draft-ietf-mile-rolie-02.txt   draft-ietf-mile-rolie-03.txt 
MILE Working Group J. Field MILE Working Group J. Field
Internet-Draft Pivotal Internet-Draft Pivotal
Intended status: Informational S. Banghart Intended status: Informational S. Banghart
Expires: December 5, 2016 NIST Expires: January 9, 2017 D. Waltermire
June 3, 2016 NIST
July 8, 2016
Resource-Oriented Lightweight Information Exchange Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-02 draft-ietf-mile-rolie-03
Abstract Abstract
This document defines a resource-oriented approach to cyber security This document defines a resource-oriented approach for security
information sharing. Using this approach, operators may share and automation information publication, discovery, and sharing. Using
exchange representations of cyber security incidents, attack this approach, producers may publish, share and exchange
indicators, software vulnerabilities, and other related information representations of security incidents, attack indicators, software
as Web-addressable resources. Furthermore, consumers and other vulnerabilities, configuration checklists, and other security
stakeholders may access and search this security content as needed, automation information as Web-addressable resources. Furthermore,
establishing a rapid and on-demand information exchange network for consumers and other stakeholders may access and search this security
restricted internal use or public access repositories. This information as needed, establishing a rapid and on-demand information
specification builds on and extends the Atom Publishing Protocol and exchange network for restricted internal use or public access
Atom Syndication Format to transport and share cyber security repositories. This specification extends the Atom Publishing
resource representations. This document leverages the existing Protocol and Atom Syndication Format to transport and share security
representations IODEF and RID where appropriate, and supports related automation resource representations.
cyber security representation standards.
Contributing to this document Contributing to this document
The source for this draft is being maintained in GitHub. Suggested The source for this draft is being maintained in GitHub. Suggested
changes should be submitted as pull requests at changes should be submitted as pull requests at
<https://github.com/CISecurity/ROLIE>. Instructions are on that page <https://github.com/CISecurity/ROLIE>. Instructions are on that page
as well. Editorial changes can be managed in GitHub, but any as well. Editorial changes can be managed in GitHub, but any
substantial issues need to be discussed on the MILE mailing list. substantial issues need to be discussed on the MILE mailing list.
Status of This Memo Status of This Memo
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 5, 2016. This Internet-Draft will expire on January 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Background and Motivation . . . . . . . . . . . . . . . . . . 4 3. XML-related Conventions . . . . . . . . . . . . . . . . . . . 4
3.1. Message-oriented versus Resource-oriented Architecture . 5 3.1. XML Namespaces . . . . . . . . . . . . . . . . . . . . . 4
3.1.1. Message-oriented Architecture . . . . . . . . . . . . 5 3.2. RELAX NG Schema . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Resource-Oriented Architecture . . . . . . . . . . . 6 4. Background and Motivation . . . . . . . . . . . . . . . . . . 5
4. Atom Publication Protocol and Atom Syndication Format TODO . 7 4.1. Message-oriented versus Resource-oriented Architecture . 6
5. Normative Requirements TODO . . . . . . . . . . . . . . . . . 8 4.1.1. Message-oriented Architecture . . . . . . . . . . . . 6
5.1. Atom Requirements . . . . . . . . . . . . . . . . . . . . 8 4.1.2. Resource-Oriented Architecture . . . . . . . . . . . 7
5.2. Transport Layer Security . . . . . . . . . . . . . . . . 8 4.2. Use of the Atom Publishing Protocol . . . . . . . . . . . 8
5.3. Archiving and Paging . . . . . . . . . . . . . . . . . . 8 5. ROLIE Requirements for the Atom Publishing Protocol . . . . . 9
5.4. Expectation and Impact Classes . . . . . . . . . . . . . 8 5.1. AtomPub Service Documents . . . . . . . . . . . . . . . . 9
5.5. User Authentication . . . . . . . . . . . . . . . . . . . 9 5.1.1. Use of the "app:workspace" Element . . . . . . . . . 9
5.6. User Authorization . . . . . . . . . . . . . . . . . . . 9 5.1.2. Use of the "app:collection" Element . . . . . . . . . 10
5.7. Content Model . . . . . . . . . . . . . . . . . . . . . . 9 5.2. Service Discovery . . . . . . . . . . . . . . . . . . . . 11
5.8. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 10 5.3. Transport Layer Security . . . . . . . . . . . . . . . . 11
5.9. Service Discovery . . . . . . . . . . . . . . . . . . . . 11 5.4. User Authentication . . . . . . . . . . . . . . . . . . . 11
5.9.1. Workspaces . . . . . . . . . . . . . . . . . . . . . 11 5.5. User Authorization . . . . . . . . . . . . . . . . . . . 12
5.9.2. Collections . . . . . . . . . . . . . . . . . . . . . 11 5.6. / (forward slash) Resource URL . . . . . . . . . . . . . 12
5.9.3. Service Document Security . . . . . . . . . . . . . . 11 5.7. HTTP methods . . . . . . . . . . . . . . . . . . . . . . 12
5.10. Category Mapping . . . . . . . . . . . . . . . . . . . . 11 6. ROLIE Requirements for the Atom Syndication Format . . . . . 12
5.10.1. Collection Category . . . . . . . . . . . . . . . . 12 6.1. Use of the "atom:feed" element . . . . . . . . . . . . . 13
5.10.2. Entry Category . . . . . . . . . . . . . . . . . . . 12 6.1.1. Use of the "atom:category" Element . . . . . . . . . 13
5.11. Entry ID . . . . . . . . . . . . . . . . . . . . . . . . 12 6.1.2. Use of the "atom:link" Element . . . . . . . . . . . 14
5.12. Entry Content . . . . . . . . . . . . . . . . . . . . . . 13 6.1.3. Use of the "atom:updated" Element . . . . . . . . . . 16
5.13. Link Relations . . . . . . . . . . . . . . . . . . . . . 13 6.2. Use of the "atom:entry" Element . . . . . . . . . . . . 16
5.13.1. Additional Link Relation Requirements . . . . . . . 15 6.2.1. Use of the "atom:content" Element . . . . . . . . . . 16
5.14. Member Entry Forward Security . . . . . . . . . . . . . . 15 6.2.2. Use of the "atom:link" Element . . . . . . . . . . . 17
5.15. Date Mapping . . . . . . . . . . . . . . . . . . . . . . 16 6.2.3. Use of the "rolie:format" Element . . . . . . . . . . 17
5.16. Search . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.17. / (forward slash) Resource URL . . . . . . . . . . . . . 16 6.3. Link Relations . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations TODO . . . . . . . . . . . . . . . . 17 7. Use of OpenSearch . . . . . . . . . . . . . . . . . . . . . . 17
7. IANA Considerations TODO . . . . . . . . . . . . . . . . . . 19 8. Characterizing ROLIE Collections and Resources . . . . . . . 18
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 8.1. Identification of Security Automation Information Types . 18
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8.2. General Use of the "atom:category" Element . . . . . . . 19
9.1. Normative References . . . . . . . . . . . . . . . . . . 19 8.3. Identification of Security Automation Information Formats 20
9.2. Informative References . . . . . . . . . . . . . . . . . 20 9. Formal Syntax for the ROLIE Schema . . . . . . . . . . . . . 20
9.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 21 10. IANA Considerations TODO . . . . . . . . . . . . . . . . . . 20
Appendix A. Change Tracking . . . . . . . . . . . . . . . . . . 21 10.1. XML Namespaces and Schema URNs . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 10.2. ROLIE Parameters . . . . . . . . . . . . . . . . . . . . 21
10.3. Security Resource Information Type Registry . . . . . . 21
11. Security Considerations TODO . . . . . . . . . . . . . . . . 22
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
13.1. Normative References . . . . . . . . . . . . . . . . . . 25
13.2. Informative References . . . . . . . . . . . . . . . . . 26
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Appendix A. Use Case Examples . . . . . . . . . . . . . . . . . 27
A.1. Service Discovery . . . . . . . . . . . . . . . . . . . . 27
A.2. Feed Retrieval . . . . . . . . . . . . . . . . . . . . . 30
A.3. Entry Retrieval . . . . . . . . . . . . . . . . . . . . . 32
A.4. Use Case: Search . . . . . . . . . . . . . . . . . . . . 34
Appendix B. XACML Guidance . . . . . . . . . . . . . . . . . . . 36
Appendix C. Relax NG Schema for ROLIE Extensions . . . . . . . . 38
Appendix D. Change Tracking . . . . . . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
This document defines a resource-oriented approach to cyber security This document defines a resource-oriented approach to security
information sharing that follows the REST (Architectural Styles and t automation information sharing that follows the REST (Architectural S
he Design of Network-based Software Architectures) architectural tyles and the Design of Network-based Software Architectures)
style. In this approach, cyber security resources are maintained in architectural style. In this approach, computer security resources
web-accessible repositories structured as Atom Syndication Format are maintained in web-accessible repositories structured as Atom
[RFC4287] feeds. Representations of content are categorized and Syndication Format [RFC4287] feeds. Representations of specific
organized into indexed collections, which are requested by the types of security automation information are categorized and
organized into indexed collections, which may be requested by the
consumer. As the set of resource collections are forward facing, the consumer. As the set of resource collections are forward facing, the
consumer may search all available content for which they are consumer may search all available content for which they are
authorized to view and request that which is desired. Granular authorized to view, and request the information resources which are
authentication and access controls permit only authorized consumers desired. Through use of granular authentication and access controls,
the ability to view, read, or write to a given feed. This approach only authorized consumers may be permitted the ability to read or
is in contrast to, and meant to improve on, the traditional point-to- write to a given feed. This approach is in contrast to, and meant to
point messaging system, in which consumers must request individual improve on, the traditional point-to-point messaging system, in which
pieces of information from a server following a triggering event. consumers must request individual pieces of information from a server
This traditional approach creates a closed system of information following a triggering event. The point-to-point approach creates a
sharing that encourages duplication of efforts and hinders automated closed system of information sharing that encourages duplication of
cyber security systems. effort and hinders automated security systems.
The goal of this document is to define the RESTful approach to cyber
security communication with the intent of increasing communication
and sharing of incident reports, vulnerability assessments, and other
security content between producers, operators, and consumers.
In order to exchange information as web-addressable resources, the The goal of this document is to define a RESTful approach to security
resource representations leverage the existing IODEF [RFC5070] and information communication with two primary intents: 1) increasing
RID [RFC6545] specifications and other representation standards as communication and sharing of incident reports, vulnerability
appropriate. The transport protocol binding is specified as HTTP(S) assessments, configuration checklists, and other security automation
with a media type of Atom+XML. An appropriate set of link relation information between providers and consumers; and 2) establishing a
types specific to cyber security information sharing is defined. standardized communication system to support automated computer
security systems.
