
The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-14

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7970.
Authors Roman Danyliw , Paul Stoecker
Last updated 2015-07-20
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 7970 (Proposed Standard)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-mile-rfc5070-bis-14
>
   </xs:simpleType>

   <!-- In-document reference (presumably to an Observable; the target
        class is declared outside this excerpt). uid-ref is an xs:IDREF,
        so a validating parser rejects a value that does not match an
        xs:ID somewhere in the same document. -->
   <xs:element name="ObservableReference">
     <xs:complexType>
       <xs:attribute name="uid-ref" type="xs:IDREF" use="required" />
     </xs:complexType>
   </xs:element>

   <!-- Reference to an Indicator, either by in-document ID (uid-ref, an
        xs:IDREF that the validator checks) or, presumably, by an
        external identifier (euid-ref, a free-form string the schema
        cannot check). All three attributes are optional, so an
        IndicatorReference with no reference at all is schema-valid;
        a consumer has to check for that itself. -->
   <xs:element name="IndicatorReference">
     <xs:complexType>
       <xs:attribute name="uid-ref"  type="xs:IDREF"  use="optional" />
       <xs:attribute name="euid-ref" type="xs:string" use="optional" />
       <xs:attribute name="version"  type="xs:string" use="optional" />
     </xs:complexType>
   </xs:element>
<!--
   ==================================================================
   == Miscellaneous simple classes                                 ==

Danyliw & Stoecker      Expires January 21, 2016              [Page 159]
Internet-Draft                   IODEFv2                       July 2015

   ==================================================================
  -->
    <!-- Free-text description; MLStringType adds an optional
         translation-id and xml:lang to the plain string. -->
    <xs:element name="Description" type="iodef:MLStringType"/>
    <!-- xs:anyURI places no restriction on the scheme, so any
         syntactically valid URI passes validation; whether a value is
         safe to dereference is a decision for the consuming system,
         not something the schema establishes. -->
    <xs:element name="URL" type="xs:anyURI"/>
  <!--
   ==================================================================
   == IODEF Basic Data Types                                       ==
   ==================================================================
  -->
    <!-- Float strictly greater than zero: minExclusive="0" rejects 0
         itself. The lexical space is otherwise xs:float's, so INF
         (which is greater than 0) is also accepted. -->
    <xs:simpleType name="PositiveFloatType">
      <xs:restriction base="xs:float">
        <xs:minExclusive value="0" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Multilingual string: xs:string content extended with an optional
         translation-id and the standard xml:lang attribute. xml:lang is
         referenced from the XML namespace, which is presumably imported
         elsewhere in this schema (not visible in this excerpt). -->
    <xs:complexType name="MLStringType">
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="translation-id"
                        type="xs:string" use="optional"/>
          <xs:attribute ref="xml:lang" />
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>

    <!-- Comma-separated list of port numbers or inclusive ranges, e.g.
         "22,80-443" (constructed example). The pattern checks syntax
         only: it does not bound values to 0-65535, does not require
         low <= high within a range, and admits leading zeros, so a
         consumer must still validate the numbers before using them. -->
    <xs:simpleType name="PortlistType">
      <xs:restriction base="xs:string">
        <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- Generic extension point (presumably the type behind
         AdditionalData, whose dtype registry maps to dtype-type).
         mixed="true" together with xs:any namespace="##any"
         processContents="lax" means any text and any foreign-namespace
         elements are accepted, and the elements are validated only if a
         schema for their namespace happens to be available. This is the
         path by which Section 9's "executable content ... through an
         extension" can arrive, so consumers should treat the content as
         untrusted data of the declared dtype, never as something to run. -->
    <xs:complexType name="ExtensionType" mixed="true">
      <xs:sequence>
        <xs:any namespace="##any" processContents="lax"
                minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <!-- The only required attribute: how the content is to be
           interpreted (see dtype-type below). -->
      <xs:attribute name="dtype"
                    type="iodef:dtype-type" use="required"/>
      <xs:attribute name="meaning"
                    type="xs:string"/>
      <xs:attribute name="formatid"
                    type="xs:string"/>
      <!-- Sender's handling/disclosure policy for this element; per
           Section 9 it is a guideline that the recipient may ignore.
           ext-restriction carries the value when restriction is
           "ext-value". -->
      <xs:attribute name="restriction"
                    type="iodef:restriction-type"/>
      <xs:attribute name="ext-restriction"
                    type="xs:string" use="optional"/>
    </xs:complexType>

Danyliw & Stoecker      Expires January 21, 2016              [Page 160]
Internet-Draft                   IODEFv2                       July 2015

