The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-14

This is an older version of an Internet-Draft that was ultimately published as RFC 7970; the information below describes that older version.

   Document type:         Internet-Draft (IETF stream)
   Authors:               Roman Danyliw, Paul Stoecker
   Last updated:          2015-07-20
   Additional resources:  Mailing list discussion
   WG state:              WG Document
   Document shepherd:     (None)
   IESG state:            Became RFC 7970 (Proposed Standard)
   Consensus boilerplate: Unknown
   Telechat date:         (None)
   Responsible AD:        (None)
   Send notices to:       (None)
draft-ietf-mile-rfc5070-bis-14
Danyliw & Stoecker               Expires January 21, 2016
Internet-Draft                        IODEFv2                        July 2015

   </xs:simpleType>
   <xs:element name="ObservableReference">
     <xs:complexType>
       <xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="IndicatorReference">
     <xs:complexType>
       <xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
       <xs:attribute name="euid-ref" type="xs:string" use="optional"/>
       <xs:attribute name="version" type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <!--
   ==================================================================
   == Miscellaneous simple classes                                 ==
   ==================================================================
   -->
   <xs:element name="Description" type="iodef:MLStringType"/>
   <xs:element name="URL" type="xs:anyURI"/>
   <!--
   ==================================================================
   == IODEF Basic Data Types                                       ==
   ==================================================================
   -->
   <xs:simpleType name="PositiveFloatType">
     <xs:restriction base="xs:float">
       <xs:minExclusive value="0"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:complexType name="MLStringType">
     <xs:simpleContent>
       <xs:extension base="xs:string">
         <xs:attribute name="translation-id" type="xs:string" use="optional"/>
         <xs:attribute ref="xml:lang"/>
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
   <xs:simpleType name="PortlistType">
     <xs:restriction base="xs:string">
       <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:complexType name="ExtensionType" mixed="true">
     <xs:sequence>
       <xs:any namespace="##any" processContents="lax"
               minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
     <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/>
     <xs:attribute name="meaning" type="xs:string"/>
     <xs:attribute name="formatid" type="xs:string"/>
     <xs:attribute name="restriction" type="iodef:restriction-type"/>
     <xs:attribute name="ext-restriction" type="xs:string" use="optional"/>
   </xs:complexType>
   <xs:complexType name="ApplicationHeaderType" mixed="true">
     <xs:sequence>
       <xs:any namespace="##any" processContents="lax"
               minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
     <xs:attribute name="proto" type="xs:integer" use="optional"/>
     <xs:attribute name="proto-name" type="xs:integer" use="optional"/>
     <xs:attribute name="field" type="xs:string" use="required"/>
     <xs:attribute name="dtype" type="iodef:proto-dtype-type" use="required"/>
     <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
   </xs:complexType>
   <!--
   ==================================================================
   == Global attribute type declarations                           ==
   ==================================================================
   -->
   <xs:simpleType name="yes-no-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="yes"/>
       <xs:enumeration value="no"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="yes-no-unknown-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="yes"/>
       <xs:enumeration value="no"/>
       <xs:enumeration value="unknown"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="restriction-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="default"/>
       <xs:enumeration value="public"/>
       <xs:enumeration value="partner"/>
       <xs:enumeration value="need-to-know"/>
       <xs:enumeration value="private"/>
       <xs:enumeration value="white"/>
       <xs:enumeration value="green"/>
       <xs:enumeration value="amber"/>
       <xs:enumeration value="red"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="severity-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="low"/>
       <xs:enumeration value="medium"/>
       <xs:enumeration value="high"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="duration-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="second"/>
       <xs:enumeration value="minute"/>
       <xs:enumeration value="hour"/>
       <xs:enumeration value="day"/>
       <xs:enumeration value="month"/>
       <xs:enumeration value="quarter"/>
       <xs:enumeration value="year"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="action-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="nothing"/>
       <xs:enumeration value="contact-source-site"/>
       <xs:enumeration value="contact-target-site"/>
       <xs:enumeration value="contact-sender"/>
       <xs:enumeration value="investigate"/>
       <xs:enumeration value="block-host"/>
       <xs:enumeration value="block-network"/>
       <xs:enumeration value="block-port"/>
       <xs:enumeration value="rate-limit-host"/>
       <xs:enumeration value="rate-limit-network"/>
       <xs:enumeration value="rate-limit-port"/>
       <xs:enumeration value="redirect-traffic"/>
       <xs:enumeration value="honeypot"/>
       <xs:enumeration value="upgrade-software"/>
       <xs:enumeration value="rebuild-asset"/>
       <xs:enumeration value="harden-asset"/>
       <xs:enumeration value="remediate-other"/>
       <xs:enumeration value="status-triage"/>
       <xs:enumeration value="status-new-info"/>
       <xs:enumeration value="watch-and-report"/>
       <xs:enumeration value="defined-coa"/>
       <xs:enumeration value="other"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="dtype-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="boolean"/>
       <xs:enumeration value="byte"/>
       <xs:enumeration value="bytes"/>
       <xs:enumeration value="character"/>
       <xs:enumeration value="date-time"/>
       <xs:enumeration value="integer"/>
       <xs:enumeration value="ntpstamp"/>
       <xs:enumeration value="portlist"/>
       <xs:enumeration value="real"/>
       <xs:enumeration value="string"/>
       <xs:enumeration value="file"/>
       <xs:enumeration value="path"/>
       <xs:enumeration value="frame"/>
       <xs:enumeration value="packet"/>
       <xs:enumeration value="ipv4-packet"/>
       <xs:enumeration value="ipv6-packet"/>
       <xs:enumeration value="url"/>
       <xs:enumeration value="csv"/>
       <xs:enumeration value="winreg"/>
       <xs:enumeration value="xml"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="proto-dtype-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="boolean"/>
       <xs:enumeration value="byte"/>
       <xs:enumeration value="bytes"/>
       <xs:enumeration value="character"/>
       <xs:enumeration value="date-time"/>
       <xs:enumeration value="integer"/>
       <xs:enumeration value="real"/>
       <xs:enumeration value="string"/>
       <xs:enumeration value="xml"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   </xs:schema>

9.  Security Considerations

   The IODEF data model itself does not directly introduce security issues. Rather, it simply defines a representation for incident information. As the data encoded by the IODEF might be considered privacy sensitive by the parties exchanging the information or by those described by it, care needs to be taken in ensuring the appropriate disclosure during both document exchange and subsequent processing. The former must be handled by a messaging format, but the latter risk must be addressed by the systems that process, store, and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly or through an extension. The IODEF parser should handle this content with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action, or an IODEF parser may independently have logic to take certain actions based on information that it finds. For this reason, care must be taken by the parser to properly authenticate the recipient of the document and ascribe an appropriate confidence to the data prior to action.

   The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   In order to suggest data processing and handling guidelines for the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it. The issue of enforcement is not a technical problem.

10.  IANA Considerations

   This document registers a namespace, XML schema, and a number of registries that map to enumerated values defined in the schema.

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: None. Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

10.2.
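The following Python routine is an added example of a receiver applying the guidance of Section 9 above; it is not code from this draft or from any IODEF implementation. It refuses DOCTYPE declarations before parsing, records each requested Expectation action together with the restriction it inherits instead of acting on it, and sets opaque AdditionalData payloads (the file, packet and registry dtype values of Section 8) aside rather than handing them to an interpreter. The sample document, the helper names and the restriction inheritance rule (nearest explicit ancestor value, falling back to "private") are assumptions.

```python
# Added example (not from the draft): defensive handling of an IODEFv2 document
# per Section 9. The sample document and helper names are constructed; the
# restriction inheritance rule in effective_restriction() is an assumption.
import xml.etree.ElementTree as ET

# iodef:action-type values that change network state: never fire automatically.
ACTIVE_ACTIONS = {"block-host", "block-network", "block-port", "rate-limit-host",
                  "rate-limit-network", "rate-limit-port", "redirect-traffic"}
# dtype-type values carrying files, packets or registry data: store, never execute.
OPAQUE_DTYPES = {"file", "winreg", "xml", "frame", "packet", "ipv4-packet", "ipv6-packet"}

SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="mitigation" restriction="amber">
    <IncidentID name="csirt.example.test">CONSTRUCTED-0001</IncidentID>
    <EventData>
      <Expectation action="block-host" restriction="private"/>
      <Expectation action="investigate"/>
      <AdditionalData dtype="winreg" meaning="registry export">...</AdditionalData>
    </EventData>
  </Incident>
</IODEF-Document>
"""

def parse_iodef(data: bytes) -> ET.Element:
    """Refuse any DOCTYPE before parsing: IODEF needs no DTD, and entity
    declarations are the usual vehicle for entity-expansion attacks."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE is not permitted in an IODEF document")
    return ET.fromstring(data)

def effective_restriction(path):
    """Nearest explicit restriction on the element or its ancestors. Assumption:
    'default' is transparent and the document-wide fallback is 'private'."""
    for el in reversed(path):
        value = el.get("restriction", "default")
        if value != "default":
            return value
    return "private"

def triage(data: bytes, sender_authenticated: bool) -> dict:
    """Collect requested actions and opaque payloads without acting on them.
    'auto' is True only for a non-active action from an authenticated sender."""
    root = parse_iodef(data)
    findings = {"actions": [], "opaque_payloads": []}
    def walk(el, ancestors):
        path = ancestors + [el]
        tag = el.tag.split("}")[-1]          # strip the IODEF namespace prefix
        if tag == "Expectation":
            action = el.get("action", "nothing")
            findings["actions"].append({"action": action, "restriction": effective_restriction(path),
                                        "auto": sender_authenticated and action not in ACTIVE_ACTIONS})
        elif tag == "AdditionalData" and el.get("dtype") in OPAQUE_DTYPES:
            findings["opaque_payloads"].append(el.get("dtype"))
        for child in el:
            walk(child, path)

    walk(root, [])
    return findings
```

Everything with "auto" set to False, and every opaque payload, is handed to a human reviewer; the sender's restriction value travels with each finding so the reviewer's tooling can apply the requested handling.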
Enumerated Value Registries

   This document creates xx identically structured registries to be managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value. An enumerated value for a given IODEF attribute.

      *  Description. A short description of the enumerated value.

      *  Reference. An optional list of URIs to further describe the value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the table below in the "Registry Name" column. The initial values for the Value and Description fields of a given registry are listed in the "IV (Value)" and "IV (Description)" columns respectively. The "IV (Value)" points to a given schema attribute or type per Section 8. Each enumerated value in the schema gets a corresponding entry in a given registry. The "IV (Description)" points to a section in the text of this document. The initial value of the Reference field of every registry entry described below should be this document.
   +-------------------------------+--------------------------+------------------+
   | Registry Name                 | IV (Value)               | IV (Description) |
   +-------------------------------+--------------------------+------------------+
   | Restriction                   | iodef-restriction-type   | Section 3.3.1    |
   | Incident-purpose              | Incident@purpose         | Section 3.2      |
   | Incident-status               | Incident@status          | Section 3.2      |
   | Contact-role                  | Contact@role             | Section 3.10     |
   | Contact-type                  | Contact@type             | Section 3.10     |
   | RegistryHandle-registry       | RegistryHandle@registry  | Section 3.10.1   |
   | Expectation-action            | iodef:action-type        | Section 3.17     |
   | Discovery-source              | Discovery@source         | Section 3.12     |
   | SystemImpact-type             | SystemImpact@type        | Section 3.14.1   |
   | BusinessImpact-severity       | BusinessImpact@severity  | Section 3.14.2   |
   | BusinessImpact-type           | BusinessImpact@type      | Section 3.14.2   |
   | TimeImpact-metrics            | TimeImpact@metric        | Section 3.14.3   |
   | TimeImpact-duration           | iodef:duration-type      | Section 3.14.3   |
   | NodeRole-category             | NodeRole@category        | Section 3.20.2   |
   | System-category               | System@category          | Section 3.19     |
   | System-ownership              | System@ownership         | Section 3.19     |
   | Address-category              | Address@category         | Section 3.20.1   |
   | Counter-type                  | Counter@type             | Section 3.20.3   |
   | Counter-unit                  | Counter@unit             | Section 3.20.3   |
   | DomainData-system-status      | DomainData@system-status | Section 3.21     |
   | DomainData-domain-status      | DomainData@domain-status | Section 3.21     |
   | RelatedDNS-record-type        | RelatedDNS@record-type   | Section 3.21.1   |
   | RecordPattern-type            | RecordPattern@type       | Section 3.25.2   |
   | RecordPattern-offsetunit      | RecordPattern@offsetunit | Section 3.25.2   |
   | Key-registryaction            | Key@registryaction       | Section 3.26.1   |
   | HashData-scope                | HashData@scope           | Section 3.29     |
   | BulkObservable-type           | BulkObservable@type      | Section 3.32.3.1 |
   | AdditionalData-dtype          | iodef:dtype-type         | Section 3.9      |
   | ApplicationHeader-proto-dtype | iodef:proto-dtype-type   | Section 3.22.2   |
   | SoftwareReference-dtype       | SoftwareReference        | Section 3.22.4   |
   +-------------------------------+--------------------------+------------------+

                   Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   The following groups and individuals, listed alphabetically, contributed substantially to this document and should be recognized for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C Recommendation, October 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]  World Wide Web Consortium, "XML Schema Part 1: Structures Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]  World Wide Web Consortium, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]  World Wide Web Consortium, "Namespaces in XML", W3C Recommendation, January 1999, <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]  World Wide Web Consortium, "XML Path Language (XPath) 2.0", W3C Candidate Recommendation, June 2006, <http://www.w3.org/TR/xpath20/>.

   [W3C.XMLSIG]  World Wide Web Consortium, "XML Signature Syntax and Processing 2.0", W3C Candidate Recommendation, June 2008, <http://www.w3.org/TR/xmldsig-core/>.
   [IEEE.POSIX]  Institute of Electrical and Electronics Engineers, "Information Technology - Portable Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration Procedures", RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519, June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October 2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]  Montville, A. and D. Black, "IODEF Enumeration Reference Format", RFC ENUM, January 2015.

   [ISO8601]  International Organization for Standardization, "International Standard: Data elements and interchange formats - Information interchange - Representation of dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January 2004.

   [IANA.Ports]  Internet Assigned Numbers Authority, "Service Name and Transport Protocol Port Number Registry", January 2014, <http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt>.

   [IANA.Protocols]  Internet Assigned Numbers Authority, "Assigned Internet Protocol Numbers", January 2014, <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.txt>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 10646", RFC 2781, February 2000.

   [IANA.Media]  Internet Assigned Numbers Authority, "Media Types", March 2015, <http://www.iana.org/assignments/media-types/media-types.xhtml>.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident Object Description Exchange Format", RFC 5070, December 2007.

   [refs.requirements]  Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements for the Format for Incident Information Exchange (FINE)", Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, April 2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]  Cichonski, P., Millar, T., Grance, T., and K. Scarfone, "NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide", January 2012, <http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS)", RFC 3982, January 2005.

   [KB310516]  Microsoft Corporation, "How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, May 2008.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org

   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com