Coexistence with deployments that conform to existing specifications In order to deal with the great variety in security automation
including RID [RFC6545] and Transport of Real-time Inter-network information types and associated resource representations, this
Defense (RID) Messages over HTTP/TLS [RFC6546] is supported via specification defines extension points that can be used to add
appropriate use of HTTP status codes. support for new information types and associated resource
representations by means of additional supplementary specification
documents. This primary document is resource representation
agnostic, and defines the core requirements of all implementations.
Those seeking to provide support for specific security automation
information types should refer to the specification for that format
described by the IANA registry found in section 10.3.
2. Terminology 2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of terminology used in this document can be found in Section 2 of
[RFC5070]. [RFC5070].
3. Background and Motivation 3. XML-related Conventions
It is well known that the field of threats to computer security is 3.1. XML Namespaces
evolving ever more rapidly as time goes on. As software increases in
complexity, the number of vulnerabilities in our systems and networks This specification uses XML Namespaces [W3C.REC-xml-names-20091208]
increase exponentially. Threat actors looking to exploit these to uniquely identify XML element names. It uses the following
namespace prefix mappings for the indicated namespace URI:
"app" is used for the "http://www.w3.org/2007/app" namespace
defined in [RFC5023].
"atom" is used for the "http://www.w3.org/2005/Atom" namespace
defined in [RFC4287].
"rolie" is used for the "urn:ietf:params:xml:ns:rolie:1.0"
namespace defined in section 10.1 of this specification.
3.2. RELAX NG Schema
Some sections of this specification are illustrated with fragments of
a non-normative RELAX NG Compact schema [relax-NG]. However, the
text of this specification provides the definition of conformance.
Complete schemas appear for the "urn:ietf:params:xml:ns:rolie-1.0"
namespace in appendix C. Schema for the "http://www.w3.org/2007/app"
and "http://www.w3.org/2005/Atom" namespaces appear in RFC5023
appendix B [RFC5023] and RFC4287 appendix B [RFC4287] respectively.
4. Background and Motivation
It is well known thatthreats to computer security are evolving ever
more rapidly as time goes on. As software increases in complexity,
the number of vulnerabilities in systems and networks can increase
exponentially. Threat actors looking to exploit these
vulnerabilities are making more frequent and more widely distributed vulnerabilities are making more frequent and more widely distributed
attacks across a large variety of systems. The adoption of liberal attacks across a large variety of systems. The adoption of liberal
information sharing amongst attackers creates a window of as little information sharing amongst attackers creates a window of as little
as a few hours between the discovery of a vulnerability and attacks as a few hours between the discovery of a vulnerability and attacks
on the vulnerable system. As the skills and knowledge required to on a vulnerable system. As the skills and knowledge required to
identify and combat these attacks become more and more specialized, identify and combat these attacks become more and more specialized,
even a well established and secure system may find itself unable to even a well established and secure system may find itself unable to
quickly respond to an incident. Effective identification of and quickly respond to an incident. Effective identification of and
response to a sophisticated attack requires open cooperation and response to a sophisticated attack requires open cooperation and
collaboration between defending operators, software vendors, and even collaboration between defending operators, software vendors, and end-
end-users. users. To improve the timeliness of responses, automation must be
used to acquire, contextualize, and put to use shared computer
security information.
Existing approaches to cyber security information sharing are based Existing approaches to computer security information sharing often
upon message exchange patterns that are point-to-point, and event- use message exchange patterns that are point-to-point, and event-
driven. Sometimes, information that may be useful to, and sharable driven. Sometimes, information that may be useful to share with
with multiple peers is only made available to peers after they have multiple peers is only made available to peers after they have
specifically requested it. Unfortunately, a sharing peer may not specifically requested it. Unfortunately, a sharing peer may not
know, a priori, what information to request from another peer. know, a priori, what information to request from another peer. Some
Sending unsolicited RID reports does provide a mechanism for exsisting systems provide a mechanism for unsolicited information
alerting, however these reports are again sent point-to-point, and requests, however these reports are again sent point-to-point, and
must be reviewed for relevance and then prioritized for action by the must be reviewed for relevance and then prioritized for action by the
recipient. Thus, distribution of some relevant incident and recipient, introducing additional latency.
indicator information may exhibit significant latency.
In order to adequately combat the evolving threats, computer security In order to adequately combat evolving threats, computer security
resource producers should be enabled to share selected information information resource providers should be enabled to share selected
proactively as appropriate. Proactive sharing greatly aids knowledge information proactively as appropriate. Proactive sharing greatly
dissemination as well as improving on response times and usability. aids knowledge dissemination, and improves response times and
usability.
For example, a cyber security analyst would benefit by having the For example, a security analyst can benefit by having the ability to
ability to search a comprehensive collection of attack indicators search a comprehensive collection of attack indicators that have been
that have been published by a government agency, or by another member published by a government agency, or by another member of a sharing
of a sharing consortium. The representation of each indicator may consortium. The representation of each indicator may include links
include links to the related resources, enabling an appropriately to the related resources, enabling an appropriately authenticated and
authenticated and authorized analyst to freely navigate the authorized analyst to freely navigate the information space of
information space of indicators, incidents, vulnerabilities, and indicators, incidents, vulnerabilities, and other computer security
other cyber security domain concepts, as needed. In general, a more domain concepts as needed. In this way, an analyst can more
Web-centric sharing approach will enable a more dynamic and agile effectively utilize the super set of information made publicly
collaboration amongst a broader, and varying constituency. available.
The following sections discuss additional specific technical issues Consider also the case of an automated endpoint management system
that motivate the development of an alternative approach. attempting to proactively prevent software flaws from compromising
the security of the affected systems. During its full network sweep,
the endpoint monitoring system would check each endpoint for outdated
or vulnerable software. This system would benefit from having access
to not only the software vendor's list of vulnerabilities, but also
vulnerabilities discovered by other vulnerability researchers. An
advanced system could even give back to this sharing consortium by
sharing any vulnerabilities that it discovers. The natural
conclusion of such a sharing network is an automated security
solution that can dynamically find and collect information from a
globally distributed web of information repositories.
3.1. Message-oriented versus Resource-oriented Architecture The following section discusses additional specific technical issues
that motivated the development of this alternative approach.
The existing approaches to cyber security information sharing are 4.1. Message-oriented versus Resource-oriented Architecture
The existing approaches to computer security information sharing are
based upon message-oriented interactions. The following paragraphs based upon message-oriented interactions. The following paragraphs
explore some of the architectural constraints associated with explore some of the architectural constraints associated with
message-oriented interactions and consider the relative merits of an message-oriented interactions and consider the relative merits of an
alternative model based on a Resource-oriented architecture for use alternative model based on a resource-oriented architecture for use
in some use case scenarios. in some use case scenarios.
ROLIE specifies a resource-oriented architecture. ROLIE specifies a resource-oriented architecture that attempts to
address the issues present in a message-oriented architecture.
3.1.1. Message-oriented Architecture 4.1.1. Message-oriented Architecture
In general, message-based integration architectures may be based upon In general, message-based integration architectures may be based upon
either an RPC-style or a document-style binding. The message types either an RPC-style or a document-style binding. The message types
defined by RID represent an example of an RPC-style request. This defined by Real-time Inter-network Defense (RID) [RFC6545] represents
approach imposes implied requirements for conversational state an example of an RPC-style request. This approach imposes implied
management on both of the communicating RID endpoint(s). Experience requirements for conversational state management on both of the
has shown that this state management frequently becomes the limiting communicating RID endpoint(s). Experience has shown that this state
factor with respect to the runtime scalability of an RPC-style management frequently becomes the limiting factor with respect to the
architecture. runtime scalability of an RPC-style architecture.
In addition, the practical scalability of a peer-to-peer message- In addition, the practical scalability of a peer-to-peer message-
based approach will be limited by the administrative procedures based approach will be limited by the administrative procedures
required to manage O(N^2) trust relationships and at least O(N) required to manage O(N^2) trust relationships and at least O(N)
policy groups. policy groups.
As long as the number of participating entities in an information As long as the number of participating entities in an information
sharing consortium is limited to a relatively small number of nodes sharing consortium is limited to a relatively small number of nodes
(i.e., O(2^N), where N < 5), these scalability constraints may not (i.e., O(2^N), where N < 5), these scalability constraints may not
represent a critical concern. However, when there is a requirement represent a critical concern. However, when there is a requirement
to support a significantly larger number of participating peers, a to support a significantly larger number of participating peers, a
different architectural approach will be required. One alternative different architectural approach will be required. Towards the goal
to the message-based approach that has demonstrated scalability is to create a large-scale network of entities sharing information, this
the REST [REST] architectural style. traditional architecture only creates small and isolated groupings of
sharing, encouraging effort duplication between these sharing
islands. One alternative to the message-based approach that has
demonstrated scalability and a high degree of connectedness is the
REST [REST] architectural style.
3.1.2. Resource-Oriented Architecture 4.1.2. Resource-Oriented Architecture
Applying the REST architectural style to the problem domain of cyber Applying the REST architectural style to the problem domain of
security information sharing would take the approach of exposing security information sharing involves exposing information in any
incidents, indicators, and any other relevant types as simple Web- relevant type as simple Web-addressable resources. Each provider
addressable resources. By using this approach, an organization can maintains their own repository of data, with public and private
more quickly and easily share relevant incident and indicator sections as needed. Any producer or consumer can then discover these
information with a much larger and potentially more diverse repositories, search for relevant feeds, and pull information from
constituency. A consumer may leverage virtually any available HTTP them. By using this approach, an organization can more quickly and
user agent in order to make requests of the service provider. This easily share relevant data representations with a much larger and
improved ease of use could enable more rapid adoption and broader potentially more diverse constituency. A consumer may leverage
participation, thereby improving security for everyone. virtually any available HTTP user agent in order to make requests of
the service provider. This improved ease of use enables more rapid
adoption and broader participation, thereby improving security for
everyone.
A key interoperability aspect of any RESTful Web service will be the A key aspect of any RESTful Web service is the ability provide
choices regarding the available resource representations. For multiple resource representations. For example, clients may request
example, clients may request that a given resource representation be that a given resource representation be returned as XML, JSON, or in
returned as either XML or JSON. In order to enable back- some other format. In order to enable backwards-compatibility and
compatibility and interoperability with existing implementations, interoperability with existing implementations, the RESTful approach
IODEF [RFC5070] is specified for this transport binding as a allows the provider to make differing formats available proactively,
mandatory to implement (MTI) data representation for incident and allowing the consumer to simply select the version that best suits
indicator resources. In addition to the REQUIRED representation, an them.
implementation MAY support additional representations if and as
needed such as IODEF extensions, the RID schema, or other schemas.
For example, an implementation may choose to provide support for
returning a JSON representation of an incident resource.
