MILE Working Group J. Field
Internet-Draft Pivotal
Intended status: Informational S. Banghart
Expires: December 5, 2016 NIST
June 3, 2016
Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-02
Abstract
This document defines a resource-oriented approach to cyber security
information sharing. Using this approach, operators may share and
exchange representations of cyber security incidents, attack
indicators, software vulnerabilities, and other related information
as Web-addressable resources. Furthermore, consumers and other
stakeholders may access and search this security content as needed,
establishing a rapid and on-demand information exchange network for
restricted internal use or public access repositories. This
specification builds on and extends the Atom Publishing Protocol and
Atom Syndication Format to transport and share cyber security
resource representations. This document leverages the existing
representations IODEF and RID where appropriate, and supports related
cyber security representation standards.
Contributing to this document
The source for this draft is being maintained in GitHub. Suggested
changes should be submitted as pull requests at
<https://github.com/CISecurity/ROLIE>. Instructions are on that page
as well. Editorial changes can be managed in GitHub, but any
substantial issues need to be discussed on the MILE mailing list.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Field & Banghart Expires December 5, 2016 [Page 1]
Internet-Draft ROLIE June 2016
This Internet-Draft will expire on December 5, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Background and Motivation . . . . . . . . . . . . . . . . . . 4
3.1. Message-oriented versus Resource-oriented Architecture . 5
3.1.1. Message-oriented Architecture . . . . . . . . . . . . 5
3.1.2. Resource-Oriented Architecture . . . . . . . . . . . 6
4. Atom Publication Protocol and Atom Syndication Format TODO . 7
5. Normative Requirements TODO . . . . . . . . . . . . . . . . . 8
5.1. Atom Requirements . . . . . . . . . . . . . . . . . . . . 8
5.2. Transport Layer Security . . . . . . . . . . . . . . . . 8
5.3. Archiving and Paging . . . . . . . . . . . . . . . . . . 8
5.4. Expectation and Impact Classes . . . . . . . . . . . . . 8
5.5. User Authentication . . . . . . . . . . . . . . . . . . . 9
5.6. User Authorization . . . . . . . . . . . . . . . . . . . 9
5.7. Content Model . . . . . . . . . . . . . . . . . . . . . . 9
5.8. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 10
5.9. Service Discovery . . . . . . . . . . . . . . . . . . . . 11
5.9.1. Workspaces . . . . . . . . . . . . . . . . . . . . . 11
5.9.2. Collections . . . . . . . . . . . . . . . . . . . . . 11
5.9.3. Service Document Security . . . . . . . . . . . . . . 11
5.10. Category Mapping . . . . . . . . . . . . . . . . . . . . 11
5.10.1. Collection Category . . . . . . . . . . . . . . . . 12
5.10.2. Entry Category . . . . . . . . . . . . . . . . . . . 12
5.11. Entry ID . . . . . . . . . . . . . . . . . . . . . . . . 12
5.12. Entry Content . . . . . . . . . . . . . . . . . . . . . . 13
5.13. Link Relations . . . . . . . . . . . . . . . . . . . . . 13
5.13.1. Additional Link Relation Requirements . . . . . . . 15
5.14. Member Entry Forward Security . . . . . . . . . . . . . . 15
5.15. Date Mapping . . . . . . . . . . . . . . . . . . . . . . 16
Field & Banghart Expires December 5, 2016 [Page 2]
Internet-Draft ROLIE June 2016
5.16. Search . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.17. / (forward slash) Resource URL . . . . . . . . . . . . . 16
6. Security Considerations TODO . . . . . . . . . . . . . . . . 17
7. IANA Considerations TODO . . . . . . . . . . . . . . . . . . 19
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 19
9.2. Informative References . . . . . . . . . . . . . . . . . 20
9.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. Change Tracking . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction
This document defines a resource-oriented approach to cyber security
information sharing that follows the REST (Architectural Styles and t
he Design of Network-based Software Architectures) architectural
style. In this approach, cyber security resources are maintained in
web-accessible repositories structured as Atom Syndication Format
[RFC4287] feeds. Representations of content are categorized and
organized into indexed collections, which are requested by the
consumer. As the set of resource collections are forward facing, the
consumer may search all available content for which they are
authorized to view and request that which is desired. Granular
authentication and access controls permit only authorized consumers
the ability to view, read, or write to a given feed. This approach
is in contrast to, and meant to improve on, the traditional point-to-
point messaging system, in which consumers must request individual
pieces of information from a server following a triggering event.
