MILE Working Group | J. Field |
Internet-Draft | Pivotal |
Intended status: Standards Track | S. Banghart |
Expires: June 17, 2018 | D. Waltermire |
NIST | |
December 14, 2017 |
Resource-Oriented Lightweight Information Exchange
draft-ietf-mile-rolie-16
This document defines a resource-oriented approach for security automation information publication, discovery, and sharing. Using this approach, producers may publish, share, and exchange representations of software descriptors, security incidents, attack indicators, software vulnerabilities, configuration checklists, and other security automation information as web-addressable resources. Furthermore, consumers and other stakeholders may access and search this security information as needed, establishing a rapid and on-demand information exchange network for restricted internal use or public access repositories. This specification extends the Atom Publishing Protocol and Atom Syndication Format to transport and share security automation resource representations.
The source for this draft is being maintained on GitHub. Suggested changes should be submitted as pull requests at <https://github.com/CISecurity/ROLIE>. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantial issues need to be discussed on the MILE mailing list.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 17, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines a resource-oriented approach to security automation information sharing that follows the Representational State Transfer (REST) architectural style [REST]. In this approach, computer security resources are maintained in web-accessible repositories structured as Atom Syndication Format Feeds. Within a given Feed, which may be requested by the consumer, representations of specific types of security automation information are organized, categorized, and described. Furthermore, all collections available to a given user are discoverable, allowing the consumer to search all available content they are authorized to view, and to locate and request the desired information resources. Through use of granular authentication and access controls, only authorized consumers may be permitted the ability to read or write to a given Feed.
The goal of this approach is to increase the communication and sharing of security information between providers and consumers that can be used to automate security processes (e.g., incident reports, vulnerability assessments, configuration checklists, and other security automation information). Such sharing allows human operators and computer systems to leverage this standardized communication system to gather information that supports the automation of security processes.
To support new types of security automation information being used as time goes on, this specification defines a number of extension points that can be used either privately or globally. These global extensions are IANA registered by ROLIE extension specifications, and provide enhanced interoperability for new use cases and domains. Sections 5 and 6 of this document define the core requirements of all implementations of this specification, and is resource representation agnostic. An overview of the extension system is provided in Section 7. Implementers seeking to provide support for specific security automation information types should refer to the specification for that domain described by the IANA registry found in Section 8.4.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
The previous key words are used in this document to define the requirements for implementations of this specification. As a result, the key words in this document are not used for recommendations or requirements for the use of ROLIE.
Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [RFC7970].
The following terms are unique to this specification:
This specification uses XML Namespaces [W3C.REC-xml-names-20091208] to uniquely identify XML element names. It uses the following namespace prefix mappings for the indicated namespace URI:
Some sections of this specification are illustrated with fragments of a non-normative RELAX NG Compact schema [relax-NG]. The text of this specification provides the definition of conformance. Schema for the "http://www.w3.org/2007/app" and "http://www.w3.org/2005/Atom" namespaces appear in RFC5023 appendix B and RFC4287 appendix B respectively.
A complete informative RELAX NG Compact Schema for the new elements introduced by ROLIE is provided in Appendix A.
In order to automate security process, tools need access to sufficient sources of structured security information that can be used to drive security processes. Thus, security information sharing is one of the core components of automating security processes. Vulnerabilities, configurations, software identification, security incidents, and patch data are just a few of the classes of information that are shared today to enable effective security on a wide scale. However, as the scale of defense broadens as networks become larger and more complex, and the volume of information to process makes humans-in-the-loop difficult to scale, the need for automation and machine-to-machine communication becomes increasingly critical.
ROLIE seeks to address this need by providing four major information sharing benefits:
These benefits result in an information sharing protocol that is lightweight, interactive, open, and most importantly, machine readable.
The requirements in this specification are broken into two major sections, extensions to the Atom Publishing Protocol (AtomPub) [RFC5023], and extensions to the Atom Syndication Format [RFC4287]. All normative requirements in AtomPub and Atom Syndication are inherited from their respective specifications, and apply here unless the requirement is explicitly overridden in this document. In this way, this document may upgrade the requirement (e.g., make a SHOULD a MUST), but will never downgrade a given requirement (e.g., make a MUST a SHOULD).
This section describes a number of restrictions of and extensions to the Atom Publishing Protocol (AtomPub) that define the use of that protocol in the context of a ROLIE-based solution. The normative requirements in this section are generally oriented towards client and server implementations. An understanding of the Atom Publishing Protocol specification [RFC5023] is helpful to understand the requirements in this section.
As described in RFC5023 section 8, a Service Document is an XML-based document format that allows a client to dynamically discover the Collections provided by a publisher. A Service Document consists of one or more app:workspace elements that may each contain a number of app:collection elements.
The general structure of a service document is as follows (from RFC5023 section 4.2):
Service o- Workspace | | | o- Collection | | | | | o- URI, categories, media types | | | o- ... | o- Workspace | | | o- Collection | | | | | o- URI, categories, media types | | | o- ... | o- ...
Note that the IRIs in the original diagram have been replaced with URIs.