Finally, an important principle of the REST architectural style is Finally, an important principle of the REST architectural style is
the use of hypertext links as the embodiment of application state the focus on hypermedia as the engine of application state (HATEOAS).
(HATEOAS). Rather than the server maintaining conversational state
for each client context, the server will instead include a suitable
set of hyperlinks in the resource representation that is returned to
the client. In this way, the server remains stateless with respect
to a series of client requests. The included hyperlinks provide the
client with a specific set of permitted state transitions. Using
these links the client may perform an operation, such as updating or
deleting the resource representation. The client may also be
provided with hypertext links that can be used to navigate to any
related resource. For example, the resource representation for an
incident object may contain links to the related indicator
resource(s).
This document specifies the use of Atom Syndication Format [RFC4287] Rather than the server maintaining conversational state for each
and Atom Publishing Protocol [RFC5023] as the mechanism for client, the server will instead include a suitable set of hyperlinks
representing the required hypertext links. in the resource representation that is returned to the client. The
included hyperlinks provide the client with a specific set of
permitted state transitions. Using these links the client may
perform an operation, such as updating or deleting the resource
representation. The client may also be provided with hypertext links
that can be used to navigate to any related resource. For example,
the resource representation for an incident object may contain links
to the related indicator resource(s). In this way, the server
remains stateless with respect to a series of client requests.
3.1.2.1. A Resource-Oriented Use Case: "Mashup" 4.1.2.1. A Resource-Oriented Use Case: "Mashup"
In this section we consider a non-normative example use case scenario In this section we consider an example scenario for creating a
for creating a cyber security "mashup". computer security "mashup".
Any operator can authorize any or all members of the sharing A producer creates and maintains a feed of information on threat
community to quickly and easily navigate through any of the cyber actors, whilst another creates and maintains a feed of attack
security information that that provider is willing to share. An indicators. Each has authorized a large consortium of security
analyst may then make HTTP(S) requests to collect vulnerability analysts to access these feeds as they see fit. Any one of these
information known at one producer and threat actor data being made analysts can then make HTTP(s) requests to the servers to collect
available from another producer. The resulting correlations may sets of information from each provider. The resulting correlations
yield new insights that enable a more timely and effective defensive may yield new insights that enable a more timely and effective
response. Of course, this report may, in turn, be made available to defensive response. Of course, this report may, in turn, be made
others as a new Web-addressable resource, reachable via another URL. available to others as a new Web-addressable resource, reachable via
By employing the RESTful Web service approach the effectiveness of another URL. By exposing information using the RESTful approach in
the collaboration amongst a consortium of cyber security stakeholders this way, the effectiveness of the collaboration amongst a consortium
can be greatly improved. of cyber security stakeholders can be greatly improved.
4. Atom Publication Protocol and Atom Syndication Format TODO 4.2. Use of the Atom Publishing Protocol
As described in Atom Publishing Protocol [RFC5023], an Atom Service This specification defines a profile of the Atom Publishing Protocol
Document is an XML-based document format that allows a client to (AtomPub) [RFC5023] and Atom Syndication Format [RFC4287] providing
dynamically discover the collections provided by a publisher. implementation requirements for a security information sharing
solution as a RESTful Web service.
As described in Atom Syndication Format [RFC4287], Atom is an XML- This document assumes that the reader has an understanding of both
based document format that describes lists of related information the AtomPub and Atom Syndication Format specifications.
items known as collections, or "feeds". Each feed document contains
a collection of zero or more related information items called "member
entries" or "entries".
When applied to the problem domain of cyber security information The following two sections of this document provide requirements for
sharing, an Atom feed may be used to represent any meaningful using the Atom Syndication Format and AtomPub as a RESTful binding
collection of information resources such as a set of incidents, or for security automation information sharing.
indicators. Each entry in a feed could then represent an individual
incident, or indicator, or some other resource, as appropriate.
Additional feeds could be used to represent other meaningful and
useful collections of cyber security resources. A feed may be
categorized, and any feed may contain information from zero or more
categories. The naming scheme and the semantic meaning of the terms
used to identify an Atom category are application-defined.
This document assumes that the reader has an understanding of both 5. ROLIE Requirements for the Atom Publishing Protocol
Atom documents. Further discussion of Atom's application to this
domain a well of examples of its use are provided in the BCG
document.
5. Normative Requirements TODO This section describes a number of restrictions of and extensions to
the Atom Publishing Protocol (AtomPub) [RFC5023] that define the use
of that protocol in the context of a ROLIE-based solution.
This section provides the NORMATIVE requirements for using Atom 5.1. AtomPub Service Documents
format and Atom Pub as a RESTful binding for cyber security
information sharing.
5.1. Atom Requirements As described in RFC5023 section 8 [RFC5023], a Service Document is an
XML-based document format that allows a client to dynamically
discover the collections provided by a publisher. A Service Document
consists of one or more app:workspace elements that may each contain
a number of app:collection elements.
Implementations of this specification MUST implement all requirements The general structure of a service document is as follows (from
specified in Atom Publishing Protocol and the Atom Syndication RFC5023 section 4.2 [RFC5023]):
Format. (TODO: work on a more normative and perhaps constrained
requirement.)
5.2. Transport Layer Security Service
o- Workspace
| |
| o- Collection
| |
| o- IRI, categories, media types
|
o- Workspace
|
o- Collection
|
o- IRI, categories, media types
Implementations MUST support server-authenticated TLS. 5.1.1. Use of the "app:workspace" Element
Implementations MAY support mutually authenticated TLS. In AtomPub, a Workspace, represented by the "app:workspace" element,
describes a group of one or more Collections. Building on the
AtomPub concept of a Workspace, in ROLIE a Workspace represents an
aggregation of Collections pertaining to security automation
information resources. This specification does not impose any
restrictions on the number of Workspaces that may be in a Service
Document or the specific Collections to be provided within a given
Workspace.
5.3. Archiving and Paging The following restrictions are imposed on the use of the
app:workspace element in ROLIE:
A feed can contain an arbitrary number of entries. In some cases, o A ROLE repository can host Collections containing both public and
the complete response to a given query may consist of a logical private information entries. It is RECOMMENDED that public and
result set that contains a large number of entries. As a practical private collections be segregated into different Workspaces. By
matter, the full result set will likely need to be divided into more doing this, Workspaces that contain private information can be
manageable portions. For example, a query may produce a full result ignored by clients.
set that may need to be grouped into logical pages, for purposes of
rendering on a user interface.
An historical feed may need to be stable, and/or divided into some o Appropriate descriptions and naming conventions SHOULD be used to
defined epochs. Implementations SHOULD support the mechanisms indicate the intended audience of each workspace. This helps to
described in Feed Paging and Archiving [RFC5005] to provide facilitate the selection of appropriate Workspaces by clients.
capabilities for paging and archiving of feeds.
5.4. Expectation and Impact Classes o An implementation can provide any number of Collections within a
given Workspace. It is RECOMMENDED that each collection appear in
only a single Workspace. This helps to reduce the number of
duplicate collections that need to be examined to discover
information that is relevant to a given client.
It is frequently the case that an organization will need to triage 5.1.2. Use of the "app:collection" Element
their investigation and response activities based upon, e.g., the
state of the current threat environment, or simply as a result of
having limited resources.
In order to enable operators to effectively prioritize their response In AtomPub, a Collection in a Service Document, represented by the
activity, it is RECOMMENDED that feed implementers provide Atom "app:collection" element, provides metadata that can be used to point
categories that correspond to the IODEF Expectation and Impact to a specific Atom Feed that contains information Entries that may be
classes. The availability of these feed categories will enable of interest to a client. The association between a Collection and a
clients to more easily retrieve and prioritize cyber security Feed is provided by the "href" attribute of the app:collection
information that has already been identified as having a specific element. Building on the AtomPub concept of a Collection, in ROLIE a
potential impact, or having a specific expectation. Collection represents a pointer to a group of security automation
information resources pertaining to a given type of security
automation information. Collections are represented as Atom feeds as
per RFC 5023. Feed specific requirements are defined in section 6.1.
Support for these categories may also enable efficiencies for The following restrictions are imposed on the use of the
organizations that already have established (or plan to establish) app:collection element for ROLIE:
operational processes and workflows that are based on these IODEF
classes.
5.5. User Authentication o The atom:category elements contained in the app:categories element
MUST be the same set of atom:categories used in the Atom Feed
indicated by the app:collection "href" attribute value. This
ensures that the category metadata associated with the Feed is
discoverable in the corresponding Collection in the Service
Document.
o An app:collection pertaining to a security automation information
resource Feed MUST contain an app:categories element that
minimally contains a single atom:category element with the
"scheme" attribute value of "urn:ietf:params:rolie:information-
type". This category MUST have an appropriate "term" attribute
value as defined in section 8.2. This ensures that a given
Collection corresponds to a specific type of security automation
information.
o Any app:collection element that does not contain a descendant
atom:category element with the "scheme" attribute value of
"urn:ietf:params:rolie:information-type" MUST be considered a non-
ROLIE Collection. This allows Collections pertaining to security
automation information to co-exist alongside Collections of other
non-ROLIE information within the same AtomPub instance.
o The app:categories element in an app:collection may include
additional atom:category elements using a scheme other than
"urn:ietf:params:rolie:information-type". This allows other
category metadata to be included.
5.2. Service Discovery
This specification requires that an implementation MUST publish an
Atom Service Document that describes the set of security information
sharing collections that are provided by the repository.
The service document SHOULD be discoverable via the organization's
Web home page or another well-known public resource. An example of
this can be found in appendix A.1.
The service document SHOULD (TODO: MUST?) be located at the
standardized location "https://{host:port}/rolie/servicedocument",
where {host:port} is the authority portion of the URI. Dereferencing
this URI MAY result in a redirect based on a HTTP 3xx status code to
direct the client to the actual service document. This allows
clients to have a well-known location to find a ROLIE service
document, while giving implmentations flexibility over how the
service is deployed.
When deploying a service document for use by a closed consortium, the
service document MAY also be digitally signed and/or encrypted.
5.3. Transport Layer Security
Implementations MUST support server-authenticated TLS.
Implementations MAY support mutually authenticated TLS.
Implementations MAY support client authenticated TLS.
5.4. User Authentication
Implementations MUST support user authentication. User Implementations MUST support user authentication. User
authentication MAY be enabled for specific feeds. authentication MAY be enabled for specific feeds.
Implementations MAY support more than one client authentication Implementations MAY support more than one client authentication
method. method.
Servers participating in an information sharing consortium and Servers participating in an information sharing consortium and
supporting interactive user logins by members of the consortium supporting interactive user logins by members of the consortium
SHOULD support client authentication via a federated identity scheme SHOULD support client authentication via a federated identity scheme
as per SAML 2.0. as per SAML 2.0.