This traditional approach creates a closed system of information
sharing that encourages duplication of efforts and hinders automated
cyber security systems.
The goal of this document is to define the RESTful approach to cyber
security communication with the intent of increasing communication
and sharing of incident reports, vulnerability assessments, and other
security content between producers, operators, and consumers.
In order to exchange information as web-addressable resources, the
resource representations leverage the existing IODEF [RFC5070] and
RID [RFC6545] specifications and other representation standards as
appropriate. The transport protocol binding is specified as HTTP(S)
with a media type of Atom+XML. An appropriate set of link relation
types specific to cyber security information sharing is defined.
Coexistence with deployments that conform to existing specifications
including RID [RFC6545] and Transport of Real-time Inter-network
Field & Banghart Expires December 5, 2016 [Page 3]
Internet-Draft ROLIE June 2016
Defense (RID) Messages over HTTP/TLS [RFC6546] is supported via
appropriate use of HTTP status codes.
2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of
[RFC5070].
3. Background and Motivation
It is well known that the field of threats to computer security is
evolving ever more rapidly as time goes on. As software increases in
complexity, the number of vulnerabilities in our systems and networks
increase exponentially. Threat actors looking to exploit these
vulnerabilities are making more frequent and more widely distributed
attacks across a large variety of systems. The adoption of liberal
information sharing amongst attackers creates a window of as little
as a few hours between the discovery of a vulnerability and attacks
on the vulnerable system. As the skills and knowledge required to
identify and combat these attacks become more and more specialized,
even a well established and secure system may find itself unable to
quickly respond to an incident. Effective identification of and
response to a sophisticated attack requires open cooperation and
collaboration between defending operators, software vendors, and even
end-users.
Existing approaches to cyber security information sharing are based
upon message exchange patterns that are point-to-point, and event-
driven. Sometimes, information that may be useful to, and sharable
with multiple peers is only made available to peers after they have
specifically requested it. Unfortunately, a sharing peer may not
know, a priori, what information to request from another peer.
Sending unsolicited RID reports does provide a mechanism for
alerting, however these reports are again sent point-to-point, and
must be reviewed for relevance and then prioritized for action by the
recipient. Thus, distribution of some relevant incident and
indicator information may exhibit significant latency.
In order to adequately combat the evolving threats, computer security
resource producers should be enabled to share selected information
proactively as appropriate. Proactive sharing greatly aids knowledge
dissemination as well as improving on response times and usability.
Field & Banghart Expires December 5, 2016 [Page 4]
Internet-Draft ROLIE June 2016
For example, a cyber security analyst would benefit by having the
ability to search a comprehensive collection of attack indicators
that have been published by a government agency, or by another member
of a sharing consortium. The representation of each indicator may
include links to the related resources, enabling an appropriately
authenticated and authorized analyst to freely navigate the
information space of indicators, incidents, vulnerabilities, and
other cyber security domain concepts, as needed. In general, a more
Web-centric sharing approach will enable a more dynamic and agile
collaboration amongst a broader, and varying constituency.
The following sections discuss additional specific technical issues
that motivate the development of an alternative approach.
3.1. Message-oriented versus Resource-oriented Architecture
The existing approaches to cyber security information sharing are
based upon message-oriented interactions. The following paragraphs
explore some of the architectural constraints associated with
message-oriented interactions and consider the relative merits of an
alternative model based on a Resource-oriented architecture for use
in some use case scenarios.
ROLIE specifies a resource-oriented architecture.
3.1.1. Message-oriented Architecture
In general, message-based integration architectures may be based upon
either an RPC-style or a document-style binding. The message types
defined by RID represent an example of an RPC-style request. This
approach imposes implied requirements for conversational state
management on both of the communicating RID endpoint(s). Experience
has shown that this state management frequently becomes the limiting
factor with respect to the runtime scalability of an RPC-style
architecture.
In addition, the practical scalability of a peer-to-peer message-
based approach will be limited by the administrative procedures
required to manage O(N^2) trust relationships and at least O(N)
policy groups.
As long as the number of participating entities in an information
sharing consortium is limited to a relatively small number of nodes
(i.e., O(2^N), where N < 5), these scalability constraints may not
represent a critical concern. However, when there is a requirement
to support a significantly larger number of participating peers, a
different architectural approach will be required. One alternative
Field & Banghart Expires December 5, 2016 [Page 5]
Internet-Draft ROLIE June 2016
to the message-based approach that has demonstrated scalability is
the REST [REST] architectural style.
