approaching a formal language specification and the
          complexity involved in doing so.  Will it be extensible enough for each
          range of collected attributes? Will you be very specific about what will
          be included? We don't want it to get too complicated.
          Comment: (Frank Xia Lang): From this language, what standards work will
          result for interoperability?  What scope do you want to cover with this
          language? Is it the current SACM work or maybe something beyond that?
          Comment: (Stephen Banghart): We'd like to see something like OVAL
          produced since it already does this type of evaluation.  It should work
          for SACM first.  If it extends to other WG, all the better.
          Comment: (Henk Birkholz): This can get very complicated. There is some
          similarity to the I2NSF capability model draft for the capability information
          model. They introduced the ECA model that a rule can be cascaded. John
          Strassner is a good expert for this and we should talk to him first and
          not try to reinvent the wheel.
          Comment (Stephen Banghart): I would like to see how this fills the
          hackathon gap.
          Comment (Henk Birkholz): Maybe we should have a virtual interim meeting
          that includes John.
          Comment: (Dan Romascanu): It would be good to have a session with him. We
          need to separate between what describes the interface and how to do it.
          Comment (Stephen Banghart): Are you recommending that we have multiple
          standardization efforts and then pick one?
          Comment (Dan Romascanu): No. We should start with the externally exposed
          layer and then go below.
          Comment: (Sheila Franklin): Creating a new language and interpreter is
          significant effort.  Perhaps starting with prior work would help.
          Comment: (Stephen Banghart): We could start with OVAL.  Perhaps the
          text should read that candidate solutions need to be found, new or
          otherwise. Make it clear that we will look at something.
          Comment: (Karen O'Donoghue): Let's not edit the text and be clear that
          a solution needs to be found (not made from scratch).
          Comment: (Kathleen Moriarty): You would have to really prove that
          something new is required.  We have YANG, OVAL, etc. Something new is
          not something that I would like to see happen.
          Messaging, slide 10, Nancy Cam-Winget
          Comment (Nancy Cam-Winget): Messaging involves control plane capabilities,
          discovery, and orchestration. I think we have done sufficient work in this
          area, but, we need to figure out how we discover rules for evaluation,
          etc. All this work needs to be orchestrated and we need to deal with
          the timeliness of publish, subscribe, and query. From the data plane,
          we need to figure out a unified transfer mechanism to query in addition
          to publish and subscribe. We have a draft that discusses how XMPP applies
          to MILE and we can do something similar for SACM.
          Comment: (Shiwetha Bihangdari): Is this going to be in the charter
          text? Would this text preclude non-XMPP protocols?
          Comment: (Nancy Cam-Winget): Not necessarily. If we use XMPP, we can
          include other protocols and data models in there.
          Comment (???): If I wanted to use existing technology would that be ok?
          Comment (Nancy Cam-Winget): Yes. In the hackathon, we just tried to show
          the push and pull model.
          Comment: (Kaarthik Sivakumar): Do you just want to integrate this? Is
          this defining transport or format?
          Comment: (Nancy Cam-Winget): This text is trying to demonstrate how XMPP
          could meet the SACM goals.
          Comment: (Frank): You mentioned XMPP-Grid. Data and control plane
          were mentioned.  The data plane appears to already be mentioned in
          the collection.
          Comment: (Nancy Cam-Winget): I am not suggesting a single protocol. We
          could have several.
          Comment (???): In the SACM work, I am still not clear what we can achieve.
          Comment (Nancy Cam-Winget): Not quite true. As part of the hackathon
          exercise, we showed how you can use network infrastructure. Henk provided
          a draft. We tried to show the applicability of XMPP and YANG.
          Comment (Nancy Cam-Winget):... XMPP could assist in orchestration
          Comment: (Henk Birkholz): Data/control planes are not competitive.
          They are chained.
          Comment: (David Waltermire): For example, XMPP could be used to send
          something to a ROLIE server which could then be made available for
          Q: (Jessica Fitzgerald-McKay): Would part of the messaging effort include
          defining a data model for messaging?
          A: (Nancy Cam-Winget): Yes. That would be for messaging people. We need
          to show how data models fit requirements.
          Comment: (Henk Birkholz): The new draft contains an experimental, very
          early data model, but, is a possible answer to your question.
          (Karen O'Donoghue): Based on this input, we'll revise the charter on
          the list.
          Comment: (Shiwetha Bihangdari): I don't see any charter text that points
          to how to collect known good values.
          (Karen O'Donoghue): I would like to see us have a narrow scope then move
          forward with next steps.
          5a. SWIMA
          presenter: Charles Schmidt
          draft: draft-ietf-sacm-nea-swima-patnc-00
          Schmidt presented an update to changes made in the SWIMA draft based on
          document review and implementer feedback. Major changes included updating
          the title to be correct as well as a few optimizations to the protocol
          including record location, behavior when reporting an unavailable record,
          order of attribute fields and lengths, and software identifier algorithm
          for SWID tags. The update also included minor editorial changes. No
          comments or feedback were received on the list.
