draft-ietf-mile-enum-reference-format-12.txt   draft-ietf-mile-enum-reference-format-13.txt 
INTERNET-DRAFT Adam W. Montville INTERNET-DRAFT Adam W. Montville
Intended Status: Standards Track (CIS) Intended Status: Standards Track (CIS)
Expires: June 27, 2015 David Black Expires: July 18, 2015 David Black
(EMC) (EMC)
December 24, 2014 January 14, 2015
IODEF Enumeration Reference Format IODEF Enumeration Reference Format
draft-ietf-mile-enum-reference-format-12 draft-ietf-mile-enum-reference-format-13
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) is an XML The Incident Object Description Exchange Format (IODEF) is an XML
data representation framework for sharing information about computer data representation framework for sharing information about computer
security incidents. In IODEF, the Reference class provides security incidents. In IODEF, the Reference class provides
references to externally specified information such as a references to externally specified information such as a
vulnerability, IDS alert, malware sample, advisory, or attack vulnerability, Intrusion Detection System (IDS) alert, malware
technique. In practice, these references are based on external sample, advisory, or attack technique. In practice, these references
enumeration specifications that define both the enumeration format are based on external enumeration specifications that define both the
and the specific enumeration values, but the IODEF Reference class enumeration format and the specific enumeration values, but the IODEF
(as specified in IODEF v1 in RFC 5070) does not indicate how to Reference class (as specified in IODEF v1 in RFC 5070) does not
include both of these important pieces of information. indicate how to include both of these important pieces of
information.
This memo establishes a stand-alone data format to include both the This document establishes a stand-alone data format to include both
external specification and specific enumeration identification value, the external specification and specific enumeration identification
and establishes an IANA registry to manage external enumeration value, and establishes an IANA registry to manage external
specifications. While this memo does not update IODEV v1, this enumeration specifications. While this document does not update
enumeration reference format is used in IODEF v2 and is applicable to IODEF v1, this enumeration reference format is used in IODEF v2 and
other formats that support this class of enumeration references. is applicable to other formats that support this class of enumeration
references.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 2, line 4 skipping to change at page 2, line 6
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Copyright and License Notice Copyright and License Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Referencing External Enumerations . . . . . . . . . . . . . . 3 2. Referencing External Enumerations . . . . . . . . . . . . . . 3
3 Security Considerations . . . . . . . . . . . . . . . . . . . . 6 3 Security Considerations . . . . . . . . . . . . . . . . . . . . 6
4 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 4 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
5 The ReferenceName Schema . . . . . . . . . . . . . . . . . . . . 8 5 The ReferenceName Schema . . . . . . . . . . . . . . . . . . . . 9
6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1 Normative References . . . . . . . . . . . . . . . . . . . 9 6.1 Normative References . . . . . . . . . . . . . . . . . . . 9
6.2 Informative References . . . . . . . . . . . . . . . . . . 9 6.2 Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
1 Introduction 1 Introduction
There is an identified need to specify a format to include relevant There is an identified need to specify a format to include relevant
enumeration values from other data representation formats in an IODEF enumeration values from other data representation formats in an IODEF
document. It is anticipated that this requirement will exist in other document. It is anticipated that this requirement will exist in other
standardization efforts within several IETF Working Groups, but the standardization efforts within several IETF Working Groups, but the
scope of this document pertains solely to IODEF. This format is used scope of this document pertains solely to IODEF. This format is used
in IODEF v2 [I-D.draft-ietf-mile-rfc5070-bis] which replaces the in IODEF v2 [I-D.draft-ietf-mile-rfc5070-bis] which replaces the
original IODEF v1 [IODEF] specification. original IODEF v1 [IODEF] specification; this document does not
specify use of this format in IODEF v1 [IODEF].
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Referencing External Enumerations 2. Referencing External Enumerations
The need is to place enumeration identifiers and their enumeration The need is to place enumeration identifiers and their enumeration
format references in IODEF's Reference class. There are several ways format references in IODEF's Reference class. There are several ways
to accomplish this goal, but the most appropriate at this point is to to accomplish this goal, but the most appropriate at this point is to
require a specific structure for the ReferenceName string of the require a specific structure for the ReferenceName string of the
IODEF Reference class, and use an IANA registry to manage references IODEF Reference class, and use an IANA registry to manage references
to specific enumeration reference formats. to specific enumeration reference formats.