In AtomPub, a Workspace, represented by the "app:workspace" element, describes a group of one or more Collections. Building on the AtomPub concept of a Workspace, in ROLIE a Workspace represents an aggregation of Collections pertaining to security automation information resources. This specification does not restrict the number of Workspaces that may be in a Service Document or the specific Collections to be provided within a given Workspace.
A ROLIE implementation can host Collections containing both public and private information entries. It is suggested that implementations segregate Collections into different app:workspace elements by their client access requirements. With proper naming of workspaces, this reduces the amount of trial and error a human user would need to utilize to discover accessible Collections.
In AtomPub, a Collection in a Service Document, represented by the "app:collection" element, provides metadata that can be used to point to a specific Atom Feed that contains information Entries that may be of interest to a client. The association between a Collection and a Feed is provided by the "href" attribute of the app:collection element. Building on the AtomPub concept of a Collection, in ROLIE a Collection represents a pointer to a group of security automation information resources pertaining to a given type of security automation information. Collections are represented as Atom Feeds as per RFC 5023. Atom Feed specific requirements are defined in Section 6.1.
ROLIE defines specialized data requirements for Collections, Feeds, and Entries containing security automation related data. The difference between a ROLIE and a non-ROLIE Collection defined in a Service Document can be determined as follows:
By distinguishing between ROLIE and non-ROLIE Collections in this way, implementations supporting ROLIE can host Collections pertaining to security automation information alongside Collections of other non-ROLIE information within the same AtomPub instance.
The following are additional requirements on the use of the app:collection element for a ROLIE Collection:
The Service Document serves as the "head" of a given ROLIE repository: from the Service Document all other repository content can be discovered. A client will need to determine the URL of this Service Document to discover the Collections provided by the repository. The client might determine the URL from a web page, based on out-of-band communication, or through a "service" link relation in a Feed or Entry document that the client has already retrieved. The latter is a typical scenario if the client learns of a specific feed or entry through an out-of-band mechanism, and wishes to discover additional information provided by the repository.
This document does not provide a fully automated discovery mechanism. A mechanism may be defined in the future that allows automated clients to discover the URL to use to retrieve a ROLIE Service Document representing the head of the ROLIE repository.
As described in RFC5023 section 7, a Category Document is an XML-based document format that allows a client to dynamically discover the Categories used within AtomPub Service Documents, Atom Syndication Feeds, and Entry documents provided by a publisher. A Category Document consists of one app:categories element that contains a number of inline atom:category elements, or a URI referencing a Category Document.
ROLIE is intended to be handled with TLS. TLS version 1.2 MUST be supported. TLS 1.2 SHOULD be implemented according to all recommendations and best practices present in [RFC7525].
It is RECOMMENDED that the most recent published version of TLS is supported. If this version is TLS 1.3 [I-D.ietf-tls-tls13] it is suggested that 0-RTT (Zero Round Trip Time Resumption) is not used in order to prevent replay attacks. Replay attacks on PUT, POST, or DELETE requests can disrupt repository operation by modifying data unexpectedly.
For example, an automated ROLIE repository that updates very frequently may receive a PUT request against a given resource a few times an hour (or more). An attacker may store an early PUT request, and at the end of the resumption window replay the PUT request, reverting the resource to an old version. Not only could an attacker be doing this replay continuously to cause havoc on the server, but the client is completely unaware of the attack taking place.
Given the potentially sensitive nature of data handled by ROLIE, all appropriate precautions should be taken at the transport layer to protect forward secrecy and user privacy.
The server MUST implement certificate-based client authentication. This MAY be enabled on a workspace by workspace basis.
Implementations MUST support user authentication. However, a given implementation MAY allow user authentication to be disabled on a Feed by Feed, or Workspace by Workspace basis.
It is recommended that servers participating in an information sharing consortium and supporting interactive user logins by members of the consortium support client authentication via a federated identity scheme.
This document does not mandate the use of any specific user authorization mechanisms. However, service implementers SHOULD support appropriate authorization checking for all resource accesses, including individual Atom Entries, Atom Feeds, and Atom Service Documents.
The "/" resource MAY be supported for compatibility with existing deployments that are using Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS. The following requirements apply only to implementations supporting RFC 6546.
The following additional requirements only apply if a implementation is supporting the "/" resource as described above:
If RFC 6546 is unsupported, then a request for the "/" resource may be handled as deemed appropriate by the server.
Servers MAY accept request methods beyond those specified in this document.
Clients MUST be capable of recognizing and processing any standard HTTP status code, as defined in [RFC5023] Section 5.
This section describes a number of restrictions of and extensions to the Atom Syndication Format that define valid use of the format in the context of a ROLIE implementation. An understanding of the Atom Syndication Format specification [RFC4287] is helpful to understand the requirements in this section.
As described in RFC4287 section 4.1.1, an Atom Feed is an XML-based document format that describes a list of related information items. The list of Atom Feeds provided by a ROLIE service are listed in the service's Service Document through one or more app:collection elements. Each Feed document, represented using the atom:feed element, contains a listing of zero or more Entries.