          Comment: (Stephen Banghart): We used this draft during the Hackathon
          and did not find any issues.
          Q: (David Waltermire): Will this be moved to WG last call?
          Q: (Karen O'Donoghue) How many have read this draft? A couple of people,
          in the room, raised their hands. Jess mentioned on Jabber that she read
          the document.
          Q: (Karen O'Donoghue) Does anyone not think we should move it to WGLC?
          [no one]
          5.b. Terminology
          presenter: Henk Birkholz
          draft: draft-ietf-sacm-terminology-13
          Birkholz presented an update to changes made in the terminology draft.
          Slide 2
          Comment: (Kathleen Moriarty): TEEP is not yet a working group.
          Recommend not gating SACM work on them.
          Comment: (Henk Birkholz): Agreed.
          Comment: (Kathleen Moriarty): A terminology draft is abnormal and would
          be better received by the IESG in another draft. Is there another document
          that this could be fit into? It could be an appendix or a terminology
          Comment: (Henk Birkholz): The old architecture would probably be the best
          place for this. We may end up creating a 100+ page document as well as
          include terms that exceed the document.
          Comment: (Kathleen Moriarty): No one reads the terminology document. You
          just reference it. It doesn't matter where it sits. I don't think it
          matters if the terminology is informational.
          Comment: (Stephen Banghart): I'd recommend moving this text into the
          architecture draft.
          Comment: (Kathleen Moriarty): I'd recommend waiting to publish the
          architecture until later so the terminology doesn't need to be updated.
          5.c. CoSWID
          presenter: Henk Birkholz
          draft: draft-ietf-sacm-coswid-02
          Birkholz presented an update to changes made in the CoSWID draft. There
          was one issue mentioned that highlighted a discrepancy between the ISO
          specification and the XSD.
          Comment: (Karen O'Donoghue): Regarding the discrepancy, chairs determine
          consensus. You need to post a question and get feedback. Then we will
          construct a question for consensus. Have people read this draft?
          A: (Henk Birkholz): Lots of people from ISO and the U.S. Government have
          read it.
          Comment (Karen O'Donoghue): We will get more feedback from the list.
          6. ROLIE Software Descriptor Extension
          presenter: Stephen Banghart
          draft: draft-banghart-sacm-rolie-softwaredescriptor-01
          Banghart presented a brief overview of ROLIE as well as an update to
          changes made in the ROLIE Software Descriptor Extension draft which is
          being developed in MILE.
          7. ROLIE Checklist Extension
          presenter: Bill Munyan
          drafts: draft-mandm-sacm-rolie-configuration-checklist-00
          Munyan presented an overview of the draft as well as next steps.
          Q: (Karen O'Donoghue): Would it be possible to have a new version of
          the draft before the next virtual interim meeting?
          A: (Bill Munyan): Yes.
          Comment: (Stephen Banghart): We could use this update for the IETF 100
          Hackathon. We were also thinking of creating a template for creating
          ROLIE extensions.
          Comment: (David Waltermire): We'd be interested in getting your help
          making a template.
          8. TNC 2.0 Update
          presenter: Charles Schmidt
          Schmidt provided an update on the Trusted Network Communication
          Architecture v2.0 that will be published imminently. The key thing
          to note about the TNC 2.0 update is that it emphasizes that TNC is
          composable and you can pick and choose the components that you need. It
          also clarifies how it aligns with SACM. Specifically, TNC can be used to
          continuously assess an endpoint rather than just as a comply-to-connect
          9. Closing and Way Forward
          presenters: chairs, Adam Montville and Karen O'Donoghue
          The chairs noted:
          ** A successful Hackathon to include the regular planning meeting
          ** Need more discussion on the mailing list to discuss the charter and
          work items
          ** One or two virtual interim meetings will be held before IETF 100
          Comment: (Kathleen Moriarty): Please get the charter updated soon.
          The IESG has noted that the WG is past its expiration.
          Comment: (Adam Montville): How soon is soon?
          Comment: (Kathleen Moriarty): By mid-September would be best. You may
          also want to remove milestone dates from the charter. WGs do not typically
          do this.
          Q: (Karen O'Donoghue): Would you prefer to see the charter narrowed to
          3-5 documents?
          A: (Kathleen Moriarty): We should tie that to the WG.
          Comment: (Adam Montville): We can rely on the work item people to refine
          their text and work on the list over the next couple of weeks.
          Comment: (Karen O'Donoghue): Yes, updating elements of the charter can
          happen sooner.
          Comment: (Adam Montville): Thank you everyone for your work at the
          Comment: (Kathleen Moriarty): Yes, this is a very positive thing for
          the WG.