    <!-- Arbitrary protocol-header field (ApplicationHeader, Section
         3.22.2). Like ExtensionType this is mixed content with a lax
         xs:any, so the field value may be text or foreign elements and
         is only loosely validated. field and dtype are required; proto,
         proto-name and observable-id are optional. -->
    <xs:complexType name="ApplicationHeaderType" mixed="true">
      <xs:sequence>
         <xs:any namespace="##any" processContents="lax"
                 minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <!-- NOTE(review): proto and proto-name are both declared
           xs:integer. An attribute called "name" typed as an integer
           looks like a copy/paste slip for xs:string; confirm against
           the ApplicationHeader class text before depending on it. -->
      <xs:attribute name="proto"
                    type="xs:integer" use="optional"/>
      <xs:attribute name="proto-name"
                    type="xs:integer" use="optional"/>
      <xs:attribute name="field"
                    type="xs:string" use="required"/>
      <!-- Interpretation of the content; proto-dtype-type is the
           narrower enumeration (no file/packet/winreg etc.). -->
      <xs:attribute name="dtype"
                    type="iodef:proto-dtype-type"
                    use="required"/>
      <!-- xs:ID: unique in the document, so ObservableReference/uid-ref
           can point at this element. -->
      <xs:attribute name="observable-id"
                    type="xs:ID" use="optional"/>
    </xs:complexType>

  <!--
   ==================================================================
   == Global attribute type declarations                           ==
   ==================================================================
  -->
    <!-- Two-valued flag. Values are NMTOKENs "yes"/"no" (not the
         xs:boolean lexical forms true/false). -->
    <xs:simpleType name="yes-no-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="yes" />
        <xs:enumeration value="no" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Three-valued flag: yes-no-type plus an explicit "unknown", so
         that "not known" need not be encoded as an absent attribute. -->
    <xs:simpleType name="yes-no-unknown-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="yes" />
        <xs:enumeration value="no" />
        <xs:enumeration value="unknown" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Disclosure/handling policy a sender attaches to an element
         (Section 3.3.1; registry "Restriction" in Table 1). Section 9
         stresses that this is only a guideline from the sender: the
         schema cannot enforce it and a recipient is free to ignore it.
         The colour values appear to mirror Traffic Light Protocol
         levels - confirm against Section 3.3.1. -->
    <xs:simpleType name="restriction-type">
      <xs:restriction base="xs:NMTOKEN">
        <!-- audience-based levels -->
        <xs:enumeration value="default" />
        <xs:enumeration value="public" />
        <xs:enumeration value="partner" />
        <xs:enumeration value="need-to-know" />
        <xs:enumeration value="private" />
        <!-- colour-based levels -->
        <xs:enumeration value="white" />
        <xs:enumeration value="green" />
        <xs:enumeration value="amber" />
        <xs:enumeration value="red" />
        <!-- actual value carried in the sibling ext-restriction attribute -->
        <xs:enumeration value="ext-value" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Three-level severity scale (low < medium < high). Unlike most
         enumerations in this schema it has no ext-value escape hatch. -->
    <xs:simpleType name="severity-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="low" />
        <xs:enumeration value="medium" />
        <xs:enumeration value="high" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Unit for a time-impact duration (Section 3.14.3; registry
         "TimeImpact-duration"). Note there is no "week"; unknown units
         go through ext-value. -->
    <xs:simpleType name="duration-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="second" />
        <xs:enumeration value="minute" />
        <xs:enumeration value="hour" />
        <xs:enumeration value="day" />
        <xs:enumeration value="month" />
        <xs:enumeration value="quarter" />
        <xs:enumeration value="year" />
        <xs:enumeration value="ext-value" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Action requested or taken in response to an incident (Section
         3.17; registry "Expectation-action"). Several values describe
         blocking or rate-limiting of hosts, networks and ports; per
         Section 9 a parser must authenticate the document and assign
         it an appropriate confidence before acting on any of these. -->
    <xs:simpleType name="action-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="nothing" />
        <!-- contact / investigate -->
        <xs:enumeration value="contact-source-site" />
        <xs:enumeration value="contact-target-site" />
        <xs:enumeration value="contact-sender" />
        <xs:enumeration value="investigate" />
        <!-- traffic control -->
        <xs:enumeration value="block-host" />
        <xs:enumeration value="block-network" />
        <xs:enumeration value="block-port" />
        <xs:enumeration value="rate-limit-host" />
        <xs:enumeration value="rate-limit-network" />
        <xs:enumeration value="rate-limit-port" />
        <xs:enumeration value="redirect-traffic" />
        <xs:enumeration value="honeypot" />
        <!-- remediation -->
        <xs:enumeration value="upgrade-software" />
        <xs:enumeration value="rebuild-asset" />
        <xs:enumeration value="harden-asset" />
        <xs:enumeration value="remediate-other" />
        <!-- workflow / status -->
        <xs:enumeration value="status-triage" />
        <xs:enumeration value="status-new-info" />
        <xs:enumeration value="watch-and-report" />
        <xs:enumeration value="defined-coa" />
        <xs:enumeration value="other" />
        <xs:enumeration value="ext-value" />
      </xs:restriction>
    </xs:simpleType>