Implementations MAY support client authenticated TLS. 5.5. User Authorization
5.6. User Authorization
This document does not mandate the use of any specific user This document does not mandate the use of any specific user
authorization mechanisms. However, service implementers SHOULD authorization mechanisms. However, service implementers SHOULD
provide appropriate authorization checking for all resource accesses, provide appropriate authorization checking for all resource accesses,
including individual Atom Entries, Atom Feeds, and Atom Service including individual Atom Entries, Atom Feeds, and Atom Service
Documents. Documents.
Authorization for a resource MAY be adjudicated based on the value(s) Authorization for a resource MAY be adjudicated based on the value(s)
of the associated Atom <category> element(s). of the associated Atom <category> element(s).
When the content model for the Atom <content> element of an Atom 5.6. / (forward slash) Resource URL
Entry contains an <IODEF-Document>, then authorization MUST be
adjudicated based upon the Atom <category> element(s), whose values
have been mapped as per Section 5.10.
Any use of the <category> element(s) as an input to an authorization The "/" resource MAY be provided for compatibility with existing
policy decision MUST include both the "scheme" and "term" attributes deployments that are using Transport of Real-time Inter-network
contained therein. As described in Section 5.10 below, the namespace Defense (RID) Messages over HTTP/TLS [RFC6546]. Consistent with
of the "term" attribute is scoped by the associated "scheme" RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP
attribute. status code 405 Method Not Allowed. An implementation MAY provide
full support for RFC6546 such that a POST to "/" containing a
recognized RID message type just works. Alternatively, a client
requesting a POST to "/" MAY receive an HTTP status code 307
Temporary Redirect. In this case, the location header in the HTTP
response will provide the URL of the appropriate RID endpoint, and
the client may repeat the POST method at the indicated location.
This resource could also leverage the new draft by reschke that
proposes HTTP status code 308 (cf: draft-reschke-http-status-
308-07.txt). TODO
5.7. Content Model 5.7. HTTP methods
Member entry resources providing a representation of an incident Clients MUST be capable of recognizing and processing any standard
resource (e.g., as specified in the link relation type) MUST use the HTTP status code, as defined in [RFC5023] Section 5
IODEF schema as the content model for the Atom Entry <content>
element.
Member Entry resources providing a representation of an indicator 6. ROLIE Requirements for the Atom Syndication Format
resource (e.g., as specified in the link relation type) MUST use the
IODEF schema as the content model for the Atom Entry <content>
element.
The resource representation MAY include an appropriate indicator This section describes a number of restrictions of and extensions to
schema type within the <AdditionalData> element of the IODEF Incident the Atom Syndication Format [RFC4287] that define the use of that
class. Supported indicator schema types SHALL be registered via an format in the context of a ROLIE-based solution.
IANA table (todo: IANA registration/review).
Member Entry resources providing a representation of a RID report 6.1. Use of the "atom:feed" element
resource (e.g., as specified in the link relation type) MUST use the
RID schema as the content model for the Atom Entry <content> element.
Member Entry resources providing representation of other types, As described in RFC4287 section 4.1.1 [RFC4287], an Atom Feed is an
SHOULD use the schema appropriate for their data category as the XML-based document format that describes a list of related
content model for the Atom Entry <content> element. These data information items, also known as a collection. Each Feed document,
categories SHALL be registered via an IANA table. represented using the atom:feed element, contains a collection of
zero or more related information items individually called a "member
entry" or "entry".
The <content> element of the Atom entry MUST contain an appropriate When applied to the problem domain of security automation information
XML namespace declaration. sharing, an Atom Feed may be used to represent any meaningful
collection of security automation information resources including a
set of configuration checklists or software vulnerabilities. Each
entry in an atom:feed represents an individual resource, such as a
specific checklist or software vulnerability record. Additional
Feeds can be used to represent collections of other meaningful and
useful security automation resources.
5.8. HTTP methods This Atom feed definition represents a stricter definition of the
Atom entry element. Any element not specified here inherits its
definition and requirements from RFC 4287.
The following table defines the HTTP [RFC7235] uniform interface atomFeed =
methods supported by this specification: element atom:feed {
atomCommonAttributes,
(atomAuthor*
& atomCategory+
& atomContributor*
& atomGenerator?
& atomIcon?
& atomId
& atomLink*
& atomLogo?
& atomRights?
& atomSubtitle?
& atomTitle
& atomUpdated
& extensionElement*),
atomEntry*
}
+--------+----------------------------------------------------------+ 6.1.1. Use of the "atom:category" Element
| HTTP | Description |
| method | |
+--------+----------------------------------------------------------+
| GET | Returns a representation of an individual member entry |
| | resource, or a feed collection. |
| PUT | Replaces the current representation of the specified |
| | member entry resource with the representation provided |
| | in the HTTP request body. |
| POST | Creates a new instance of a member entry resource. The |
| | representation of the new resource is provided in the |
| | HTTP request body. |
| DELETE | Removes the indicated member entry resource, or feed |
| | collection. |
| HEAD | Returns metadata about the member entry resource, or |
| | feed collection, contained in HTTP response headers. |
| PATCH | Support TBD. |
+--------+----------------------------------------------------------+
Table 1: Uniform Interface for Resource-Oriented Lightweight An atom:feed may be categorized and may contain information from zero
Indicator Exchange or more categories. In Atom the naming scheme and the semantic
meaning of the terms used to identify an Atom category are
application-defined.
Clients MUST be capable of recognizing and prepared to process any The following restrictions are imposed on the use of the
standard HTTP status code, as defined in [RFC7235] atom:category element when used in a ROLIE atom:feed:
5.9. Service Discovery o An atom:feed element MUST minimally contain a single atom:category
element with the "scheme" attribute value of
"urn:ietf:params:rolie:information-type". This category MUST have
an appropriate "term" attribute value as defined in section 8.2.
This ensures that a given Collection corresponds to a specific
type of security automation information. All member entries in
the collection MUST represent security automation information
records of this information type.
This specification requires that a implementation MUST publish an o Any atom:feed element that does not contain a child atom:category
Atom Service Document that describes the set of cyber security element with the "scheme" attribute value of
information sharing feeds that are provided. "urn:ietf:params:rolie:information-type" MUST NOT be considered a
ROLIE Collection. This allows Feeds pertaining to security
automation information to co-exist alongside Feeds of other non-
ROLIE information within the same AtomPub instance.
The service document SHOULD be discoverable via the organization's o An atom:feed may include additional atom:category elements using a
Web home page or another well-known public resource. scheme other than "urn:ietf:params:rolie:information-type". This
allows other category metadata to be included.
5.9.1. Workspaces 6.1.2. Use of the "atom:link" Element
The service document MAY include multiple workspaces. Any producer Link relations defined by the atom:link element are used to represent
providing both public feeds and private consortium feeds MUST place state transitions using a stateless approach. In Atom a type of link
these different classes of feeds into different workspaces, and relationship can be defined using the "rel" attribute. The following
provide appropriate descriptions and naming conventions to indicate are link relations that provide state transitions related to a ROLIE
the intended audience of each workspace. Atom feed.
5.9.2. Collections o "service" - Indicates that the href value of the link identifies a
resource IRI that can be used to retrieve an Atom Service Document
associated with the feed. A feed MUST include one or more links
with rel="service" to point to the service document(s) that are
associated with the feed. The "service" link relationship type is
defined in the IANA Link Relations Registry [1].
An implementation MAY provide any number of collections within a o "search" - Indicates that the href value of the link identifies a
given Workspace. It is RECOMMENDED that each collection appear in resource IRI that can be used to search through the containing
only a single Workspace. It is RECOMMENDED that at least one feed and related resources. A feed MAY include one or more links
collection be provided that accepts new incident reports from users. with rel="search" to point TBD. The "search" link relationship
At least one collection MUST provide a feed of incident information type is defined in the IANA Link Relations Registry [2].
for which the content model for the entries uses the IODEF schema.
The title of this collection SHOULD be "Incidents".
5.9.3. Service Document Security An atom:feed MAY include additional link relationships not specified
in this document. If a client encounters an unknown link
relationship type, the client MUST ignore the unrecognized link and
continue processing the remaining resource representation as if the
unrecognized link element did not appear.
Access to the service document MUST be protected via server- The Feed Paging and Archiving [RFC5005] Atom extension provides
authenticated TLS and a server-side certificate. capabilities for paging and archiving of feeds.
When deploying a service document for use by a closed consortium, the A atom:feed can contain an arbitrary number of entries. In some
service document MAY also be digitally signed and/or encrypted, using cases, a complete feed may consist of a large number of entries.
XML DigSig and/or XML Encryption, respectively. Additionally, as new and updated entries are ordered at the beginning
of a feed, a client may only be interested in retriving the first X
entries in a feed to process only the entries that have changed since
the last access to a ROLIE repository feed. As a practical matter,
the full result set will likely need to be divided into more
manageable portions. Based on RFC5005 section 3 [RFC5005], the links
SHOULD be included in all feeds to support paging using the following
link relation types:
5.10. Category Mapping o "first" - Indicates that the href value of the link identifies a
resource IRI for the furthest preceding page of the feed.
This section defines normative requirements for mapping IODEF o "last" - Indicates that the href value of the link identifies a
metadata to corresponding Atom category elements. (todo: decide resource IRI for the furthest following page of the feed.
between IANA registration of scheme, or use a full URI).
5.10.1. Collection Category o "previous" - Indicates that the href value of the link identifies
a resource IRI for the immediately preceeding page of the feed.
An Atom collection MAY hold entries from one or more categories. The o "next" - Indicates that the href value of the link identifies a
collection category set MUST contain at least the union of all the resource IRI for the immediately following page of the feed.
member entry categories. A collection MAY have additional category
metadata that are unique to the collection, and not applicable to any
individual member entry. A collection containing IODEF incident
content MUST contain at least two <category> elements. One category
MUST be specified with the value of the "scheme" attribute as
"restriction". One category MUST be specified with the value of the
"scheme" attribute as "purpose". The value of the "fixed" attribute
for both of these category elements MUST be "yes". When the category
scheme="restriction", the allowable values for the "term" attribute
are constrained as per section 3.2 of IODEF, e.g. public, need-to-
know, private, default. When the category scheme="purpose", the
allowable values for the "term" attribute are constrained as per
section 3.2 of IODEF, e.g. traceback, mitigation, reporting, other.