Per IODEF [IODEF] the ReferenceName is of type ML_STRING. This Per IODEF [IODEF] the ReferenceName is of type ML_STRING. This
becomes problematic when specific references, especially enumeration becomes problematic when specific references, especially enumeration
formats such as CVE [CVE], CCE [CCE], CPE [CPE] and so on, are formats such as Common Vulnerability Enumeration [CVE], Common
referenced - how is an implementer to know which type of reference Configuration Enumeration [CCE], Common Platform Enumeration [CPE]
this is, and thus how to parse it? One solution, presented here, is and so on, are referenced - how is an implementer to know which type
to require that ReferenceName follow a particular format. of reference this is, and thus how to parse it? One solution,
presented here, is to require that ReferenceName follow a particular
format.
Inclusion of such enumeration values, especially those related to Inclusion of such enumeration values, especially those related to
security automation, is important to incident communication and security automation, is important to incident communication and
investigation. Typically, an enumeration identifier is simply an investigation. Typically, an enumeration identifier is simply an
identifier with a specific format as defined by an external party. identifier with a specific format as defined by an external party.
Further, that enumeration identifier is itself a reference to Further, that enumeration identifier is itself a reference to
specific information associated with the identifier. Thus, the specific information associated with the identifier. Thus, the
ReferenceName is an identifier that is formatted in a specific ReferenceName is an identifier that is formatted in a specific
manner, and which identifies some set of associated information. manner, and which identifies some set of associated information.
skipping to change at page 4, line 28 skipping to change at page 4, line 30
| ReferenceName | | ReferenceName |
+-------------------------+ +-------------------------+
| INTEGER specIndex |<>----------[ ID ] | INTEGER specIndex |<>----------[ ID ]
+-------------------------+ +-------------------------+
Figure 1: The ReferenceName Class Figure 1: The ReferenceName Class
The aggregate classes that constitute ReferenceName: The aggregate classes that constitute ReferenceName:
ID ID
One. ID. Name of the reference. One. The identifier assigned to represent the particular
enumeration object being referenced.
The ReferenceName class has one attribute. The ReferenceName class has one attribute.
specIndex specIndex
Required. INTEGER. Enumeration identifier. This value Required. INTEGER. Enumeration identifier. This value
corresponds to an entry in the "Enumeration Reference Type corresponds to an entry in the "Enumeration Reference Type
Identifiers" IANA registry with an identical SpecIndex value. Identifiers" IANA registry with an identical SpecIndex value.
An example of such a reference is as follows: An example of such a reference is as follows:
<iodef:Reference> <iodef:Reference>
<iodef-enum:ReferenceName specIndex="1"> <enum:ReferenceName specIndex="1">
<iodef-enum:ID>CXI-1234-XYZ</iodef-enum:ID> <enum:ID>CXI-1234-XYZ</enum:ID>
</iodef-enum:ReferenceName> </enum:ReferenceName>
<iodef:URL>http://cxi.example.com</iodef:URL> <iodef:URL>http://cxi.example.com</iodef:URL>
<iodef:Description>Foo</iodef:Description> <iodef:Description>Foo</iodef:Description>
</iodef:Reference> </iodef:Reference>
Information in the IANA table (see Section 4) would include: Information in the IANA table (see Section 4) would include:
Full Name: Concept X Identifier Full Name: Concept X Identifier
SpecIndex: 1 SpecIndex: 1
Version: any Version: any
Specification URI: http://cxi.example.com/spec_url Specification URI: http://cxi.example.com/spec_url
2.2 Reference Method Applicability 2.2 Reference Method Applicability
While the scope of this document pertains to IODEF, it should be While the scope of this document pertains to IODEF, any standard
readily apparent that any standard needing to reference an needing to reference an enumeration identified by a specially
enumeration identified by a specially formatted string can use formatted string can use this method of providing structure after
this method of providing structure after the standard has been the standard has been published. In effect, this method provides
published. In effect, this method provides a standardized a standardized interface for enumeration formats, thus allowing a
interface for enumeration formats, thus allowing a loose coupling loose coupling between a given standard and the enumeration
between a given standard and the enumeration identifiers it needs identifiers it needs to reference now and in the future.
to reference now and in the future.
3 Security Considerations 3 Security Considerations
Producers of IODEF [IODEF] content SHOULD be careful to ensure a Ensuring a proper mapping of enumeration reference ID elements to
proper mapping of enumeration reference ID elements to the correct the correct SpecIndex is important. Potential consequences of not
SpecIndex. Potential consequences of not mapping correctly include mapping correctly include inaccurate information references and
inaccurate information references and similar distribution of similar distribution of misinformation.
misinformation.