When applied to the problem domain of security automation information sharing, an Atom Feed may be used to represent any meaningful collection of security automation information resources. Each Entry in an atom:feed represents an individual resource (e.g., a specific checklist, a software vulnerability record). Additional Feeds can be used to represent other collections of security automation resources.
As discussed in Section 5.1.2, ROLIE defines specialized data requirements for Feeds containing security automation related data. The difference between a ROLIE and a non-ROLIE Feed can be determined as follows:
By distinguishing between ROLIE and non-ROLIE Feeds in this way, implementations supporting ROLIE can host Feeds pertaining to security automation information alongside Feeds of other non-ROLIE information within the same AtomPub instance. This is parallel to the handling of collections ealier in this specification in Section 5.1.2.
The following Atom Feed definition represents a stricter definition of the atom:feed element defined in RFC 4287 when used as a ROLIE Feed. Any element not specified here inherits its definition and requirements from [RFC4287].
atomFeed = element atom:feed { atomCommonAttributes, (atomAuthor* & atomCategory+ & atomContributor* & atomGenerator? & atomIcon? & atomId & atomLink+ & atomLogo? & atomRights? & atomSubtitle? & atomTitle & atomUpdated & extensionElement*), atomEntry* }
The following subsections contain requirements for a ROLIE Feed.
An atom:feed can contain one or more atom:category elements. In Atom the naming scheme and the semantic meaning of the terms used to identify an Atom category are application-defined.
The following are additional requirements on the use of the atom:category element when used in a ROLIE Feed:
Link relations defined by the atom:link element are used to represent state transitions using a stateless approach. In Atom a type of link relationship can be defined using the "rel" attribute.
A ROLIE atom:feed MUST contain one or more atom:link elements with rel="service" and href attribute whose value is a URI that points to an Atom Service Document associated with the atom:feed. If a client accesses a Feed without first accessing the service's service document, a link with the "service" relationship provides a means to discover additional security automation information. The "service" link relationship is defined in the IANA Link Relations Registry.
An atom:feed can contain an arbitrary number of Entries. In some cases, a complete Feed may consist of a large number of Entries. Additionally, as new and updated Entries are ordered at the beginning of a Feed, a client may only be interested in retrieving the first N entries in a Feed to process only the Entries that have changed since the last retrieval of the Feed. As a practical matter, a large set of Entries will likely need to be divided into more manageable portions, or pages. Based on RFC5005 section 3, link elements SHOULD be included in all Feeds to support paging using the following link relation types:
For example:
<?xml version="1.0" encoding="UTF-8"?> <feed xmlns="http://www.w3.org/2005/Atom"> <id>b7f65304-b63b-4246-88e2-c104049c5fd7</id> <title>Paged Feed</title> <link rel="self" href="https://example.org/feedA?page=5"/> <link rel="first" href="https://example.org/feedA?page=1"/> <link rel="prev" href="https://example.org/feedA?page=4"/> <link rel="next" href="https://example.org/feedA?page=6"/> <link rel="last" href="https://example.org/feedA?page=10"/> <updated>2012-05-04T18:13:51.0Z</updated> <!-- remainder of feed elements --> </feed>
Example Paged Feed
A reference to a historical Feed may need to be stable, and/or a Feed may need to be divided into a series of defined epochs. Implementations SHOULD support the mechanisms described in RFC5005 section 4 to provide link-based state transitions for maintaining archiving of Feeds.
An atom:feed MAY include additional link relationships not specified in this document. If a client encounters an unknown link relationship type, the client MUST ignore the unrecognized link and continue processing as if the unrecognized link element did not appear. The definition of new Link relations that provide additional state transition extensions is discussed in Section 7.3.
The atom:updated element identifies the date and time that a Feed was last updated.
The atom:updated element MUST be populated with the current time at the instant the Feed was last updated by adding, updating, or deleting an Entry; or changing any metadata for the Feed.
Each Entry in an Atom Feed, represented by the atom:entry element, describes a single referenced information record, along with descriptive information about its format, media type, and other publication metadata. The following atom:entry schema definition represents a stricter representation of the atom:entry element defined in [RFC4287] for use in a ROLIE-based Atom Feed as defined in Section 6.1.1.
atomEntry = element atom:entry { atomCommonAttributes, (atomAuthor* & atomCategory* & atomContent & atomContributor* & atomId & atomLink* & atomPublished? & atomRights? & atomSource? & atomSummary? & atomTitle & atomUpdated & rolieFormat? & rolieProperty* & extensionElement*) }
The notable changes from [RFC4287] are the addition of rolieFormat and rolieProperty elements. Also the atomContent element is restricted to the atomOutOfLineContent formulation and is now REQUIRED.
The following subsections contain requirements for Entries in a ROLIE Feed.
An atom:content element associates its containing Entry with a content resource identified by the src attribute.
There MUST be exactly one atom:content element in the Entry. The content element MUST adhere to this definition, which is a stricter representation of the atom:content element defined in [RFC4287]:
atomContent = element atom:content { atomCommonAttributes, attribute type { atomMediaType }, attribute src { atomUri }, empty }
This restricts atomContent in ROLIE to the atomOutofLine formulation presented in[RFC4287].