3.1.2. Resource-Oriented Architecture
Applying the REST architectural style to the problem domain of cyber
security information sharing would take the approach of exposing
incidents, indicators, and any other relevant types as simple Web-
addressable resources. By using this approach, an organization can
more quickly and easily share relevant incident and indicator
information with a much larger and potentially more diverse
constituency. A consumer may leverage virtually any available HTTP
user agent in order to make requests of the service provider. This
improved ease of use could enable more rapid adoption and broader
participation, thereby improving security for everyone.
A key interoperability aspect of any RESTful Web service will be the
choices regarding the available resource representations. For
example, clients may request that a given resource representation be
returned as either XML or JSON. In order to enable back-
compatibility and interoperability with existing implementations,
IODEF [RFC5070] is specified for this transport binding as a
mandatory to implement (MTI) data representation for incident and
indicator resources. In addition to the REQUIRED representation, an
implementation MAY support additional representations if and as
needed such as IODEF extensions, the RID schema, or other schemas.
For example, an implementation may choose to provide support for
returning a JSON representation of an incident resource.
Finally, an important principle of the REST architectural style is
the use of hypertext links as the embodiment of application state
(HATEOAS). Rather than the server maintaining conversational state
for each client context, the server will instead include a suitable
set of hyperlinks in the resource representation that is returned to
the client. In this way, the server remains stateless with respect
to a series of client requests. The included hyperlinks provide the
client with a specific set of permitted state transitions. Using
these links the client may perform an operation, such as updating or
deleting the resource representation. The client may also be
provided with hypertext links that can be used to navigate to any
related resource. For example, the resource representation for an
incident object may contain links to the related indicator
resource(s).
This document specifies the use of Atom Syndication Format [RFC4287]
and Atom Publishing Protocol [RFC5023] as the mechanism for
representing the required hypertext links.
Field & Banghart Expires December 5, 2016 [Page 6]
Internet-Draft ROLIE June 2016
3.1.2.1. A Resource-Oriented Use Case: "Mashup"
In this section we consider a non-normative example use case scenario
for creating a cyber security "mashup".
Any operator can authorize any or all members of the sharing
community to quickly and easily navigate through any of the cyber
security information that that provider is willing to share. An
analyst may then make HTTP(S) requests to collect vulnerability
information known at one producer and threat actor data being made
available from another producer. The resulting correlations may
yield new insights that enable a more timely and effective defensive
response. Of course, this report may, in turn, be made available to
others as a new Web-addressable resource, reachable via another URL.
By employing the RESTful Web service approach the effectiveness of
the collaboration amongst a consortium of cyber security stakeholders
can be greatly improved.
4. Atom Publication Protocol and Atom Syndication Format TODO
As described in Atom Publishing Protocol [RFC5023], an Atom Service
Document is an XML-based document format that allows a client to
dynamically discover the collections provided by a publisher.
As described in Atom Syndication Format [RFC4287], Atom is an XML-
based document format that describes lists of related information
items known as collections, or "feeds". Each feed document contains
a collection of zero or more related information items called "member
entries" or "entries".
When applied to the problem domain of cyber security information
sharing, an Atom feed may be used to represent any meaningful
collection of information resources such as a set of incidents, or
indicators. Each entry in a feed could then represent an individual
incident, or indicator, or some other resource, as appropriate.
Additional feeds could be used to represent other meaningful and
useful collections of cyber security resources. A feed may be
categorized, and any feed may contain information from zero or more
categories. The naming scheme and the semantic meaning of the terms
used to identify an Atom category are application-defined.
This document assumes that the reader has an understanding of both
Atom documents. Further discussion of Atom's application to this
domain a well of examples of its use are provided in the BCG
document.
Field & Banghart Expires December 5, 2016 [Page 7]
Internet-Draft ROLIE June 2016
5. Normative Requirements TODO
This section provides the NORMATIVE requirements for using Atom
format and Atom Pub as a RESTful binding for cyber security
information sharing.
5.1. Atom Requirements
Implementations of this specification MUST implement all requirements
specified in Atom Publishing Protocol and the Atom Syndication
Format. (TODO: work on a more normative and perhaps constrained
requirement.)
5.2. Transport Layer Security
Implementations MUST support server-authenticated TLS.
Implementations MAY support mutually authenticated TLS.