Use of enumeration reference IDs from trusted sources SHOULD be Use of enumeration reference IDs from trusted sources are
preferred by implementers to mitigate the risk of receiving and/or preferred to mitigate the risk of receiving and/or providing
providing misinformation. Trust decisions with respect to misinformation. Trust decisions with respect to enumeration
enumeration reference providers are beyond the scope of this reference providers are beyond the scope of this document.
document. However, receiving an IODEF [IODEF] document containing However, receiving an IODEF [IODEF] document containing an unknown
an unknown ReferenceName (i.e. the SpecIndex does not exist in the ReferenceName (i.e. the SpecIndex does not exist in the IANA
IANA table) may indicate a misled or malicious source. table) may indicate a misled or malicious source.
In some cases it might be possible for a third-party to host In some cases it might be possible for a third-party to host
content associated with an enumeration reference ID. In such a content associated with an enumeration reference ID. In such a
circumstance, trust SHOULD extend from the origin of the circumstance, trust extends from the origin of the enumeration
enumeration reference ID to the third-party, effectively making reference ID to the third-party, effectively making the third-
the third-party a trusted third-party in the context of providing party a trusted third-party in the context of providing a
a particular set of enumeration reference IDs. particular set of enumeration reference IDs.
This document is establishing a container for publicly available This document is establishing a container for publicly available
enumeration values to be included in an IODEF [IODEF] document, enumeration values to be included in an IODEF [IODEF] document,
and it is important to note the distinction between the and it is important to note the distinction between the
enumeration value's format and the information conveyed by the enumeration value's format and the information conveyed by the
value itself. While the enumeration value may hold information value itself. While the enumeration value may hold information
deemed to be private by relying parties, the enumeration format is deemed to be private by relying parties, the enumeration format is
likely not subject to privacy concerns. likely not subject to privacy concerns.
However, if the Reference class includes an enumeration value in However, if the Reference class includes an enumeration value in
skipping to change at page 7, line 5 skipping to change at page 6, line 51
protecting IODEF [IODEF] documents in transit and at rest, protecting IODEF [IODEF] documents in transit and at rest,
ensuring proper recipient authentication, data confidence levels, ensuring proper recipient authentication, data confidence levels,
underlying transport security characteristics, and proper use of underlying transport security characteristics, and proper use of
IODEF's restriction attribute. IODEF's restriction attribute.
4 IANA Considerations 4 IANA Considerations
This document specifies an enumeration reference identifier This document specifies an enumeration reference identifier
format. All fields, including abbreviation, are mandatory. format. All fields, including abbreviation, are mandatory.
This memo creates the following registry for IANA to manage: This document creates the following registry for IANA to manage:
Name of the Registry: "Security External Enumeration Registry" Name of the Registry: "Security External Enumeration Registry"
Location of Registry: https://www.iana.org/assignments/sec-ext- Location of Registry: https://www.iana.org/assignments/sec-ext-
enum enum
Fields to record in the registry: Fields to record in the registry:
Full Name: The full name of the enumeration as a string from Full Name: The full name of the enumeration (i.e. the
the printable ASCII character set. referenced specification) as a string from the printable ASCII
character set [RFC0020] with individual embedded spaces
allowed. The ABNF [RFC5234] syntax for this field is:
1*VCHAR *(SP 1*VCHAR)
Abbreviation: An abbreviation may be an acronym - it consists Abbreviation: An abbreviation may be an acronym - it consists
of upper-case characters (at least two, upper-case is used to of upper-case characters (at least two, upper-case is used to
avoid mismatches due to case differences), as specified by this avoid mismatches due to case differences), as specified by this
ABNF [RFC5234] syntax: ABNF [RFC5234] syntax:
ABBREVIATION = 2*UC-ALPHA ; At least two ABBREVIATION = 2*UC-ALPHA ; At least two
UC-ALPHA = %x41-5A ; A-Z UC-ALPHA = %x41-5A ; A-Z
Multiple registrations MAY use the same Abbreviation but Multiple registrations MAY use the same Abbreviation but
MUST have different Versions. MUST have different Versions.
SpecIndex: This is an IANA-assigned positive integer that SpecIndex: This is an IANA-assigned positive integer that
identifies the registration. The first entry added to this identifies the registration. The first entry added to this
registry uses the value 1, and this value is incremented for registry uses the value 1, and this value is incremented for
each subsequent entry added to the registry. each subsequent entry added to the registry.
Version: The version of the enumeration (i.e. the referenced Version: The version of the enumeration (i.e. the referenced
specification) as a free-form string from the printable ASCII specification) as a free-form string from the printable ASCII
character set excepting white space. character set [RFC0020] excepting white space, i.e., from VCHAR
as defined in [RFC5234]. Some of the characters allowed in the
version string are escaped when that string is used in XML
documents (e.g., '<' is represented as &lt;); the registered
version string contains the unescaped ASCII character in all
such cases.