The type attribute MUST identify the serialization type of the content, for example, application/xml or application/json. A prefixed media type MAY be used to reflect a specific model used with a given serialization approach (e.g., application/rdf+xml). The src attribute MUST be an URI that can be dereferenced to retrieve the related content data.
Link relations can be included in an atom:entry to represent state transitions for the Entry.
If there is a need to provide the same information in different data models and/or serialization formats, separate Entry instances can be included in the same or a different Feed. Such an alternate content representation can be indicated using an atom:link having a rel attribute with the value "alternate".
An atom:feed MAY include additional link relationships not specified in this document. If a client encounters an unknown link relationship type, the client MUST ignore the unrecognized link and continue processing as if the unrecognized link element did not appear. The definition of new Link relations that provide additional state transition extensions is discussed in Section 7.3.
As mentioned earlier, a key goal of this specification is to allow a consumer to review a set of published security automation information resources, and then identify and retrieve any resources of interest. The format of the data is a key criteria to consider when deciding what information to retrieve. For a given type of security automation information, it is expected that a number of different formats may be used to represent this information. To support this use case, both the serialization format and the specific data model expressed in that format must be known by the consumer.
In the Atom Syndication format, a media type can be defined using the "type" attribute on the "atom:content" element of an atom:entry. The media type can be fully descriptive of the format of the linked document, such as "application/atom+xml". In some cases, however, a format specific media type may not be defined. An example might be when "application/xml" is used because there is no defined specific media type for the content. In such a case the exact data model of the content cannot be known without first retrieving the content.
In cases where a specific media type does not exist, the rolie:format element is used to describe the data model used to express the information referenced in the atom:content element. The rolie:format element also allows a schema to be identified that can be used when parsing the content to verify or better understand the structure of the content.
When it appears, the "rolie:format" element MUST adhere to this definition:
rolieFormat = element rolie:format { appCommonAttributes, attribute ns { atomURI }, attribute version { text } ?, attribute schema-location { atomURI } ?, attribute schema-type { atomMediaType } ?, empty }
The rolie:format element MUST provide a "ns" attribute that identifies the data model of the resource referenced by the atom:content element. For example, the namespace used may be an XML namespace URI, or an identifier that represents a serialized JSON model. The URI used for the "ns" attribute MUST be absolute. The resource identified by the URI need not be resolvable.
The rolie:format element MAY provide a "version" attribute that identifies the version of the format used for the related atom:content.
The rolie:format element MAY provide a "schema-location" attribute that is a URI that identifies a schema resource that can be used to validate the related atom:content.
The rolie:format element MAY provide a "schema-type" attribute, which is a media type (as described in [RFC2045] identifying the format of the schema resource identified by the "schema-location" attribute.
The following nominal example shows how these attributes describe the format of the content:
<rolie:format ns="urn:ietf:params:xml:ns:iodef-2.0" version="2.0" schema-location= "https://www.iana.org/assignments/xml-registry/schema/iodef-2.0.xsd" schema-type="text/xml"/>
The previous element provides an indication that the content of the given entry is using the IODEF v2 format.
An atom:category element provides a way to associate a name/value pair of categorical information using the scheme and term attributes to represent the name, and the label attribute to represent the value. When used in this way an atom:category allows a specific label to be selected from a finite set of possible label values that can be used to further classify a given atom:entry or atom:feed. Within ROLIE, there may be a need to associate additional metadata with an atom:entry. In such a case, use of an atom:category is not practical to represent name/value data for which the allowed values are unbounded. Instead, ROLIE has introduced a new rolie:property element that can represent non-categorical metadata as name/value pairs. Examples include content-specific identifiers, naming data, and other properties that allow for unbounded values.
There MAY be zero or more rolie:property elements in an atom:entry.
The element MUST adhere to this definition:
rolieProperty = element rolie:property { app:appCommonAttributes, attribute name { atom:atomURI }, attribute value { text } empty }
The name attribute provides a URI that identifies the namespace and name of the property as a URI.
The value attribute is text that provides a value for the property identified by the name attribute.
For example, the nominal element <rolie:property name="urn:ietf:params:rolie:property:content-id" value="12345"/> would expose an IODEF ID value contained in a given entry's content. The name used in the example also demonstrates the use of a registered ROLIE property extension, which is described in Section 7.4.
Implementations MAY use locally defined and namespaced elements in an Entry in order to provide additional information. Clients that do not recognize a property with an unregistered name attribute MUST ignore the rolie:property, that is, the client MUST NOT fail parsing content that contains an unrecognized property.
If an Entry is ever shared as a standalone resource, separate from its containing Feed, then the following additional requirements apply:
This specification does not require particular information types or data formats; rather, ROLIE is intended to be extended by additional specifications that define the use of new categories and link relations. The primary point of extension is through the definition of new information type category terms. Additional specifications can register new information type category terms with IANA that serve as the main characterizing feature of a ROLIE Collection/Feed or Resource/Entry. These additional specifications defining new information type terms, can describe additional requirements for including specific categories, link relations, as well as, use of specific data formats supporting a given information type term.