5.3. Archiving and Paging
A feed can contain an arbitrary number of entries. In some cases,
the complete response to a given query may consist of a logical
result set that contains a large number of entries. As a practical
matter, the full result set will likely need to be divided into more
manageable portions. For example, a query may produce a full result
set that may need to be grouped into logical pages, for purposes of
rendering on a user interface.
An historical feed may need to be stable, and/or divided into some
defined epochs. Implementations SHOULD support the mechanisms
described in Feed Paging and Archiving [RFC5005] to provide
capabilities for paging and archiving of feeds.
5.4. Expectation and Impact Classes
It is frequently the case that an organization will need to triage
their investigation and response activities based upon, e.g., the
state of the current threat environment, or simply as a result of
having limited resources.
In order to enable operators to effectively prioritize their response
activity, it is RECOMMENDED that feed implementers provide Atom
categories that correspond to the IODEF Expectation and Impact
classes. The availability of these feed categories will enable
clients to more easily retrieve and prioritize cyber security
information that has already been identified as having a specific
potential impact, or having a specific expectation.
Field & Banghart Expires December 5, 2016 [Page 8]
Internet-Draft ROLIE June 2016
Support for these categories may also enable efficiencies for
organizations that already have established (or plan to establish)
operational processes and workflows that are based on these IODEF
classes.
5.5. User Authentication
Implementations MUST support user authentication. User
authentication MAY be enabled for specific feeds.
Implementations MAY support more than one client authentication
method.
Servers participating in an information sharing consortium and
supporting interactive user logins by members of the consortium
SHOULD support client authentication via a federated identity scheme
as per SAML 2.0.
Implementations MAY support client authenticated TLS.
5.6. User Authorization
This document does not mandate the use of any specific user
authorization mechanisms. However, service implementers SHOULD
provide appropriate authorization checking for all resource accesses,
including individual Atom Entries, Atom Feeds, and Atom Service
Documents.
Authorization for a resource MAY be adjudicated based on the value(s)
of the associated Atom <category> element(s).
When the content model for the Atom <content> element of an Atom
Entry contains an <IODEF-Document>, then authorization MUST be
adjudicated based upon the Atom <category> element(s), whose values
have been mapped as per Section 5.10.
Any use of the <category> element(s) as an input to an authorization
policy decision MUST include both the "scheme" and "term" attributes
contained therein. As described in Section 5.10 below, the namespace
of the "term" attribute is scoped by the associated "scheme"
attribute.
5.7. Content Model
Member entry resources providing a representation of an incident
resource (e.g., as specified in the link relation type) MUST use the
IODEF schema as the content model for the Atom Entry <content>
element.
Field & Banghart Expires December 5, 2016 [Page 9]
Internet-Draft ROLIE June 2016
Member Entry resources providing a representation of an indicator
resource (e.g., as specified in the link relation type) MUST use the
IODEF schema as the content model for the Atom Entry <content>
element.
The resource representation MAY include an appropriate indicator
schema type within the <AdditionalData> element of the IODEF Incident
class. Supported indicator schema types SHALL be registered via an
IANA table (todo: IANA registration/review).
Member Entry resources providing a representation of a RID report
resource (e.g., as specified in the link relation type) MUST use the
RID schema as the content model for the Atom Entry <content> element.
Member Entry resources providing representation of other types,
SHOULD use the schema appropriate for their data category as the
content model for the Atom Entry <content> element. These data
categories SHALL be registered via an IANA table.
The <content> element of the Atom entry MUST contain an appropriate
XML namespace declaration.
5.8. HTTP methods
The following table defines the HTTP [RFC7235] uniform interface
methods supported by this specification:
+--------+----------------------------------------------------------+
| HTTP | Description |
| method | |
+--------+----------------------------------------------------------+
| GET | Returns a representation of an individual member entry |
| | resource, or a feed collection. |
| PUT | Replaces the current representation of the specified |
| | member entry resource with the representation provided |
| | in the HTTP request body. |
| POST | Creates a new instance of a member entry resource. The |
| | representation of the new resource is provided in the |
| | HTTP request body. |
| DELETE | Removes the indicated member entry resource, or feed |
| | collection. |
| HEAD | Returns metadata about the member entry resource, or |
| | feed collection, contained in HTTP response headers. |
| PATCH | Support TBD. |
+--------+----------------------------------------------------------+
Table 1: Uniform Interface for Resource-Oriented Lightweight
Indicator Exchange
Field & Banghart Expires December 5, 2016 [Page 10]
Internet-Draft ROLIE June 2016
Clients MUST be capable of recognizing and prepared to process any
standard HTTP status code, as defined in [RFC7235]
5.9. Service Discovery
This specification requires that a implementation MUST publish an
Atom Service Document that describes the set of cyber security
information sharing feeds that are provided.