Specification URI/Reference: A list of one or more URIs Specification URI/Reference: A list of one or more URIs
[RFC3986] from which the registered specification can be [RFC3986] from which the registered specification can be
obtained. The registered specification MUST be readily and obtained. The registered specification MUST be readily and
publicly available from that URI. The URI SHOULD be a stable publicly available from that URI. The URI SHOULD be a stable
reference to a specific version of the specification. URIs reference to a specific version of the specification. URIs
that designate the latest version of a specification (which that designate the latest version of a specification (which
changes when a new version appears) SHOULD NOT be used. changes when a new version appears) SHOULD NOT be used.
Initial registry contents: None. Initial registry contents:
Full Name: Common Vulnerabilities and Exposures
Abbreviation: CVE
SpecIndex: 1
Version: 1.0
Specification URI/Reference:
https://nvd.nist.gov/download.cfm#CVE_FEED
Allocation Policy: Specification Required [RFC5226] (which implies Allocation Policy: Specification Required [RFC5226] (which implies
Expert Review [RFC5226]). Expert Review [RFC5226]).
The Designated Expert is expected to consult with the MILE (Managed The Designated Expert is expected to consult with the MILE (Managed
Incident Lightweight Exchange) working group or its successor if any Incident Lightweight Exchange) working group or its successor if any
such WG exists (e.g., via email to the working group's mailing list). such WG exists (e.g., via email to the working group's mailing list).
The Designated Expert is expected to review the request and validate The Designated Expert is expected to review the request and validate
the appropriateness of the enumeration for the attribute. If a the appropriateness of the enumeration for the attribute. This
specification is associated with the request, it MUST be reviewed by review includes review of the specification associated with the
the Designated Expert. request.
The Designated Expert is expected to ensure that the Full Name, The Designated Expert is expected to ensure that the Full Name,
Abbreviation and Version are appropriate and that the information at Abbreviation and Version are appropriate and that the information at
the Specification URI is sufficient to unambiguously parse the Specification URI is sufficient to unambiguously parse
identifiers based on that specification. Additionally, the Designated identifiers based on that specification. Additionally, the Designated
Expert should prefer short Abbreviations over long ones. Expert should prefer short Abbreviations over long ones.
This document uses URNs to describe XML namespaces and XML schemas This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in [RFC3688]. conforming to a registry mechanism described in [RFC3688].
skipping to change at page 8, line 33 skipping to change at page 9, line 4
Registrant Contact : See the "Authors' Addresses" section of this Registrant Contact : See the "Authors' Addresses" section of this
document. document.
XML : None. XML : None.
Registration request for the IODEF enumeration reference format XML Registration request for the IODEF enumeration reference format XML
schema: schema:
URI : urn:ietf:params:xml:schema:iodef-enum-1.0 URI : urn:ietf:params:xml:schema:iodef-enum-1.0
Registrant Contact See the "Authors' Addresses" section of this Registrant Contact See the "Authors' Addresses" section of this
document. document.
XML : See Section 6, "XML Schema", of this document. XML : See Section 5, "The ReferenceName Schema", of this document.
5 The ReferenceName Schema 5 The ReferenceName Schema
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<xs:schema attributeFormDefault="unqualified" <xs:schema attributeFormDefault="unqualified"
elementFormDefault="qualified" elementFormDefault="qualified"
targetNamespace="urn:ietf:params:xml:ns:iodef-enum-1.0" targetNamespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"> xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0">
skipping to change at page 9, line 44 skipping to change at page 10, line 14
[RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", STD 68, RFC 5234, January Syntax Specifications: ABNF", STD 68, RFC 5234, January
2008. 2008.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
6.2 Informative References 6.2 Informative References
[RFC0020] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969.
[I-D.draft-ietf-mile-rfc5070-bis] Danyliw, R., and Stoecker, P., "The [I-D.draft-ietf-mile-rfc5070-bis] Danyliw, R., and Stoecker, P., "The
Incident Object Description Exchange Format v2", draft- Incident Object Description Exchange Format v2", draft-
ietf-mile-rfc5070-bis-10 (work in progress), November ietf-mile-rfc5070-bis-10 (work in progress), November
2014. 2014.
[CCE] http://cce.mitre.org [CCE] http://cce.mitre.org
[CPE] http://cpe.mitre.org [CPE] http://cpe.mitre.org
[CVE] http://cve.mitre.org [CVE] http://cve.mitre.org
 End of changes. 26 change blocks. 
62 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/