The atom:category element, defined in RFC 4287 section 4.2.2, provides a mechanism to provide additional categorization information for a content resource in ROLIE. The ability to define new categories is one of the core extension points provided by Atom. A Category Document, defined in RFC 5023 section 7, provides a mechanism for an Atom implementation to make discoverable the atom:category terms and associated allowed values.
ROLIE further defines the use of the existing Atom extension category mechanism by allowing ROLIE specific category extensions to be registered with IANA, and additionally has assigned the "urn:ietf:params:rolie:category:information-type" category scheme that has special meaning for implementations of ROLIE. This allows category scheme namespaces to be managed in a more consistent way, allowing for greater interoperability between content producers and consumers.
Any category whose "scheme" attribute uses an unregistered scheme MUST be considered private use. Implementations encountering such a category MUST parse the content without error, but MAY otherwise ignore the element.
Use of the "atom:category" element is discussed in the following subsections.
The atom:category element can be used for characterizing a ROLIE Resource. As discussed earlier in this document, an atom:category element has a "term" attribute that indicates the assigned category value, and a "scheme" attribute that provides an identifier for the category type. The "scheme" provides a means to describe how a set of category terms should be used and provides a namespace that can be used to differentiate terms provided by multiple organizations with different semantic meaning.
To further differentiate category types used in ROLIE, an IANA sub-registry has been established for ROLIE protocol parameters to support the registration of new category "scheme" attribute values by ROLIE extension specifications. Use of this extension point is discussed in Section 8.3 using the name field with a type parameter of "category" to indicate a category extension.
A ROLIE specific extension point is provided through the atom:category "scheme" value "urn:ietf:params:rolie:category:information-type". This value is a Uniform Resource Name (URN) [RFC8141] that is registered with IANA as described in Section 8.3. When used as the "scheme" attribute in this way, the "term" attribute is expected to be a registered value as defined in Section 8.4. Through this mechanism a given security automation information type can be used to:
For example, the notional security automation information type "incident" would be identified as follows:
<atom:category scheme="urn:ietf:params:rolie:category:information-type" term="incident"/>
A security automation information type represents a class of information that represents the same or similar information model [RFC3444]. Note that this document does not register any information types, but offers the following as examples of potential information types:
This is a short list to inspire new engineering of information type extensions that support the automation of security processes.
This document does not specify any information types. Instead, information types in ROLIE are expected to be registered in extension documents that describe one or more new information types. This allows the information types used by ROLIE implementations to grow over time to support new security automation use cases. These extension documents may also enhance ROLIE Service, Category, Feed, and Entry documents by defining link relations, other categories, and Format data model extensions to address the representational needs of these specific information types. New information types are added to ROLIE through registrations to the IANA ROLIE Security Resource Information Type registry defined in Section 8.4.
Security automation data pertaining to a given information type may be expressed using a number of supported formats. As described in Section 6.2.3, the rolie:format element is used to describe the specific data model used to represent the resource referenced by a given "atom:entry". The structure provided by the rolie:format element, provides a mechanism for extension within the atom:entry model. ROLIE extensions MAY further restrict which data models are allowed to be used for a given information type.
By declaring the data model used for a given Resource, a consumer can choose to download or ignore the Resource, or look for alternate formats. This saves the consumer from downloading and parsing resources that the consumer is not interested in or resources expressed in formats that are not supported by the consumer.
This document uses several link relations defined in the IANA Link Relation Types registry. Additional link relations can be registered in this registry to allow new relationships to be represented in ROLIE according to RFC 4287 section 4.2.7.2. Based on the preceding reference, if the link relation is too specific or limited in the intended use, an absolute URI can be used in lieu of registering a new simple name with IANA.
As discussed previously in Section 6.2.4, many formats contain unique identifying and characterizing properties that are vital for sharing information. In order to provide a global reference for these properties, this document establishes an IANA registry in Section 8.3 that allows ROLIE extensions to register named properties using the name field with a type parameter of "property" to indicate a property extension. Implementations SHOULD prefer the use of registered properties over implementation specific properties when possible.
ROLIE extensions are expected to register new and use existing properties to provide valuable identifying and characterizing information for a given information type and/or format.
The namespace "urn:ietf:params:rolie:property:local" has been reserved in the IANA ROLIE Parameters table for private use as defined in [RFC8126]. Any property whose "name" attribute uses this as a prefix MUST be considered private use. Implementations encountering such a property MUST parse the content without error, but MAY otherwise ignore the element.
This document also registers a number of general use properties that can be used to expose content information in any ROLIE use case. The following are descriptions of how to use these registered properties:
This document has a number of IANA considerations described in the following subsections.
This document uses URNs to describe XML namespaces and XML schemas conforming to a registry mechanism described in [RFC3688].
IANA has added an entry to the "IETF URN Sub-namespace for Registered Protocol Parameter Identifiers" registry located at <http://www.iana.org/assignments/params/params.xml#params-1> as per RFC3553.