5.10.2. Entry Category For example:
An Atom entry containing IODEF content MUST contain at least two <?xml version="1.0" encoding="UTF-8"?>
<category> elements. One category MUST be specified with the value <feed xmlns="http://www.w3.org/2005/Atom">
of the "scheme" attribute as "restriction". One category MUST be <title>Paged Feed</title>
specified with the value of the "scheme" attribute as "purpose". <link rel="self" href="http://example.org/feedA?page=5"/>
When the category scheme="restriction", the value of the "term" <link rel="first" href="http://example.org/feedA?page=1"/>
attribute must be exactly one of ( public, need-to-know, private, <link rel="prev" href="http://example.org/feedA?page=4"/>
default). When the category scheme="purpose", the value of the <link rel="next" href="http://example.org/feedA?page=6"/>
"term" attribute must be exactly one of (traceback, mitigation, <link rel="last" href="http://example.org/feedA?page=10"/>
reporting, other). When the purpose is "other".... <updated>2012-05-04T18:13:51.0Z</updated>
Any member entry MAY have any number of additional categories. <!-- remainder of feed elements -->
</feed>
5.11. Entry ID Example Paged Feed
The ID element for an Atom entry SHOULD be established via the An historical feed may need to be stable, and/or divided into some
concatenation of the value of the name attribute from the IODEF defined epochs. Implementations SHOULD support the mechanisms
<IncidentID> element and the corresponding value of the <IncidentID> described in RFC5005 section 4 [RFC5005] to provide capabilities for
element. This requirement ensures a simple and direct one-to-one maintaining archiving of feeds.
relationship between an IODEF incident ID and a corresponding Feed
entry ID and avoids the need for any system to maintain a persistent
store of these identity mappings.
(todo: Note that this implies a constraint on the IODEF document that 6.1.3. Use of the "atom:updated" Element
is more restrictive than the current IODEF schema. IODEF section 3.3
requires only that the name be a STRING type. Here we are stating
that name must be an IRI. Possible request to update IODEF to
constrain, or to support a new element or attribute).
5.12. Entry Content The atom:updated element MUST be populated with the current time at
the instant the feed representation was last updated by adding,
updating, or deleting an entry; or changing any metadata for the
feed.
The <content> element of an Atom <entry> SHOULD include an IODEF 6.2. Use of the "atom:entry" Element
document. The <entry> element SHOULD include an appropriate XML
namespace declaration for the IODEF schema. If the content model of
the <entry> element does not follow the IODEF schema, then the
<entry> element MUST include an appropriate XML namespace
declaration.
A client MAY ignore content that is not using the IODEF schema. Each entry in an Atom feed, represented by the atom:entry element,
describes a single information record, format, and type combination.
The following atom:entry schema definition represents a stricter
representation of the atom:entry element defined in RFC 4287 for use
in a ROLE-based Atom Feed.
5.13. Link Relations atomEntry =
element atom:entry {
atomCommonAttributes,
(atomAuthor*
& atomCategory*
& atomContent
& atomContributor*
& atomId
& atomLink*
& atomPublished?
& atomRights?
& atomSource?
& atomSummary?
& atomTitle
& atomUpdated
& rolieFormat
& extensionElement*)
}
In addition to the standard Link Relations defined by the Atom 6.2.1. Use of the "atom:content" Element
specification, this specification defines the following additional
Link Relation terms, which are introduced specifically in support of
the Resource-Oriented Lightweight Information Exchange protocol.
+-----------------------+-----------------------------+-------------+ There MUST be exactly one atomContent element in the entry. The
| Name | Description | Conformance | content element MUST adhere to this definition:
+-----------------------+-----------------------------+-------------+
| service | Provides a link to an atom | MUST |
| | service document associated | |
| | with the collection feed. | |
| search | Provides a link to an | MUST |
| | associated Open Search | |
| | document that describes a | |
| | URL template for search | |
| | queries. | |
| history | Provides a link to a | MUST |
| | collection of zero or more | |
| | historical entries that are | |
| | associated with the | |
| | resource. | |
| incidents | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of incident | |
| | representations associated | |
| | with the resource. | |
| indicators | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of cyber security | |
| | indicators that are | |
| | associated with the | |
| | resource. | |
| information | Provides a link to a | MUST |
| | collection of zero or more | |
| | instances of cyber security | |
| | information that is | |
| | associated with the | |
| | resource. | |
| evidence | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides | |
| | some proof of attribution | |
| | for an incident. The | |
| | evidence may or may not | |
| | have any identified chain | |
| | of custody. | |
| campaign | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | associated cyber attack | |
| | campaign. | |
| attacker | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | attacker. | |
| vector | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that provides a | |
| | representation of the | |
| | method used by the | |
| | attacker. | |
| assessments | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | the results of executing a | |
| | benchmark. | |
| reports | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID reports. | |
| traceRequests | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID traceRequests. | |
| investigationRequests | Provides a link to a | SHOULD |
| | collection of zero or more | |
| | resources that represent | |
| | RID investigationRequests. | |
+-----------------------+-----------------------------+-------------+
Table 2: Link Relations for Resource-Oriented Lightweight Indicator
Exchange
Unless specifically registered with IANA these short names MUST be atomContent =
fully qualified via concatenation with a base-uri. An appropriate element atom:content {
base-uri could be established via agreement amongst the members of an atomCommonAttributes,
information sharing consortium. For example, the rel="indicators" attribute type { atomMediaType },
relationship would become attribute src { atomUri },
rel="http://www.example.org/rolie/incidents/relationships/ empty
indicators." }
5.13.1. Additional Link Relation Requirements The type attribute MUST be the serialization type of the content, for
example, XML or JSON. The src attribute is a link to the payload.
An IODEF document that is carried in an Atom Entry SHOULD NOT contain 6.2.2. Use of the "atom:link" Element
a <relatedActivity> element. Instead, the related activity SHOULD be
available via a link rel=related.
An IODEF document that is carried in an Atom Entry SHOULD NOT contain There MAY be zero or more atom:link elements in the entry. The
a <history> element. Instead, the related history SHOULD be content element MUST adhere to this definition:
available via a link rel="history" (todo: or a fully qualified link
rek name). The associated href MAY leverage OpenSearch to specify
the required query.
An Atom Entry MAY include additional link relationships not specified The link element follows the definition laid out in the Atom
here. If a client encounters a link relationship of an unknown type Syndication Document.
the client MUST ignore the offending link and continue processing the
remaining resource representation as if the offending link element
did not appear.
5.14. Member Entry Forward Security If there entries with the same format and category but a different
type, it MUST be linked to using the "alternate" link relation.
As described in Authorization Policy Enforcement a RESTful model for 6.2.3. Use of the "rolie:format" Element
cyber security information sharing requires that all of the required
security enforcement for feeds and entries MUST be enforced at the
source system, at the point the representation of the given
resource(s) is created. A provider SHALL NOT return any feed content
or member entry content for which the client identity has not been
specifically authenticated, authorized, and audited.
Sharing communities that have a requirement for forward message There MUST be exactly one rolie:format element in the Entry. This
security (such that client systems are required to participate in format SHOULD be one of the formats listed under the category of this
providing message level security and/or distributed authorization entry as discussed in the and Content Model section. The format is
policy enforcement), MUST use the RID schema as the content model for contained in the content of this tag.
the member entry <content> element.
5.15. Date Mapping 6.3. Link Relations
The Atom feed <updated> element MUST be populated with the current In addition to the standard Link Relations defined by the Atom
time at the instant the feed representation was generated. The Atom specification, this specification defines the following additional
entry <published> element MUST be populated with the same time value Link Relation terms, which are introduced specifically in support of
as the <reportTime> element from the IODEF document. the Resource-Oriented Lightweight Information Exchange protocol.
5.16. Search TODO: This section needs to be expanded.
7. Use of OpenSearch
Implementers MUST support OpenSearch 1.1 [opensearch] as the Implementers MUST support OpenSearch 1.1 [opensearch] as the
mechanism for describing how clients may form search requests. mechanism for describing how clients may form search requests.
Implementers MUST provide a link with a relationship type of Implementers MUST provide a link with a relationship type of
"search". This link SHALL return an Open Search Description Document "search". This link SHALL return an Open Search Description Document
as defined in OpenSearch 1.1. as defined in OpenSearch 1.1.
Implementers MUST support an OpenSearch 1.1 compliant search URL Implementers MUST fully qualify all OpenSearch URL template parameter
template that enables a search query via Atom Category, including the names using the defined XML namespaces, as appropriate.
scheme attribute and terms attribute as search parameters.
Implementers SHOULD support search based upon the IODEF AlternativeID 8. Characterizing ROLIE Collections and Resources
class as a search parameter.
Implementers SHOULD support search based upon the four timestamp This specification does not require a particular security automation
elements of the IODEF Incident class: <startTime>, <EndTime>, information type or content format; rather, it provides extension
<DetectTime>, and <ReportTime>. points using IANA tables to allow for future extensions of supported
information types and formats.
Implementers MAY support additional search capabilities based upon A given security automation information type is respresented using
any of the remaining elements of the IODEF Incident class, including the "atom:category" element. In this way, an "atom:category" element
the <Description> element. can be used to:
Collections that support use of the RID schema as a content model in 1. identify that an "app:collection" element in a Service Document
the Atom member entry <content> element (e.g. in a report resource points to an Atom feed that contains entries pertaining to a
representation reachable via the "report" link relationship) MUST specific type of security automation information (see section
support search operations that include the RID MessageType as a 5.1.2), or
search parameter, in addition to the aforementioned IODEF schema
elements, as contained within the <ReportSchema> element.
Implementers MUST fully qualify all OpenSearch URL template parameter 2. identify that an "atom:feed" element in an Atom feed contains
names using the defined IODEF or RID XML namespaces, as appropriate. entries pertaining to a specific type of security automation
information (see section 6.1.1).
5.17. / (forward slash) Resource URL As mentioned earlier, a key goal of this specification is to allow a
consumer to identify security automation information resources of
interest, and then choose a suitable format of the information to
retrieve. For a given type of security automation information, it is
expected that a number of different formats may be used to represent
this information. To support this use case, both the serialization
format and the specific data model expressed in that format must be
known by the consumer.
The "/" resource MAY be provided for compatibility with existing The following sections describe how information types are defined and
deployments that are using Transport of Real-time Inter-network used, and how specific content formats are declared in ROLIE.
Defense (RID) Messages over HTTP/TLS [RFC6546]. Consistent with
RFC6546 errata, a client requesting a GET on "/" MUST receive an HTTP
status code 405 Method Not Allowed. An implementation MAY provide
full support for RFC6546 such that a POST to "/" containing a
recognized RID message type just works. Alternatively, a client
requesting a POST to "/" MAY receive an HTTP status code 307
Temporary Redirect. In this case, the location header in the HTTP
response will provide the URL of the appropriate RID endpoint, and
the client may repeat the POST method at the indicated location.
This resource could also leverage the new draft by reschke that
proposes HTTP status code 308 (cf: draft-reschke-http-status-
308-07.txt).