The service document SHOULD be discoverable via the organization's
Web home page or another well-known public resource.
5.9.1. Workspaces
The service document MAY include multiple workspaces. Any producer
providing both public feeds and private consortium feeds MUST place
these different classes of feeds into different workspaces, and
provide appropriate descriptions and naming conventions to indicate
the intended audience of each workspace.
5.9.2. Collections
An implementation MAY provide any number of collections within a
given Workspace. It is RECOMMENDED that each collection appear in
only a single Workspace. It is RECOMMENDED that at least one
collection be provided that accepts new incident reports from users.
At least one collection MUST provide a feed of incident information
for which the content model for the entries uses the IODEF schema.
The title of this collection SHOULD be "Incidents".
5.9.3. Service Document Security
Access to the service document MUST be protected via server-
authenticated TLS and a server-side certificate.
When deploying a service document for use by a closed consortium, the
service document MAY also be digitally signed and/or encrypted, using
XML DigSig and/or XML Encryption, respectively.
5.10. Category Mapping
This section defines normative requirements for mapping IODEF
metadata to corresponding Atom category elements. (todo: decide
between IANA registration of scheme, or use a full URI).
Field & Banghart Expires December 5, 2016 [Page 11]
Internet-Draft ROLIE June 2016
5.10.1. Collection Category
An Atom collection MAY hold entries from one or more categories. The
collection category set MUST contain at least the union of all the
member entry categories. A collection MAY have additional category
metadata that are unique to the collection, and not applicable to any
individual member entry. A collection containing IODEF incident
content MUST contain at least two <category> elements. One category
MUST be specified with the value of the "scheme" attribute as
"restriction". One category MUST be specified with the value of the
"scheme" attribute as "purpose". The value of the "fixed" attribute
for both of these category elements MUST be "yes". When the category
scheme="restriction", the allowable values for the "term" attribute
are constrained as per section 3.2 of IODEF, e.g. public, need-to-
know, private, default. When the category scheme="purpose", the
allowable values for the "term" attribute are constrained as per
section 3.2 of IODEF, e.g. traceback, mitigation, reporting, other.
5.10.2. Entry Category
An Atom entry containing IODEF content MUST contain at least two
<category> elements. One category MUST be specified with the value
of the "scheme" attribute as "restriction". One category MUST be
specified with the value of the "scheme" attribute as "purpose".
When the category scheme="restriction", the value of the "term"
attribute must be exactly one of ( public, need-to-know, private,
default). When the category scheme="purpose", the value of the
"term" attribute must be exactly one of (traceback, mitigation,
reporting, other). When the purpose is "other"....
Any member entry MAY have any number of additional categories.
5.11. Entry ID
The ID element for an Atom entry SHOULD be established via the
concatenation of the value of the name attribute from the IODEF
<IncidentID> element and the corresponding value of the <IncidentID>
element. This requirement ensures a simple and direct one-to-one
relationship between an IODEF incident ID and a corresponding Feed
entry ID and avoids the need for any system to maintain a persistent
store of these identity mappings.
(todo: Note that this implies a constraint on the IODEF document that
is more restrictive than the current IODEF schema. IODEF section 3.3
requires only that the name be a STRING type. Here we are stating
that name must be an IRI. Possible request to update IODEF to
constrain, or to support a new element or attribute).
Field & Banghart Expires December 5, 2016 [Page 12]
Internet-Draft ROLIE June 2016
5.12. Entry Content
The <content> element of an Atom <entry> SHOULD include an IODEF
document. The <entry> element SHOULD include an appropriate XML
namespace declaration for the IODEF schema. If the content model of
the <entry> element does not follow the IODEF schema, then the
<entry> element MUST include an appropriate XML namespace
declaration.
A client MAY ignore content that is not using the IODEF schema.
5.13. Link Relations
In addition to the standard Link Relations defined by the Atom
specification, this specification defines the following additional
Link Relation terms, which are introduced specifically in support of
the Resource-Oriented Lightweight Information Exchange protocol.