The entry is as follows:
A new top-level registry has been created, entitled "Resource Oriented Lightweight Information Exchange (ROLIE) URN Parameters". [TO BE REMOVED: This registration should take place at the following location: https://www.iana.org/assignments/rolie]
Registration in the ROLIE URN Parameters registry is via the Specification Required policy [RFC8126]. Registration requests must be sent to both the MILE WG mailing list (mile@ietf.org) and IANA. IANA will forward registration requests to the Designated Expert.
Each entry in this sub-registry must record the following fields:
This repository has the following initial values:
Name | Extension URI | Reference | Sub-Registry |
---|---|---|---|
category:information-type | urn:ietf:params:rolie:category:information-type | This document, Section 8.4 | [TO BE REMOVED: This registration should take place at the following location: https://www.iana.org/assignments/rolie/category/information-type] |
property:content-author-name | urn:ietf:params:rolie:property:content-author-name | This document, Section 7.4 | None |
property:content-id | urn:ietf:params:rolie:property:content-id | This document, Section 7.4 | None |
property:content-published-date | urn:ietf:params:rolie:property:content-published-date | This document, Section 7.4 | None |
property:content-updated-date | urn:ietf:params:rolie:property:content-updated-date | This document, Section 7.4 | None |
A new sub-registry has been created to store ROLIE information type values.
This document defines a resource-oriented approach for lightweight information exchange using HTTP over TLS, the Atom Syndication Format, and the Atom Publishing Protocol. As such, implementers must understand the security considerations described in those specifications. All that follows is guidance, more specific instruction is out of scope for this document.
To protect the confidentiality of a given resource provided by a ROLIE implementation, requests for retrieval of the resource need to be authenticated to prevent unauthorized users from accessing the resource (see Section 5.4). It can also be useful to log and audit access to sensitive resources to verify that proper access controls remain in place over time.
Access control to information published using ROLIE should use mechanisms that are appropriate to the sensitivity of the information. Primitive authentication mechanisms like HTTP Basic Authentication [RFC7617] are rarely appropriate for sensitive information. A number of authentication schemes are defined in the HTTP Authentication Schemes Registry. Of these, HOBA and SCRAM-SHA-256 provide improved security properties over HTTP Basic [RFC7617]and Digest [RFC7616] Authentication Schemes. However, sharing communities that are engaged in sensitive collaborative analysis and/or operational response for indicators and incidents targeting high value information systems should adopt a suitably stronger user authentication solution, such as a risk-based or multi-factor approach.
Collaborating consortiums may benefit from the adoption of a federated identity solution, such as those based upon OAuth with JWT, or SAML-core, SAML-bind, and SAML-prof for Web-based authentication and cross-organizational single sign-on. Dependency on a trusted third party identity provider implies that appropriate care must be exercised to sufficiently secure the Identity provider. Any attacks on the federated identity system would present a risk to the consortium, as a relying party. Potential mitigations include deployment of a federation-aware identity provider that is under the control of the information sharing consortium, with suitably stringent technical and management controls.
Authorization of resource representations is the responsibility of the source system, i.e. based on the authenticated user identity associated with an HTTP(S) request. The required authorization policies that are to be enforced must therefore be managed by the security administrators of the source system. Various authorization architectures would be suitable for this purpose, such as RBAC and/or ABAC, as embodied in XACML. In particular, implementers adopting XACML may benefit from the capability to represent their authorization policies in a standardized, interoperable format. Note that implementers are free to choose any suitable authorization mechanism that is capable of fulfilling the policy enforcement requirements relevant to their consortium and/or organization.
Additional security requirements such as enforcing message-level security at the destination system could supplement the security enforcements performed at the source system, however these destination-provided policy enforcements are out of scope for this specification. Implementers requiring this capability should consider leveraging, e.g. the <RIDPolicy> element in the RID schema. Refer to RFC6545 section 9 for more information. Additionally, the underlying serialization approach used in the representation (e.g., XML, JSON) can offer encryption and message authentication capabilities. For example, XMLDSig [RFC3275] for XML, and JSON Web Encryption [RFC7516] and JSON Web Signature[RFC7515] for JSON can provide such mechanisms.
When security policies relevant to the source system are to be enforced at both the source and destination systems, implementers must take care to avoid unintended interactions of the separately enforced policies. Potential risks will include unintended denial of service and/or unintended information leakage. These problems may be mitigated by avoiding any dependence upon enforcements performed at the destination system. When distributed enforcement is unavoidable, the usage of a standard language (e.g. XACML) for the expression of authorization policies will enable the source and destination systems to better coordinate and align their respective policy expressions.
A service discovery mechanism is not explicitly specified in this document, and there are several approaches available for implementers. When selecting this mechanism, implementations need to ensure that their choice provides a means for authenticating the server. As described in the discovery section, DNS SRV Records are a possible solution to discovery.
The optional author field may provide an identification privacy issue if populated without the author's consent. This information may become public if posted to a public feed. Special care should be taken when aggregating or sharing entries from other feeds, or when programmatically generating ROLIE entries from some data source that the author's personal info is not shared without their consent.