6. Security Considerations TODO 8.1. Identification of Security Automation Information Types
A security automation information type represents a class of
information that represents the same or similar information model
[RFC3444]. Notional examples of information types include:
indicator: Computing device- or network-related "observable features
and phenomenon that aid in the forensic or proactive detection of
malicious activity; and associated meta-data" (from
[I-D.ietf-mile-rfc5070-bis]).
incident: Information pertaining to and "derived analysis from
security incidents" (from [I-D.ietf-mile-rfc5070-bis]).
vulnerability reports: Information identifying and describing a
vulnerability in hardware or software.
configuration checklists: Content that can be used to assess the
configuration settings related to installed software.
software tags: Metadata used to identify and characterize
installable software.
This is a short list to inspire thought on possible information
types, which will also include other information used to automate
security processes.
This document does not specific any information types. Instead,
information types in ROLIE are expected to be defined in extension
documents that describe one or more new information types. This
allows the information types used by ROLIE implementations to grow
over time to support new security automation use cases. These
extension documents may also enhance ROLIE resource representations
by defining link relations, categories, and other AtomPub and Atom
Syndication Format data model extensions to address the
representational needs of specific information types. New
information types are added to ROLIE through registrations to the
IANA Security Resource Information Type registry defined in section
10.3.
8.2. General Use of the "atom:category" Element
The core extension point within this specification is the ability to
define different security automation information types, which can be
used to characterize the type of information contained in a ROLIE
resource collection. The information type of a resource collection
is characterized using an "atom:category" element with a "scheme"
attribute value of "urn:ietf:params:rolie:information-type", and a
"term" attribute value identifying the specific information type
declared.
For example, the security automation information type "incident"
would be identified as follows:
<atom:category scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
The Uniform Resource Name (URN) [RFC2141]
"urn:ietf:params:rolie:information-type" is registered with IANA as
described in section 10.2.
Registered security automation information type values are defined in
the IANA table described in section 10.3.
8.3. Identification of Security Automation Information Formats
A given information type may have a number of supported formats.
Each format is expected to have a specification that defines the data
model for the format. As described in section 6.2.3, the
"rolie:format" element is used to describe the specific data model
used to represent the resource referenced by a given "atom:entry".
By declaring the data model used in this way, a consumer can choose
to download or ignore the resource, or look for alternate formats.
This saves the consumer from downloading and parsing resources that
the consumer is not interested in or resources expressed in formats
that are not understandable by the consumer.
TODO: Need to describe the structure and use of the rolie:format
element.
9. Formal Syntax for the ROLIE Schema
TODO: define a schema for the "rolie:format" element.
10. IANA Considerations TODO
This document defines a resource-oriented approach to security
information sharing, where such information may include a variety of
security resource categories, such as software identifiers (e.g.
tags), incident reports, configuration assessment guidance,
vulnerability assessment guidance, and so on.
TODO: Complete registration request specifics.
10.1. XML Namespaces and Schema URNs
This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in [RFC3688].
ROLIE XML Namespace The ROLIE namespace (rolie-1.0) has been
registered in the "ns" registry.
URI: urn:ietf:params:xml:ns:rolie-1.0
Registrant Contact: IESG
XML: None. Namespace URIs do not represent an XML specification.
ROLIE XML Schema The ROLIE schema (rolie-1.0) has been registered in
the "schema" registry.
URI: urn:ietf:params:xml:schema:rolie-1.0
Registrant Contact: IESG
XML: See section 9 of this document.
10.2. ROLIE Parameters
ROLIE uses URNs to represent category schemes. This section creates
and registers an IETF URN sub-namespace for use in ROLIE
specifications and future extensions.
TODO: Add entry for: "urn:ietf:params:rolie:category:information-
type"
10.3. Security Resource Information Type Registry
This document creates the following registry for IANA to manage:
Name of Registry: "Security Resource Information Type"
Location of Registry: https://www.iana.org/assignments/security-
resource-information-type
Fields to record in the registry:
Full Name: The full name of the security resource information
type as a string from the printable ASCII character set RFC0020
with individual embedded spaces allowed. The ABNF RFC5234
syntax for this field is:
1*VCHAR *(SP 1*VCHAR)
Security Resource Index: This is an IANA-assigned positive
integer that identifies the registration. The first entry
added to this registry uses the value 1, and this value is
incremented for each subsequent entry added to the registry.
Description: A complete description of the security resource
information type as a string from the printable ASCII character
set RFC0020 with individual embedded spaces allowed. The ABNF
RFC5324 syntax for this field is:
1*VCHAR *(SP 1*VCHAR)
Specification URI/Reference: A list of one or more URIs
[RFC3986] from which the registered specification can be
obtained. The registered specification MUST be readily and
publicly available from that URI. The URI SHOULD be a stable
reference.
Initial registry contents: None.
Allocation Policy: Specification required RFC5226 (which implies
expert review RFC5226).
The Designated Expert is expected to consult with the MILE (Managed
Incident Lightweight Exchange) working group or is successor if any
such WG exists (e.g., via email to the working group's mailing list).
The Designated Expert is expected to review the request and validate
the appropriateness of the name, description, and associated
specifications for the security resource category.
11. Security Considerations TODO
This document defines a resource-oriented approach to lightweight This document defines a resource-oriented approach to lightweight
information exchange using HTTP, TLS, Atom Syndicate Format, and Atom information exchange using HTTP, TLS, Atom Syndicate Format, and Atom
Publishing Protocol. As such, implementers must understand the Publishing Protocol. As such, implementers must understand the
security considerations described in those specifications. security considerations described in those specifications.
In addition, there are a number of additional security considerations In addition, there are a number of additional security considerations
that are unique to this specification. that are unique to this specification.
The approach described herein is based upon all policy enforcements The approach described herein is based upon all policy enforcements
skipping to change at page 17, line 42 skipping to change at page 23, line 4
communities that are engaged in sensitive collaborative analysis and/ communities that are engaged in sensitive collaborative analysis and/
or operational response for indicators and incidents targeting high or operational response for indicators and incidents targeting high
value information systems should adopt a suitably stronger user value information systems should adopt a suitably stronger user
authentication solution, such as TLS client certificates, or a risk- authentication solution, such as TLS client certificates, or a risk-
based or multi-factor approach. In general, trust in the sharing based or multi-factor approach. In general, trust in the sharing
consortium will depend upon the members maintaining adequate user consortium will depend upon the members maintaining adequate user
authentication mechanisms. authentication mechanisms.
Collaborating consortiums may benefit from the adoption of a Collaborating consortiums may benefit from the adoption of a
federated identity solution, such as those based upon SAML-core federated identity solution, such as those based upon SAML-core
[SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for [SAML-core] and SAML-bind [SAML-bind] and SAML-prof [SAML-prof] for
Web-based authentication and cross-organizational single sign-on. Web-based authentication and cross-organizational single sign-on.
Dependency on a trusted third party identity provider implies that Dependency on a trusted third party identity provider implies that
appropriate care must be exercised to sufficiently secure the appropriate care must be exercised to sufficiently secure the
Identity provider. Any attacks on the federated identity system Identity provider. Any attacks on the federated identity system
would present a risk to the CISRT, as a relying party. Potential would present a risk to the CSIRT, as a relying party. Potential
mitigations include deployment of a federation-aware identity mitigations include deployment of a federation-aware identity
provider that is under the control of the information sharing provider that is under the control of the information sharing
consortium, with suitably stringent technical and management consortium, with suitably stringent technical and management
controls. controls.
All security measures MUST be enforced at the source, that is, a
provider SHALL NOT return any feed content or member entry content
for which the client identity has not been specifically
authenticated, authorized, and audited.
Sharing communities that have a requirement for forward message
security (such that client systems are required to participate in
providing message level security and/or distributed authorization
policy enforcement), MUST use TODO.
The implementation details of the authorization scheme chosen by a
ROLIE-compliant provider are out of scope for this specification.
Implementers are free to choose any suitable authorization mechanism
that is capable of fulfilling the policy enforcement requirements
relevant to their consortium and/or organization.
Authorization of resource representations is the responsibility of Authorization of resource representations is the responsibility of
the source system, i.e. based on the authenticated user identity the source system, i.e. based on the authenticated user identity
associated with an HTTP(S) request. The required authorization associated with an HTTP(S) request. The required authorization
policies that are to be enforced must therefore be managed by the policies that are to be enforced must therefore be managed by the
security administrators of the source system. Various authorization security administrators of the source system. Various authorization
architectures would be suitable for this purpose, such as RBAC [1] architectures would be suitable for this purpose, such as RBAC [3]
and/or ABAC, as embodied in XACML [XACML]. In particular, and/or ABAC, as embodied in XACML [XACML]. In particular,
implementers adopting XACML may benefit from the capability to implementers adopting XACML may benefit from the capability to
represent their authorization policies in a standardized, represent their authorization policies in a standardized,
interoperable format. interoperable format.
Additional security requirements such as enforcing message-level Additional security requirements such as enforcing message-level
security at the destination system could supplement the security security at the destination system could supplement the security
enforcements performed at the source system, however these enforcements performed at the source system, however these
destination-provided policy enforcements are out of scope for this destination-provided policy enforcements are out of scope for this
specification. Implementers requiring this capability should specification. Implementers requiring this capability should
skipping to change at page 19, line 13 skipping to change at page 24, line 40
effectiveness that this specification affords to the defenders. effectiveness that this specification affords to the defenders.
While it is a goal of this specification to enable more agile cyber While it is a goal of this specification to enable more agile cyber
security information sharing across a broader and varying security information sharing across a broader and varying
constituency, there is nothing in this specification that necessarily constituency, there is nothing in this specification that necessarily
requires this type of deployment. A cyber security information requires this type of deployment. A cyber security information
sharing consortium may chose to adopt this specification while sharing consortium may chose to adopt this specification while
continuing to operate as a gated community with strictly limited continuing to operate as a gated community with strictly limited
membership. membership.
7. IANA Considerations TODO 12. Acknowledgements
TODO.
8. Acknowledgements
The author gratefully acknowledges the valuable contributions of Tom The author gratefully acknowledges the valuable contributions of Tom
Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These
individuals provided detailed review comments on earlier drafts, and individuals provided detailed review comments on earlier drafts, and
many suggestions that have helped to improve this document . many suggestions that have helped to improve this document .
9. References 13. References
13.1. Normative References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
Protocol (HTTP/1.1): Authentication", RFC 7235, DOI 10.17487/RFC3688, January 2004,
DOI 10.17487/RFC7235, June 2014, <http://www.rfc-editor.org/info/rfc3688>.
<http://www.rfc-editor.org/info/rfc7235>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom [RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
Syndication Format", RFC 4287, DOI 10.17487/RFC4287, Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
December 2005, <http://www.rfc-editor.org/info/rfc4287>. December 2005, <http://www.rfc-editor.org/info/rfc4287>.