    <!-- Declared data type of extension content (ExtensionType/dtype;
         registry "AdditionalData-dtype", Section 3.9). The schema only
         checks that the token is in this list - it does not check that
         the element's content actually conforms to the named type, so a
         consumer must parse the content according to dtype defensively.
         Values such as file, packet, winreg, csv and xml denote embedded
         structured or binary data, the case Section 9 has in mind when it
         says a parser should handle such content with care to prevent
         unintentional automated execution. -->
    <xs:simpleType name="dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="boolean"/>
        <xs:enumeration value="byte"/>
        <xs:enumeration value="bytes"/>
        <xs:enumeration value="character"/>
        <xs:enumeration value="date-time"/>
        <xs:enumeration value="integer"/>
        <xs:enumeration value="ntpstamp"/>
        <xs:enumeration value="portlist"/>
        <xs:enumeration value="real"/>
        <xs:enumeration value="string"/>
        <!-- embedded structured / binary content -->
        <xs:enumeration value="file"/>
        <xs:enumeration value="path"/>
        <xs:enumeration value="frame"/>
        <xs:enumeration value="packet"/>
        <xs:enumeration value="ipv4-packet"/>
        <xs:enumeration value="ipv6-packet"/>
        <xs:enumeration value="url"/>
        <xs:enumeration value="csv"/>
        <xs:enumeration value="winreg"/>
        <xs:enumeration value="xml"/>
        <xs:enumeration value="ext-value"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- Data type of an ApplicationHeader field value (registry
         "ApplicationHeader-proto-dtype", Section 3.22.2). A strict
         subset of dtype-type: the embedded file/packet/winreg/csv
         kinds are not allowed here, only scalar types and xml. -->
    <xs:simpleType name="proto-dtype-type">
      <xs:restriction base="xs:NMTOKEN">
        <xs:enumeration value="boolean" />
        <xs:enumeration value="byte" />
        <xs:enumeration value="bytes" />
        <xs:enumeration value="character" />
        <xs:enumeration value="date-time" />
        <xs:enumeration value="integer" />
        <xs:enumeration value="real" />
        <xs:enumeration value="string" />
        <xs:enumeration value="xml" />
        <xs:enumeration value="ext-value" />
      </xs:restriction>
    </xs:simpleType>
</xs:schema>

Danyliw & Stoecker      Expires January 21, 2016              [Page 163]
Internet-Draft                   IODEFv2                       July 2015

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document registers a namespace, XML schema, and a number of
   registries that map to enumerated values defined in the schema.

Danyliw & Stoecker      Expires January 21, 2016              [Page 164]
Internet-Draft                   IODEFv2                       July 2015

10.1.  Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to the registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

10.2.  Enumerated Value Registries

   This document creates xx identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226].

   The registries to be created are named in the table below in the
   "Registry Name" column.  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns respectively.  The "IV (Value)" points

Danyliw & Stoecker      Expires January 21, 2016              [Page 165]
Internet-Draft                   IODEFv2                       July 2015

   to a given schema attribute or type per Section 8.  Each enumerated
   value in the schema gets a corresponding entry in a given registry.
   The "IV (Description)" points to a section in the text of this
   document.  The initial value of the Reference field of every registry
   entry described below should be this document.