+-----------------------+-----------------------------+-------------+
| Name | Description | Conformance |
+-----------------------+-----------------------------+-------------+
| service | Provides a link to an atom | MUST |
| | service document associated | |
| | with the collection feed. | |
| search | Provides a link to an | MUST |
| | associated Open Search | |
| | document that describes a | |
| | URL template for search | |
| | queries. | |
| history | Provides a link to a | MUST |
| | collection of zero or more | |
| | historical entries that are | |
| | associated with the | |
| | resource. | |
| incidents | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of incident | |
| | representations associated | |
| | with the resource. | |
| indicators | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of cyber security | |
| | indicators that are | |
| | associated with the | |
| | resource. | |
| information | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of cyber security | |
Field & Banghart Expires December 5, 2016 [Page 13]
Internet-Draft ROLIE June 2016
| | information that is | |
| | associated with the | |
| | resource. | |
| evidence | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides | |
| | some proof of attribution | |
| | for an incident. The | |
| | evidence may or may not | |
| | have any identified chain | |
| | of custody. | |
| campaign | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | associated cyber attack | |
| | campaign. | |
| attacker | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | attacker. | |
| vector | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | method used by the | |
| | attacker. | |
| assessments | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | the results of executing a | |
| | benchmark. | |
| reports | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID reports. | |
| traceRequests | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID traceRequests. | |
| investigationRequests | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID investigationRequests. | |
+-----------------------+-----------------------------+-------------+
Field & Banghart Expires December 5, 2016 [Page 14]
Internet-Draft ROLIE June 2016
Table 2: Link Relations for Resource-Oriented Lightweight Indicator
Exchange
Unless specifically registered with IANA these short names MUST be
fully qualified via concatenation with a base-uri. An appropriate
base-uri could be established via agreement amongst the members of an
information sharing consortium. For example, the rel="indicators"
relationship would become
rel="http://www.example.org/rolie/incidents/relationships/
indicators."
5.13.1. Additional Link Relation Requirements
An IODEF document that is carried in an Atom Entry SHOULD NOT contain
a <relatedActivity> element. Instead, the related activity SHOULD be
available via a link rel=related.
An IODEF document that is carried in an Atom Entry SHOULD NOT contain
a <history> element. Instead, the related history SHOULD be
available via a link rel="history" (todo: or a fully qualified link
rek name). The associated href MAY leverage OpenSearch to specify
the required query.
An Atom Entry MAY include additional link relationships not specified
here. If a client encounters a link relationship of an unknown type
the client MUST ignore the offending link and continue processing the
remaining resource representation as if the offending link element
did not appear.
5.14. Member Entry Forward Security
As described in Authorization Policy Enforcement a RESTful model for
cyber security information sharing requires that all of the required
security enforcement for feeds and entries MUST be enforced at the
source system, at the point the representation of the given
resource(s) is created. A provider SHALL NOT return any feed content
or member entry content for which the client identity has not been
specifically authenticated, authorized, and audited.
Sharing communities that have a requirement for forward message
security (such that client systems are required to participate in
providing message level security and/or distributed authorization
policy enforcement), MUST use the RID schema as the content model for
the member entry <content> element.
Field & Banghart Expires December 5, 2016 [Page 15]
Internet-Draft ROLIE June 2016
5.15. Date Mapping
The Atom feed <updated> element MUST be populated with the current
time at the instant the feed representation was generated. The Atom
entry <published> element MUST be populated with the same time value
as the <reportTime> element from the IODEF document.
5.16. Search
Implementers MUST support OpenSearch 1.1 [opensearch] as the
mechanism for describing how clients may form search requests.
Implementers MUST provide a link with a relationship type of
"search". This link SHALL return an Open Search Description Document
as defined in OpenSearch 1.1.
Implementers MUST support an OpenSearch 1.1 compliant search URL
template that enables a search query via Atom Category, including the
scheme attribute and terms attribute as search parameters.
Implementers SHOULD support search based upon the IODEF AlternativeID
class as a search parameter.
Implementers SHOULD support search based upon the four timestamp
elements of the IODEF Incident class: <startTime>, <EndTime>,
<DetectTime>, and <ReportTime>.
Implementers MAY support additional search capabilities based upon
any of the remaining elements of the IODEF Incident class, including
the <Description> element.
Collections that support use of the RID schema as a content model in
the Atom member entry <content> element (e.g. in a report resource
representation reachable via the "report" link relationship) MUST
support search operations that include the RID MessageType as a
search parameter, in addition to the aforementioned IODEF schema
elements, as contained within the <ReportSchema> element.
Implementers MUST fully qualify all OpenSearch URL template parameter
names using the defined IODEF or RID XML namespaces, as appropriate.