[RFC5005] Nottingham, M., "Feed Paging and Archiving", RFC 5005, [RFC5005] Nottingham, M., "Feed Paging and Archiving", RFC 5005,
DOI 10.17487/RFC5005, September 2007, DOI 10.17487/RFC5005, September 2007,
<http://www.rfc-editor.org/info/rfc5005>. <http://www.rfc-editor.org/info/rfc5005>.
[RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom [RFC5023] Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023, Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
October 2007, <http://www.rfc-editor.org/info/rfc5023>. October 2007, <http://www.rfc-editor.org/info/rfc5023>.
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
Object Description Exchange Format", RFC 5070, Object Description Exchange Format", RFC 5070,
DOI 10.17487/RFC5070, December 2007, DOI 10.17487/RFC5070, December 2007,
<http://www.rfc-editor.org/info/rfc5070>. <http://www.rfc-editor.org/info/rfc5070>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", [RFC6546] Trammell, B., "Transport of Real-time Inter-network
RFC 6545, DOI 10.17487/RFC6545, April 2012, Defense (RID) Messages over HTTP/TLS", RFC 6546,
<http://www.rfc-editor.org/info/rfc6545>. DOI 10.17487/RFC6546, April 2012,
<http://www.rfc-editor.org/info/rfc6546>.
[W3C.REC-xml-names-20091208]
Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thompson, "Namespaces in XML 1.0 (Third Edition)", World
Wide Web Consortium Recommendation REC-xml-names-20091208,
December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208>.
[relax-NG]
Clark, J., Ed., "RELAX NG Compact Syntax", 11 2002,
<https://www.oasis-open.org/committees/relax-ng/compact-
20021121.html>.
[opensearch] [opensearch]
Clinton, D., "OpenSearch 1.1 draft 5 specification", 2011, Clinton, D., "OpenSearch 1.1 draft 5 specification", OASIS
Committee Specification saml-core-2.0-os, 2011,
<http://www.opensearch.org/Specifications/OpenSearch/1.1>. <http://www.opensearch.org/Specifications/OpenSearch/1.1>.
[SAML-core] [SAML-core]
Cantor, S., Kemp, J., Philpott, R., and E. Mahler, Cantor, S., Kemp, J., Philpott, R., and E. Maler,
"Assertions and Protocols for the OASIS Security Assertion "Assertions and Protocol for the OASIS Security Assertion
Markup Language (SAML) V2.0", OASIS Standard , March 2005, Markup Language (SAML) V2.0", OASIS Standard saml-core-
<http://docs.oasis-open.org/security/saml/v2.0/ 2.0-os, March 2005, <http://docs.oasis-
saml-core-2.0-os.pdf>. open.org/security/saml/v2.0/saml-core-2.0-os.pdf>.
[SAML-prof] [SAML-prof]
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Mahler, "Profiles for the OASIS P., Philpott, R., and E. Maler, "Profiles for the OASIS
Security Assertion Markup Language (SAML) V2.0", OASIS Security Assertion Markup Language (SAML) V2.0", OASIS
Standard , March 2005, <http://docs.oasis- Standard OASIS.saml-profiles-2.0-os, March 2005,
open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf>. <http://docs.oasis-open.org/security/saml/v2.0/
saml-profiles-2.0-os.pdf>.
[SAML-bind] [SAML-bind]
Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E. Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and E.
Mahler, "Bindings for the OASIS Security Assertion Markup Maler, "Bindings for the OASIS Security Assertion Markup
Language (SAML) V2.0", OASIS Standard , March 2005, Language (SAML) V2.0", OASIS Standard saml-bindings-
<http://docs.oasis-open.org/security/saml/v2.0/ 2.0-os, March 2005, <http://docs.oasis-
saml-bindings-2.0-os.pdf>. open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>.
9.2. Informative References 13.2. Informative References
[RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
May 1997, <http://www.rfc-editor.org/info/rfc2141>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003,
<http://www.rfc-editor.org/info/rfc3444>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, DOI 10.17487/RFC6545, April 2012,
<http://www.rfc-editor.org/info/rfc6545>.
[I-D.ietf-mile-rfc5070-bis]
Danyliw, R., "The Incident Object Description Exchange
Format v2", draft-ietf-mile-rfc5070-bis-25 (work in
progress), June 2016.
[XACML] Rissanen, E., "eXtensible Access Control Markup Language [XACML] Rissanen, E., "eXtensible Access Control Markup Language
(XACML) Version 3.0", August 2010, <http://docs.oasis- (XACML) Version 3.0", August 2010, <http://docs.oasis-
open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>. open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf>.
[REST] Fielding, R., "Architectural Styles and the Design of [REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", 2000, Network-based Software Architectures", 2000,
<http://www.ics.uci.edu/~fielding/pubs/dissertation/ <http://www.ics.uci.edu/~fielding/pubs/dissertation/
top.htm>. top.htm>.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network 13.3. URIs
Defense (RID) Messages over HTTP/TLS", RFC 6546,
DOI 10.17487/RFC6546, April 2012,
<http://www.rfc-editor.org/info/rfc6546>.
9.3. URIs [1] https://www.iana.org/assignments/link-relations/link-
relations.xhtml
[1] http://csrc.nist.gov/groups/SNS/rbac/ [2] https://www.iana.org/assignments/link-relations/link-
relations.xhtml
Appendix A. Change Tracking [3] http://csrc.nist.gov/groups/SNS/rbac/
Appendix A. Use Case Examples
A.1. Service Discovery
This section provides a non-normative example of a client doing
service discovery. TODO: Standardize location of doc?
An Atom service document enables a client to dynamically discover
what feeds a particular publisher makes available. Thus, a provider
uses an Atom service document to enable clients or other authorized
parties to determine what specific information the provider makes
available to the community. The service document could be made
available at any well known location, such as via a link from the
CSIRT's home page. One common technique is to include a link in the
<HEAD> section of the organization's home page, as shown below:
Example of bootstrapping Service Document discovery:
<link rel="introspection"
type="application/atomsvc+xml"
title="Atom Publishing Protocol Service Document"
href="/csirt/svcdoc.xml" />
A client may then format an HTTP GET request to retrieve the service
document:
GET /provider/svcdoc.xml
Host: www.example.org
Accept: application/atomsvc+xml
Notice the use of the HTTP Accept: request header, indicating the
MIME type for Atom service discovery. The response to this GET
request will be an XML document that contains information on the
specific feed collections that are provided by the CSIRT.
Example HTTP GET response:
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:09:11 GMT
Content-Length: 570
Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:xml="http://www.w3.org/XML/1998/namespace"
xml:lang="en-US">
<workspace>
<atom:title type="text">Incidents</atom:title>
<collection href="http://example.org/provider/incidents">
<atom:title type="text">Incidents Feed</atom:title>
<categories fixed="yes">
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="vulnerability"/>
</categories>
<accept>application/atom+xml; type=entry</accept>
</collection>
</workspace>
</service>
This simple Service Document example shows that this server provides
one workspace, named "Incidents". Within that workspace, the
producer makes one feed collection available. When attempting to GET
or POST entries to that feed collection, the client must indicate a
content type of application/atom+xml.
A server may also offer a number of different feeds, each containing
different types of security automation information. In the following
example, the feeds have been categorized. This categorization will
help the clients to decide which feeds will meet their needs.
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:10:11 GMT
Content-Length: 1912
Content-Type: application/atomsvc+xml;charset="utf-8"
<?xml version="1.0" encoding='utf-8'?>
<service xmlns="http://www.w3.org/2007/app"
xmlns:atom="http://www.w3.org/2005/Atom">
<workspace>
<atom:title>Public Security Information Sharing</atom:title>
<collection
href="http://example.org/provider/public/vulnerabilties">
<atom:title>Public Vulnerabilities</atom:title>
<accept>application/atom+xml; type=entry</accept>
<categories fixed="yes">
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="vulnerability"/>
</categories>
</collection>
<collection
href="http://example.org/provider/public/incidents">
<atom:title>Public Incidents</atom:title>
<accept>application/atom+xml; type=entry</accept>
<categories fixed="yes">
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
</categories>
</collection>
</workspace>
<workspace>
<atom:title>Private Consortium Sharing</atom:title>
<collection
href="http://example.org/provider/private/incidents" >
<atom:title>Incidents</atom:title>
<accept>application/atom+xml;type=entry</accept>
<categories fixed="yes">
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
</categories>
</collection>
</workspace>
</service>
In this example, the CSIRT is providing a total of three feed
collections, organized into two different workspaces. The first
workspace contains two feeds, consisting of publicly available
software vulnerabilities and publicly available incidents,
respectively. The second workspace provides one additional feed, for
use by a sharing consortium. The feed contains incident information
containing entries related to three purposes: traceback, mitigation,
and reporting. The entries in this feed are categorized with a
restriction of either "Need-to-Know" or "private". An appropriately
authenticated and authorized client may then proceed to make GET
requests for one or more of these feeds. The publicly provided
incident information may be accessible with or without
authentication. However, users accessing the feed targeted to the
private sharing consortium would be expected to authenticate, and
appropriate authorization policies would subsequently be enforced by
the feed provider.
A.2. Feed Retrieval
This section provides a non-normative example of a client retrieving
an incident feed. TODO
Having discovered the available security information sharing feeds,
an authenticated and authorized client who is a member of the private
sharing consortium may be interested in receiving the feed of known
incidents. The client may retrieve this feed by performing an HTTP
GET operation on the indicated URL.
Example HTTP GET request for a Feed:
GET /provider/private/incidents
Host: www.example.org
Accept: application/atom+xml
The corresponding HTTP response would be an XML document containing
the incidents feed:
Example HTTP GET response for a Feed:
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:20:11 GMT
Content-Length: 2882
Content-Type: application/atom+xml;type=feed;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
xml:lang="en-US">
<generator version="1.0">
Example Provider ROLIE Feed Generator
</generator>
<id>http://www.example.org/provider/private/incidents</id>
<title type="text">
Atom formatted representation of
a feed of XML incident documents
</title>
<!-- The category is taken from the related IANA table -->
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
<updated>2012-05-04T18:13:51.0Z</updated>
<author>
<email>provider@example.org</email>
<name>Example Provider</name>
</author>
<!-- By convention there is usually a self link for the feed -->
<link href="http://www.example.org/provider/private/incidents"
rel="self" type="application/atom+xml"/>
<entry>
<id>
http://www.example.org/provider/private/incidents/123456
</id>
<title>Sample Incident</title>
<!-- by convention -->
<link
href="http://www.example.org/provider/private/incidents/12345"
rel="self" type="application/atom+xml"/>
<!-- required by Atom spec -->
<link
href="http://www.example.org/provider/private/incidents/12345"
rel="alternate" type="xml"/>
<published>2014-08-04T18:13:51.0Z</published>
<updated>2014-08-05T18:13:51.0Z</updated>
<summary>A short description of this resource</summary>
</entry>
<entry>
<!-- ...another entry... -->
</entry>
</feed>
This feed document has two atom entries, one of which has been
elided. The completed entry illustrates an Atom <entry> element that
provides a summary of essential details about one particular
incident. Based upon this summary information and the provided
category information, a client may choose to do an HTTP GET operation
to retrieve the full details of the incident. This example
exemplifies the benefits a RESTful alternative has to traditional
point-to-point messaging systems.