When using the Atom Publishing Protocol to POST entries to a feed, attackers may use correlating techniques to profile the user. The request time can be compared to the generated "updated" field of the entry in order to build out information about a given user. This correlation attempt can be mitigated by not using HTTP requests to POST entries when profiling is a risk, and rather use backend control of the Feeds.
Adoption of the information sharing approach described in this document will enable users to more easily perform correlations across separate, and potentially unrelated, cyber security information providers. A client may succeed in assembling a data set that would not have been permitted within the context of the authorization policies of either provider when considered individually. Thus, providers may face a risk of an attacker obtaining an access that constitutes an undetected separation of duties (SOD) violation. It is important to note that this risk is not unique to this specification, and a similar potential for abuse exists with any other cyber security information sharing protocol. However, the wide availability of tools for HTTP clients and Atom Feed handling implies that the resources and technical skills required for a successful exploit may be less than it was previously. This risk can be best mitigated through appropriate vetting of the client at account provisioning time. In addition, any increase in the risk of this type of abuse should be offset by the corresponding increase in effectiveness that this specification affords to the defenders.
Overall, privacy concerns in ROLIE can be mitigated by following security considerations and careful use of the optional personally identifying elements (e.g., author) provided by Atom Syndication and ROLIE.
The authors gratefully acknowledge the valuable contributions of Tom Maguire, Kathleen Moriarty, and Vijayanand Bharadwaj. These individuals provided detailed review comments on earlier drafts, and made many suggestions that have helped to improve this document.
The authors would also like to thank the MILE Working Group, the SACM Working Group, and countless other people from both within the IETF community and outside of it for their excellent review and effort towards constructing this draft.
This appendix is informative.
The Relax NG schema below defines the rolie:format element.
# -*- rnc -*- # RELAX NG Compact Syntax Grammar for the rolie ns namespace rolie = "urn:ietf:params:xml:ns:rolie-1.0" # import the ATOM Syndication RELAX NG Compact Syntax Grammar include "atomsynd.rnc" # rolie:format rolieFormat = element rolie:format { atomCommonAttributes, attribute ns { atomUri }, attribute version { text } ?, attribute schema-location { atomUri } ?, attribute schema-type { atomMediaType } ?, empty } # rolie:property rolieProperty = element rolie:property { atomCommonAttributes, attribute name { atomUri }, attribute value { text }, empty } }
This section provides a non-normative example of a client doing service discovery.
An Atom Service Document enables a client to dynamically discover what Feeds a particular publisher makes available. Thus, a provider uses an Atom Service Document to enable authorized clients to determine what specific information the provider makes available to the community. The Service Document should be made accessible from a easily found location, such as a link from the producer's home page.
A client may format an HTTP GET request to retrieve the service document from the specified location:
GET /rolie/servicedocument Host: www.example.org Accept: application/atomsvc+xml
Notice the use of the HTTP Accept: request header, indicating the MIME type for Atom service discovery. The response to this GET request will be an XML document that contains information on the specific Collections that are provided.
Example HTTP GET response:
HTTP/1.1 200 OK Date: Fri, 24 Aug 2016 17:09:11 GMT Content-Length: 570 Content-Type: application/atomsvc+xml;charset="utf-8" <?xml version="1.0" encoding="UTF-8"?> <service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom"> <workspace> <atom:title type="text">Vulnerabilities</atom:title> <collection href="https://example.org/provider/vulns"> <atom:title type="text">Vulnerabilities Feed</atom:title> <categories fixed="yes"> <atom:category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/> </categories> </collection> </workspace> </service>
This simple Service Document example shows that the server provides one workspace, named "Vunerabilities". Within that workspace, the server makes one Collection available.
A server may also offer a number of different Collections, each containing different types of security automation information. In the following example, a number of different Collections are provided, each with its own category and authorization scope. This categorization will help the clients to decide which Collections will meet their needs.
HTTP/1.1 200 OK Date: Fri, 24 Aug 2016 17:10:11 GMT Content-Length: 1912 Content-Type: application/atomsvc+xml;charset="utf-8" <?xml version="1.0" encoding='utf-8'?> <service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom"> <workspace> <atom:title>Public Security Information Sharing</atom:title> <collection href="https://example.org/provider/public/vulns"> <atom:title>Public Vulnerabilities</atom:title> <atom:link rel="service" href="https://example.org/rolie/servicedocument"/> <categories fixed="yes"> <atom:category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/> </categories> </collection> </workspace> <workspace> <atom:title>Private Consortium Sharing</atom:title> <collection href="https://example.org/provider/private/incidents"> <atom:title>Incidents</atom:title> <atom:link rel="service" href="https://example.org/rolie/servicedocument"/> <categories fixed="yes"> <atom:category scheme="urn:ietf:params:rolie:category:information-type" term="incident"/> </categories> </collection> </workspace> </service>
In this example, the provider is making available a total of two Collections, organized into two different workspaces. The first workspace contains a Collection consisting of publicly available software vulnerabilities. The second workspace provides an incident Collection for use by a private sharing consortium. An appropriately authenticated and authorized client may then proceed to make HTTP requests for these Collections. The publicly provided vulnerability information may be accessible with or without authentication. However, users accessing the Collection restricted to authorized members of a private sharing consortium are expected to authenticate before access is allowed.