   +--------------------------+-----------------------+----------------+
   |      Registry Name       |       IV (Value)      |       IV       |
   |                          |                       | (Description)  |
   +--------------------------+-----------------------+----------------+
   |       Restriction        |   iodef-restriction-  | Section 3.3.1  |
   |                          |          type         |                |
   |                          |                       |                |
   |     Incident-purpose     |    Incident@purpose   |  Section 3.2   |
   |                          |                       |                |
   |     Incident-status      |    Incident@status    |  Section 3.2   |
   |                          |                       |                |
   |       Contact-role       |      Contact@role     |  Section 3.10  |
   |                          |                       |                |
   |       Contact-type       |      Contact@type     |  Section 3.10  |
   |                          |                       |                |
   | RegistryHandle-registry  | RegistryHandle@regist | Section 3.10.1 |
   |                          |           ry          |                |
   |                          |                       |                |
   |    Expectation-action    |   iodef:action-type   |  Section 3.17  |
   |                          |                       |                |
   |     Discovery-source     |    Discovery@source   |  Section 3.12  |
   |                          |                       |                |
   |    SystemImpact-type     |   SystemImpact@type   | Section 3.14.1 |
   |                          |                       |                |
   | BusinessImpact-severity  | BusinessImpact@severi | Section 3.14.2 |
   |                          |           ty          |                |
   |                          |                       |                |
   |   BusinessImpact-type    |  BusinessImpact@type  | Section 3.14.2 |
   |                          |                       |                |
   |    TimeImpact-metrics    |   TimeImpact@metric   | Section 3.14.3 |
   |                          |                       |                |
   |   TimeImpact-duration    |  iodef:duration-type  | Section 3.14.3 |
   |                          |                       |                |
   |    NodeRole-category     |   NodeRole@category   | Section 3.20.2 |
   |                          |                       |                |
   |     System-category      |    System@category    |  Section 3.19  |
   |                          |                       |                |
   |     System-ownership     |    System@ownership   |  Section 3.19  |
   |                          |                       |                |
   |     Address-category     |    Address@category   | Section 3.20.1 |
   |                          |                       |                |
   |       Counter-type       |      Counter@type     | Section 3.20.3 |

Danyliw & Stoecker      Expires January 21, 2016              [Page 166]
Internet-Draft                   IODEFv2                       July 2015

   |                          |                       |                |
   |       Counter-unit       |      Counter@unit     | Section 3.20.3 |
   |                          |                       |                |
   | DomainData-system-status |   DomainData@system-  |  Section 3.21  |
   |                          |         status        |                |
   |                          |                       |                |
   | DomainData-domain-status |   DomainData@domain-  |  Section 3.21  |
   |                          |         status        |                |
   |                          |                       |                |
   |  RelatedDNS-record-type  |   RelatedDNS@record-  | Section 3.21.1 |
   |                          |          type         |                |
   |                          |                       |                |
   |    RecordPattern-type    |   RecordPattern@type  | Section 3.25.2 |
   |                          |                       |                |
   | RecordPattern-offsetunit | RecordPattern@offsetu | Section 3.25.2 |
   |                          |          nit          |                |
   |                          |                       |                |
   |    Key-registryaction    |   Key@registryaction  | Section 3.26.1 |
   |                          |                       |                |
   |      HashData-scope      |     HashData@scope    |  Section 3.29  |
   |                          |                       |                |
   |   BulkObservable-type    |  BulkObservable@type  |    Section     |
   |                          |                       |    3.32.3.1    |
   |                          |                       |                |
   |   AdditionalData-dtype   |    iodef:dtype-type   |  Section 3.9   |
   |                          |                       |                |
   | ApplicationHeader-proto- |   iodef:proto-dtype-  | Section 3.22.2 |
   |          dtype           |          type         |                |
   |                          |                       |                |
   | SoftwareReference-dtype  |   SoftwareReference   | Section 3.22.4 |
   +--------------------------+-----------------------+----------------+

                 Table 1: IANA Enumerated Value Registries

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

Danyliw & Stoecker      Expires January 21, 2016              [Page 167]
Internet-Draft                   IODEFv2                       July 2015

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation , October
              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1:
              Structures Second Edition", W3C Recommendation, October
              2004, <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation , October 2004,
              <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation , January 1999,
              <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation , June 2006,
              <http://www.w3.org/TR/xpath20/>.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Candidate Recommendation , June 2008,
              <http://www.w3.org/TR/xmldsig-core/>.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions",
              IEEE 1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Philips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

Danyliw & Stoecker      Expires January 21, 2016              [Page 168]
Internet-Draft                   IODEFv2                       July 2015

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, January 2015.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014,
              <http://www.iana.org/assignments/service-names-port-
              numbers/service-names-port-numbers.txt>.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014,
              <http://www.iana.org/assignments/protocol-numbers/
              protocol-numbers.txt>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
              10646", RFC 2781, February 2000.

Danyliw & Stoecker      Expires January 21, 2016              [Page 169]
Internet-Draft                   IODEFv2                       July 2015

   [IANA.Media]
              Internet Assigned Numbers Authority, "Media Types", March
              2015, <http://www.iana.org/assignments/media-types/
              media-types.xhtml>.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012,
              <http://csrc.nist.gov/publications/nistpubs/800-61rev2/
              SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) File", RFC 4180, October 2005.

Danyliw & Stoecker      Expires January 21, 2016              [Page 170]
Internet-Draft                   IODEFv2                       July 2015

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org

   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com

Danyliw & Stoecker      Expires January 21, 2016              [Page 171]