A.3. Entry Retrieval
This section provides a non-normative example of a client retrieving
an incident as an Atom entry. TODO
Having retrieved the feed of interest, the client may then decide
based on the description and/or category information that one of the
entries in the feed is of further interest. The client may retrieve
this incident Entry by performing an HTTP GET operation on the
indicated URL.
Example HTTP GET request for an Entry:
GET /provider/private/incidents/123456
Host: www.example.org
Accept: application/atom+xml
The corresponding HTTP response would be an XML document containing
the incident:
Example HTTP GET response for an Entry:
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:30:11 GMT
Content-Length: 4965
Content-Type: application/atom+xml;type=entry;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<entry>
<id>http://www.example.org/provider/private/incidents/123456</id>
<title>Sample Incident</title>
<!-- by convention -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="self" type="application/atom+xml"/>
<!-- required by Atom spec -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="alternate" type="IODEF"/>
<published>2012-08-04T18:13:51.0Z</published>
<updated>2012-08-05T18:13:51.0Z</updated>
<!-- The category is taken from the related IANA table -->
<atom:category
scheme="urn:ietf:params:rolie:information-type"
term="incident"/>
<summary>A short description of this incident resource</summary>
<!-- Typical operations that can be
performed on this entry include edit -->
<link href="http://www.example.org/csirt/private/incidents/123456"
rel="edit"/>
<!-- the next and previous are just sequential access,
may not map to anything related to this resource -->
<link href="http://www.example.org/csirt/private/incidents/123457"
rel="next"/>
<link href="http://www.example.org/csirt/private/incidents/123455"
rel="previous"/>
<!-- navigate up to the full collection.
Might also be rel="collection" as per IANA registry -->
<link href="http://www.example.org/csirt/private/incidents"
rel="up"/>
<content type="application/xml">
<xml>
<tag>
<data> Example </data>
</tag>
</xml>
</content>
</entry>
As can be seen in the example response, above, an XML document is
contained within the Atom <content> element. The client may now
process the XML document as needed.
Note also that, as described previously, the content of the Atom
<category> element is application-defined. The Atom categories have
been assigned based on the IANA table content model.
Finally, it should be noted that in order to optimize the client
experience, and avoid an additional round trip, a feed provider may
choose to include the entry content inline, as part of the feed
document. That is, an Atom <entry> element within a Feed document
may contain an Atom <content> element as a child. In this case, the
client will receive the full content of the entries within the feed.
The decision of whether to include the entry content inline or to
include it as a link is a design choice left to the feed provider
(e.g. based upon local environmental factors such as the number of
entries contained in a feed, the available network bandwidth, the
available server compute cycles, the expected client usage patterns,
etc.).
A.4. Use Case: Search
This section provides a non-normative example of a search use case.
The following example provides a RESTful solution to handling search
results. Note that in the RESTful approach described herein there is
no requirement to define a query language. Instead, implementations
may provide support for search operations via existing search
facilities, and advertise these capabilities via an appropriate URL
template. Clients dynamically retrieve the search description
document, and invoke specific searches via an instantiated URL
template.
An HTTP response body may include a link relationship of type
"search." This link provides a reference to an OpenSearch
description document.
Example HTTP response that includes a "search" link:
HTTP/1.1 200 OK
Date: Fri, 24 Aug 2012 17:20:11 GMT
Content-Length: nnnn
Content-Type: application/atom+xml;type=feed;charset="utf-8"
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.w3.org/2005/Atom file:/
C:/schemas/atom.xsd
urn:ietf:params:xml:ns:iodef-1.0
file:/C:/schemas/iodef-1.0.xsd"
xml:lang="en-US">
<link href="http://www.example.org/opensearchdescription.xml"
rel="search"
type="application/opensearchdescription+xml"
title="CSIRT search facility" />
<!-- ...other links... -->
<entry>
<!-- ...zero or more entries... -->
</entry>
</feed>
The OpenSearch Description document contains the information needed
by a client to request a search. An example of an Open Search
description document is shown below:
Example HTTP response that includes a "search" link:
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
<ShortName>CSIRT search example</ShortName>
<Description>Cyber security information
sharing consortium search interface</Description>
<Tags>example csirt indicator search</Tags>
<Contact>admin@example.org</Contact>
<!-- optionally, other elements, as per OpenSearch specification -->
<Url type="application/opensearchdescription+xml" rel="self"
template="http://www.example.com/csirt/opensearchdescription.xml"/>
<Url type="application/atom+xml" rel="results"
template="http://www.example.org/csirt?q={searchTerms}&amp;
format=Atom+xml"/>
<LongName>www.example.org CSIRT search</LongName>
<Query role="example" searchTerms="incident" />
<Language>en-us</Language>
<OutputEncoding>UTF-8</OutputEncoding>
<InputEncoding>UTF-8</InputEncoding>
</OpenSearchDescription>
The OpenSearch Description document shown above contains two <Url>
elements that contain parametrized URL templates. These templates
provide a representation of how the client should make search
requests. The exact format of the query string, including the
parametrization is specified by the feed provider
This OpenSearch Description Document also contains an example of a
<Query> element. Each <Query> element describes a specific search
request that can be made by the client. Note that the parameters of
the <Query> element correspond to the URL template parameters. In
this way, a provider may fully describe the search interface
available to the clients. The search section, above, provides
specific NORMATIVE requirements for the use of Open Search.
Appendix B. XACML Guidance
ROLIE assumes that all authorization policy enforcement is provided
at the source server. The implementation details of the
authorization scheme chosen by a ROLIE-compliant provider are out of
scope for this specification. Implementers are free to choose any
suitable authorization mechanism that is capable of fulfilling the
policy enforcement requirements relevant to their consortium and/or
organization.
It is well known that one of the major barriers to information
sharing is ensuring acceptable use of the information shared. In the
case of ROLIE, one way to lower that barrier may be to develop a
XACML profile. Use of XACML would allow a ROLIE-compliant provider
to express their information sharing authorization policies in a
standards-compliant, and machine-readable format.
This improved interoperability may, in turn, enable more agile
interactions in the cyber security sharing community. For example, a
peer CSIRT, or another interested stakeholder such as an auditor,
would be able to review and compare CSIRT sharing policies using
appropriate tooling.
The XACML 3.0 standard is based upon the notion that authorization
policies are defined in terms of predicate logic expressions written
against the attributes associated with one or more of the following
four entities:
o SUBJECT
o ACTION
o RESOURCE
o ENVIRONMENT
Thus, a suitable approach to a XACML 3.0 profile for ROLIE
authorization policies could begin by using the 3-tuple of [SUBJECT,
ACTION, RESOURCE] where:
o SUBJECT is the suitably authenticated identity of the requestor.
o ACTION is the associated HTTP method, GET, PUT, POST, DELETE,
HEAD, (PATCH).
o RESOURCE is an XPath expression that uniquely identifies the
instance or type of the ROLIE resource being requested.
Implementers who have a need may also choose to evaluate based upon
the additional ENVIRONMENT factors, such as current threat level, and
so on. One could also write policy to consider the CVSS score
associated with the resource, or the lifecycle phase of the resource
(vulnerability unverified, confirmed, patch available, etc.), and so
on.
Having these policies expressed in a standards-compliant and machine-
readable format could improve the agility and effectiveness of a
cyber security information sharing group or consortium, and enable
better cyber defenses.
Appendix C. Relax NG Schema for ROLIE Extensions
TODO
Appendix D. Change Tracking
Changes since draft-field-mile-rolie-01 version, December, 2015 to Changes since draft-field-mile-rolie-01 version, December, 2015 to
May 27, 2016: May 27, 2016:
o Spun section 4 and some related contextual information into its o All CSIRT and IODEF/RID material moved to companion CSIRT document
own document see TODO:Add reference TODO: add reference
o Recast document into a more general use perspective. The o Recast document into a more general use perspective. The
implication of CSIRTs as the defacto end-user has been removed implication of CSIRTs as the defacto end-user has been removed
where ever possible. All of the original CSIRT based use cases where ever possible. All of the original CSIRT based use cases
remain completely supported by this document, it has been opened remain completely supported by this document, it has been opened
up to supported many other use cases. up to support many other use cases.
o Changed the content model to broaden support of representation o Changed the content model to broaden support of representation
o Edited and rewrote much of sections 1,2 and 3 in order to o Edited and rewrote much of sections 1,2 and 3 in order to
accomplish a broader scope and greater readability accomplish a broader scope and greater readability
o Removed any requirements from the Background section and, if not o Removed any requirements from the Background section and, if not
already stated, placed them in the requirements section already stated, placed them in the requirements section
o Re-formatted the requirements section to make it clearer that it o Re-formatted the requirements section to make it clearer that it
contains the lions-share of the requirements of the specification contains the lions-share of the requirements of the specification
Changes made in draft-ietf-mile-rolie-01 since draft-field-mile- Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-
rolie-02 version, August 15, 2013 to December 2, 2015: rolie-02 version, August 15, 2013 to December 2, 2015:
o Added section specifying the use of RFC5005 for Archive and Paging o Added section specifying the use of RFC5005 for Archive and Paging
of feeds. See: Section 5.3 of feeds.
o Added section describing use of atom categories that correspond to o Added section describing use of atom categories that correspond to
IODEF expectation class and impact classes. See: Section 5.4 IODEF expectation class and impact classes. See: normative-
expectation-impact
o Dropped references to adoption of a MILE-specific HTTP media type o Dropped references to adoption of a MILE-specific HTTP media type
parameter. parameter.
o Updated IANA Considerations section to clarify that no IANA o Updated IANA Considerations section to clarify that no IANA
actions are required. actions are required.
Authors' Addresses Authors' Addresses
John P. Field John P. Field
skipping to change at line 1015 skipping to change at page 39, line 24
Email: jfield@pivotal.io Email: jfield@pivotal.io
Stephen A. Banghart Stephen A. Banghart
National Institute of Standards and Technology National Institute of Standards and Technology
100 Bureau Drive 100 Bureau Drive
Gaithersburg, Maryland Gaithersburg, Maryland
USA USA
Phone: (301)975-4288 Phone: (301)975-4288
Email: sab3@nist.gov Email: sab3@nist.gov
David Waltermire
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20877
USA
Email: david.waltermire@nist.gov
 End of changes. 139 change blocks. 
589 lines changed or deleted 1344 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/