This section provides a non-normative example of a client retrieving an vulnerability Feed.
Having discovered the available security information sharing Collections, a client who is a member of the general public may be interested in receiving the Collection of public vulnerabilities. The client may retrieve the Feed for this Collection by performing an HTTP GET operation on the URL indicated by the Collection's "href" attribute.
Example HTTP GET request for a Feed:
GET /provider/public/vulns Host: www.example.org Accept: application/atom+xml
The corresponding HTTP response would be an XML document containing the vulnerability Feed:
Example HTTP GET response for a Feed:
HTTP/1.1 200 OK Date: Fri, 24 Aug 2016 17:20:11 GMT Content-Length: 2882 Content-Type: application/atom+xml;charset="utf-8" <?xml version="1.0" encoding="UTF-8"?> <feed xmlns="http://www.w3.org/2005/Atom" xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0" xml:lang="en-US"> <id>2a7e265a-39bc-43f2-b711-b8fd9264b5c9</id> <title type="text"> Atom formatted representation of a feed of XML vulnerability documents </title> <category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/> <updated>2016-05-04T18:13:51.0Z</updated> <link rel="self" href="https://example.org/provider/public/vulns" /> <link rel="service" href="https://example.org/rolie/servicedocument"/> <entry> <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/> <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id> <title>Sample Vulnerability</title> <published>2015-08-04T18:13:51.0Z</published> <updated>2015-08-05T18:13:51.0Z</updated> <summary>A vulnerability issue identified by CVE-...</summary> <content type="application/xml" src="https://example.org/provider/vulns/123456/data"/> </entry> <entry> <!-- ...another entry... --> </entry> </feed>
This Feed document has two Atom Entries, one of which has been elided. The first Entry illustrates an atom:entry element that provides a summary of essential details about one particular vulnerability. Based upon this summary information and the provided category information, a client may choose to do an HTTP GET request, on the content "src" attribute, to retrieve the full details of the vulnerability.
This section provides a non-normative example of a client retrieving an vulnerability as an Atom Entry.
Having retrieved the Feed of interest, the client may then decide, based on the description and/or category information, that one of the entries in the Feed is of further interest. The client may retrieve this vulnerability Entry by performing an HTTP GET operation on the URL indicated by the "src" attribute of the atom:content element.
Example HTTP GET request for an Entry:
GET /provider/public/vulns/123456 Host: www.example.org Accept: application/atom+xml;type=entry
The corresponding HTTP response would be an XML document containing the Atom Entry for the vulnerability record:
Example HTTP GET response for an Entry:
HTTP/1.1 200 OK Date: Fri, 24 Aug 2016 17:30:11 GMT Content-Length: 713 Content-Type: application/atom+xml;type=entry;charset="utf-8" <?xml version="1.0" encoding="UTF-8"?> <entry xmlns="http://www.w3.org/2005/Atom" xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0" xml:lang="en-US"> <id>f63aafa9-4082-48a3-9ce6-97a2d69d4a9b</id> <title>Sample Vulnerability</title> <published>2015-08-04T18:13:51.0Z</published> <updated>2015-08-05T18:13:51.0Z</updated> <category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/> <summary>A vulnerability issue identified by CVE-...</summary> <rolie:format ns="urn:ietf:params:xml:ns:exampleformat"/> <content type="application/xml" src="https://example.org/provider/vulns/123456/data"> </content> </entry>
The example response above shows an XML document referenced by the "src" attribute of the atom:content element. The client may retrieve the document using this URL.
Changes in draft-ietf-mile-rolie-14 since draft-ietf-mile-rolie-13 revision:
Changes in draft-ietf-mile-rolie-13 since draft-ietf-mile-rolie-12 revision:
Changes in draft-ietf-mile-rolie-11 since draft-ietf-mile-rolie-09 revision:
Changes in draft-ietf-mile-rolie-09 since draft-ietf-mile-rolie-08 revision:
Changes in draft-ietf-mile-rolie-08 since draft-ietf-mile-rolie-07 revision:
Changes in draft-ietf-mile-rolie-07 since draft-ietf-mile-rolie-06 revision:
Changes in draft-ietf-mile-rolie-06 since draft-ietf-mile-rolie-05 revision:
Changes in draft-ietf-mile-rolie-05 since draft-ietf-mile-rolie-04 revision:
Changes in draft-ietf-mile-rolie-04 since draft-ietf-mile-rolie-03 revision:
Changes made in draft-ietf-mile-rolie-03 since draft-ietf-mile-rolie-02 revision:
Changes made in draft-ietf-mile-rolie-02 since draft-field-mile-rolie-01 revision:
Changes made in draft-ietf-mile-rolie-01 since draft-field-mile-rolie-02 revision: