One document matched: draft-moskowitz-firstmile-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY I-D.ietf-netconf-yang-push
SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-yang-push.xml">
<!ENTITY I-D.ietf-netconf-yang-library
SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-netconf-yang-library.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<rfc category="std" docName="draft-moskowitz-firstmile-00.txt" ipr="trust200902">
<front>
<title abbrev="first MILE">Security alerts over the first MILE</title>
<author fullname="Robert Moskowitz" initials="R." surname="Moskowitz" >
<organization>HTT Consulting</organization>
<address>
<postal>
<street> </street>
<city>Oak Park</city>
<region>MI</region>
<code>48237</code>
</postal>
<email>rgm@labs.htt-consult.com</email>
</address>
</author>
<author fullname="Susan Hares" initials="S." surname="Hares">
<organization>Huawei</organization>
<address>
<postal>
<street>7453 Hickory Hill</street>
<city>Saline</city>
<region>MI</region>
<code>48176</code>
<country>USA</country>
</postal>
<email>shares@ndzh.com</email>
</address>
</author>
<author fullname="Liang Xia" initials="L." surname="Xia">
<organization>Huawei</organization>
<address>
<postal>
<street>No. 101, Software Avenue, Yuhuatai District</street>
<city>Nanjing</city>
<country>China</country>
</postal>
<email>Frank.xialiang@huawei.com</email>
</address>
</author>
<date year="2016" />
<area>Security Area</area>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
This document describes a pub/sub styled protocol to send security
alerts to a security monitor that can feed into MILE and other
management platforms. It uses data structures from NETCONF, MILE,
and IPFIX to manage the reporting and report security alerts.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
This document proposes a set of protocols to automate the reporting
of security alerts to the various monitoring systems. The intent
is primarily to automate the input of security events to the MILE
environment (RID <xref target="RFC6545" /> and IODEF <xref
target="I-D.ietf-mile-rfc5070-bis" />). Any authorized
monitoring system can subscribe to any of the security alerts
reports.
</t>
<t>
An Internet security defense device first registers with a security
alert monitoring system. At this point the content and protocol
used has not been identified. Since such a registration is normally
at 'quiet time', the registration does not occur during a network
congested time and can use some HTTPS-based service. At this time
both systems exchange their X.509 identifiers to be used for the
sub/pub security and identification.
</t>
<t>
Once a defense device is registered, the monitoring system can
subscribe to it for those alerts in needs to receive. The
subscription protocol should use NETCONF <xref target="RFC6536" />
with the publication/subscription push service <xref
target="I-D.ietf-netconf-yang-push"></xref>. If the system needs a
"pull" service, the NETCONF and I2RS subscription service could be
expanded to support a pull service.
</t>
<t>
Any secure NETCONF transport that this pub/sub service support can
be used.
</t>
<t>
The defense device publishes security alerts to subscribed monitors
using IODEF or IPFIX <xref target="RFC7011" /> data structures.
The protocol(s) for these reports are discussed within this
document.
</t>
</section>
<section anchor="terms" title="Terms and Definitions">
<section title="Requirements Terminology">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section>
</section>
<section anchor="prob-space" title="Problem Space">
<t>
At the time of developing this document, there is no IETF defined
set of standardized security alert messages and protocols.
Administrators of systems which provide MILE service currently use
"cut-and-past" where they cut selected messages from proprietary
monitoring systems and past these messages into their MILE
environment. The intent here is to standardize and automate this
process. It is recognized that many of these alerts are too
detailed to be actionable. Some implementations of the alert
monitor will include analytic tools to select the actionable
information from the alerts. Alerts which are too detailed to be
actionable or alerts which include analytical tools are outside of
any standardizing process.
</t>
<t>
Many of the needed alerts are scattered throughout the various
standards like IPFIX and IODEF, but are not collected together as
recognized security alerts that should be aggregated into a
reporting framework.
</t>
</section>
<section anchor="firstMILE" title="The first mile of security alerts">
<t>
There are three components to the first MILE process
<list style="symbols">
<t>Register</t>
<t>Subscribe</t>
<t>Publish</t>
</list>
</t>
<section title="Register">
<t>
An Internet security defense device first registers with a security
alert monitoring system. This is typically done at the time the
device is installed, but may occur later as the device is
registered to more monitoring systems. There is no theoretical
limit on the number of monitors a device is registered to. The
limit within a system are practical limits based on internal limits
within the device.
</t>
<t>
Most monitors will be commercial and the registration will be based
on existing business relationships. One such example is the ISP's
security monitor. It is possible that a CERT may accept direct
registration without a business relationship. However this may
require more study to ensure that this will not introduce potential
attacks of false reporting to CERTs.
</t>
<t>
The actual content of the registration has not been determined.
Minimally it needs to include
<list style="symbols">
<t>Identifiers (e.g. X.509 certificates)</t>
<t>Reports available from device (i.e. what to subscribe to)</t>
<t>Subscription protocols(s)</t>
<t>Publication protocols(s)</t>
</list>
A device can alter any of its registered information at any time as
well as cancel a registration.
</t>
</section>
<section title="Subscribe">
<t>
Once a defense device is registered, the monitoring system can
subscribe to it for those alerts in needs to receive. This is
typically done via NETCONF, but is controlled by what the device
registered as supported subscript protocols.
</t>
<t>
A monitor can subscribe or unsubscribe for reports at any time.
With the first subscription, a secure communication transport will
be enabled from the device to the monitor. See <xref
target="Publish" /> for more on the this secure transport.
</t>
</section>
<section anchor="Publish" title="Publish">
<t>
The defense device publishes security alerts to subscribed
monitors. The reports will be sent over the subscribed protocol
using the subscribed data model, either IODEF or IPFIX.
</t>
<t>
Since these alerts may be reported during an attack that degrades
communications, many of the DOTS requirements <xref
target="I-D.ietf-dots-requirements" /> apply here. One that
doesn't is the bi-directional requirement. Even so, the same
security and transport design used for DOTS should be used here.
</t>
<t>
</t>
</section>
</section>
<section title="first MILE data model">
<t>
The data model will support the constraints of the NETCONF
publication/subscription model <xref
target="I-D.ietf-netconf-yang-push"></xref>, and the NETCONF module
library function <xref
target="I-D.ietf-netconf-yang-library"></xref> which indicates
pub/sub support within a model. If the MILE service which to
utilize non-persistent (aka ephemeral) data that disappears on
reboot, the netconf publication/subscription model will support
non-persistent configuration.
</t>
<t> Work on the data model is an open item.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
No IANA considerations exist for this document at this time.
</t>
</section>
<section title="Security Considerations">
<t>
An attacker that can disable first MILE may be able to attack a
device at will as those monitoring it expect these attacks to show
up on their monitor. As such each part of the firstMILE system will
need the complete security services that are defined or referenced
here.
</t>
</section>
<section title="Contributors">
<t>
TBD
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119.xml"?>
&I-D.ietf-netconf-yang-push;
&I-D.ietf-netconf-yang-library;
</references>
<references title="Informative References">
<?rfc include="reference.RFC.6536.xml"?>
<?rfc include="reference.RFC.6545.xml"?>
<?rfc include="reference.RFC.7011.xml"?>
<?rfc include="reference.I-D.ietf-mile-rfc5070-bis.xml"?>
<?rfc include="reference.I-D.ietf-dots-requirements.xml"?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 08:30:22 |