5.17. / (forward slash) Resource URL
The "/" resource MAY be provided for compatibility with existing
deployments that are using Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS [RFC6546]. Consistent with
RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP
status code 405 Method Not Allowed. An implementation MAY provide
Field & Banghart Expires December 5, 2016 [Page 16]
Internet-Draft ROLIE June 2016
full support for RFC6546 such that a POST to "/" containing a
recognized RID message type just works. Alternatively, a client
requesting a POST to "/" MAY receive an HTTP status code 307
Temporary Redirect. In this case, the location header in the HTTP
response will provide the URL of the appropriate RID endpoint, and
the client may repeat the POST method at the indicated location.
This resource could also leverage the new draft by reschke that
proposes HTTP status code 308 (cf: draft-reschke-http-status-
308-07.txt).
6. Security Considerations TODO
This document defines a resource-oriented approach to lightweight
information exchange using HTTP, TLS, Atom Syndicate Format, and Atom
Publishing Protocol. As such, implementers must understand the
security considerations described in those specifications.
In addition, there are a number of additional security considerations
that are unique to this specification.
The approach described herein is based upon all policy enforcements
being implemented at the point when a resource representation is
created. As such, producers sharing cyber security information using
this specification must take care to authenticate their HTTP clients
using a suitably strong user authentication mechanism. Sharing
communities that are exchanging information on well-known indicators
and incidents for purposes of public education may choose to rely
upon, e.g. HTTP Authentication, or similar. However, sharing
communities that are engaged in sensitive collaborative analysis and/
or operational response for indicators and incidents targeting high
value information systems should adopt a suitably stronger user
authentication solution, such as TLS client certificates, or a risk-
based or multi-factor approach. In general, trust in the sharing
consortium will depend upon the members maintaining adequate user
authentication mechanisms.
Collaborating consortiums may benefit from the adoption of a
federated identity solution, such as those based upon SAML-core
[SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for
Web-based authentication and cross-organizational single sign-on.
Dependency on a trusted third party identity provider implies that
appropriate care must be exercised to sufficiently secure the
Identity provider. Any attacks on the federated identity system
would present a risk to the CISRT, as a relying party. Potential
mitigations include deployment of a federation-aware identity
provider that is under the control of the information sharing
consortium, with suitably stringent technical and management
controls.
Field & Banghart Expires December 5, 2016 [Page 17]
Internet-Draft ROLIE June 2016
Authorization of resource representations is the responsibility of
the source system, i.e. based on the authenticated user identity
associated with an HTTP(S) request. The required authorization
policies that are to be enforced must therefore be managed by the
security administrators of the source system. Various authorization
architectures would be suitable for this purpose, such as RBAC [1]
and/or ABAC, as embodied in XACML [XACML]. In particular,
implementers adopting XACML may benefit from the capability to
represent their authorization policies in a standardized,
interoperable format.
Additional security requirements such as enforcing message-level
security at the destination system could supplement the security
enforcements performed at the source system, however these
destination-provided policy enforcements are out of scope for this
specification. Implementers requiring this capability should
consider leveraging, e.g. the <RIDPolicy> element in the RID schema.
Refer to RFC6545 section 9 for more information.
When security policies relevant to the source system are to be
enforced at both the source and destination systems, implementers
must take care to avoid unintended interactions of the separately
enforced policies. Potential risks will include unintended denial of
service and/or unintended information leakage. These problems may be
mitigated by avoiding any dependence upon enforcements performed at
the destination system. When distributed enforcement is unavoidable,
the usage of a standard language (e.g. XACML) for the expression of
authorization policies will enable the source and destination systems
to better coordinate and align their respective policy expressions.
Adoption of the information sharing approach described in this
document will enable users to more easily perform correlations across
separate, and potentially unrelated, cyber security information
providers. A client may succeed in assembling a data set that would
not have been permitted within the context of the authorization
policies of either provider when considered individually. Thus,
providers may face a risk of an attacker obtaining an access that
constitutes an undetected separation of duties (SOD) violation. It
is important to note that this risk is not unique to this
specification, and a similar potential for abuse exists with any
other cyber security information sharing protocol. However, the wide
availability of tools for HTTP clients and Atom feed handling implies
that the resources and technical skills required for a successful
exploit may be less than it was previously. This risk can be best
mitigated through appropriate vetting of the client at account
provisioning time. In addition, any increase in the risk of this
type of abuse should be offset by the corresponding increase in
effectiveness that this specification affords to the defenders.
Field & Banghart Expires December 5, 2016 [Page 18]
Internet-Draft ROLIE June 2016
While it is a goal of this specification to enable more agile cyber
security information sharing across a broader and varying
constituency, there is nothing in this specification that necessarily
requires this type of deployment. A cyber security information
sharing consortium may chose to adopt this specification while
continuing to operate as a gated community with strictly limited
membership.
7. IANA Considerations TODO
TODO.
8. Acknowledgements
The author gratefully acknowledges the valuable contributions of Tom
Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These
individuals provided detailed review comments on earlier drafts, and
many suggestions that have helped to improve this document .
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Authentication", RFC 7235,
DOI 10.17487/RFC7235, June 2014,
<http://www.rfc-editor.org/info/rfc7235>.
[RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
December 2005, <http://www.rfc-editor.org/info/rfc4287>.
[RFC5005] Nottingham, M., "Feed Paging and Archiving", RFC 5005,
DOI 10.17487/RFC5005, September 2007,
<http://www.rfc-editor.org/info/rfc5005>.
[RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
October 2007, <http://www.rfc-editor.org/info/rfc5023>.
Field & Banghart Expires December 5, 2016 [Page 19]
Internet-Draft ROLIE June 2016
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070,
DOI 10.17487/RFC5070, December 2007,
<http://www.rfc-editor.org/info/rfc5070>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, DOI 10.17487/RFC6545, April 2012,
<http://www.rfc-editor.org/info/rfc6545>.
[opensearch]
Clinton, D., "OpenSearch 1.1 draft 5 specification", 2011,
<http://www.opensearch.org/Specifications/OpenSearch/1.1>.
[SAML-core]
Cantor, S., Kemp, J., Philpott, R., and E. Mahler,
"Assertions and Protocols for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard , March 2005,
<http://docs.oasis-open.org/security/saml/v2.0/
saml-core-2.0-os.pdf>.
[SAML-prof]
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Mahler, "Profiles for the OASIS
Security Assertion Markup Language (SAML) V2.0", OASIS
Standard , March 2005, <http://docs.oasis-
open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf>.
[SAML-bind]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Mahler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Standard , March 2005,
<http://docs.oasis-open.org/security/saml/v2.0/
saml-bindings-2.0-os.pdf>.
9.2. Informative References
[XACML] Rissanen, E., "eXtensible Access Control Markup Language
(XACML) Version 3.0", August 2010, <http://docs.oasis-
open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.
[REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000,
<http://www.ics.uci.edu/~fielding/pubs/dissertation/
top.htm>.
Field & Banghart Expires December 5, 2016 [Page 20]
Internet-Draft ROLIE June 2016
[RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546,
DOI 10.17487/RFC6546, April 2012,
<http://www.rfc-editor.org/info/rfc6546>.
9.3. URIs
[1] http://csrc.nist.gov/groups/SNS/rbac/
Appendix A. Change Tracking
Changes since draft-field-mile-rolie-01 version, December, 2015 to
May 27, 2016:
o Spun section 4 and some related contextual information into its
own document see TODO:Add reference
o Recast document into a more general use perspective. The
implication of CSIRTs as the defacto end-user has been removed
where ever possible. All of the original CSIRT based use cases
remain completely supported by this document, it has been opened
up to supported many other use cases.
o Changed the content model to broaden support of representation
o Edited and rewrote much of sections 1,2 and 3 in order to
accomplish a broader scope and greater readability
o Removed any requirements from the Background section and, if not
already stated, placed them in the requirements section
o Re-formatted the requirements section to make it clearer that it
contains the lions-share of the requirements of the specification
Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-
rolie-02 version, August 15, 2013 to December 2, 2015:
o Added section specifying the use of RFC5005 for Archive and Paging
of feeds. See: Section 5.3
o Added section describing use of atom categories that correspond to
IODEF expectation class and impact classes. See: Section 5.4
o Dropped references to adoption of a MILE-specific HTTP media type
parameter.
o Updated IANA Considerations section to clarify that no IANA
actions are required.
Field & Banghart Expires December 5, 2016 [Page 21]
Internet-Draft ROLIE June 2016
Authors' Addresses
John P. Field
Pivotal Software, Inc.
625 Avenue of the Americas
New York, New York
USA
Phone: (646)792-5770
Email: jfield@pivotal.io
Stephen A. Banghart
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland
USA
Phone: (301)975-4288
Email: sab3@nist.gov
Field & Banghart Expires December 5, 2016 [Page 22]