From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7495.txt | 563 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 563 insertions(+) create mode 100644 doc/rfc/rfc7495.txt (limited to 'doc/rfc/rfc7495.txt') diff --git a/doc/rfc/rfc7495.txt b/doc/rfc/rfc7495.txt new file mode 100644 index 0000000..568c004 --- /dev/null +++ b/doc/rfc/rfc7495.txt @@ -0,0 +1,563 @@ + + + + + + +Internet Engineering Task Force (IETF) A. Montville +Request for Comments: 7495 CIS +Category: Standards Track D. Black +ISSN: 2070-1721 EMC + March 2015 + + + Enumeration Reference Format + for the Incident Object Description Exchange Format (IODEF) + +Abstract + + The Incident Object Description Exchange Format (IODEF) is an XML + data representation framework for sharing information about computer + security incidents. In IODEF, the Reference class provides + references to externally specified information such as a + vulnerability, Intrusion Detection System (IDS) alert, malware + sample, advisory, or attack technique. In practice, these references + are based on external enumeration specifications that define both the + enumeration format and the specific enumeration values, but the IODEF + Reference class (as specified in IODEF v1 in RFC 5070) does not + indicate how to include both of these important pieces of + information. + + This document establishes a stand-alone data format to include both + the external specification and specific enumeration identification + value, and establishes an IANA registry to manage external + enumeration specifications. While this document does not update + IODEF v1, this enumeration reference format is used in IODEF v2 and + is applicable to other formats that support this class of enumeration + references. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7495. + + + + + + +Montville & Black Standards Track [Page 1] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + +Copyright Notice + + Copyright (c) 2015 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Terminology ................................................3 + 2. Referencing External Enumerations ...............................3 + 2.1. Reference Name Format ......................................4 + 2.2. Reference Method Applicability .............................5 + 3. Security Considerations .........................................5 + 4. IANA Considerations .............................................6 + 5. The ReferenceName Schema ........................................8 + 6. References ......................................................9 + 6.1. Normative References .......................................9 + 6.2. Informative References .....................................9 + Acknowledgements ..................................................10 + Authors' Addresses ................................................10 + + + + + + + + + + + + + + + + + + + + + +Montville & Black Standards Track [Page 2] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + +1. Introduction + + There is an identified need to specify a format to include relevant + enumeration values from other data representation formats in an IODEF + document. It is anticipated that this requirement will exist in + other standardization efforts within several IETF Working Groups, but + the scope of this document pertains solely to IODEF. This format is + used in IODEF v2 [IODEFv2], which will replace the original IODEF v1 + [IODEF] specification; this document does not specify use of this + format in IODEF v1 [IODEF]. + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +2. Referencing External Enumerations + + The need is to place enumeration identifiers and their enumeration + format references in IODEF's Reference class. There are several ways + to accomplish this goal, but the most appropriate at this point is to + require a specific structure for the ReferenceName string of the + IODEF Reference class, and use an IANA registry to manage references + to specific enumeration reference formats. + + Per IODEF [IODEF], the ReferenceName is of type ML_STRING. This + becomes problematic when specific references, especially enumeration + formats such as Common Vulnerability Enumeration [CVE], Common + Configuration Enumeration [CCE], Common Platform Enumeration [CPE], + and so on, are referenced -- how is an implementer to know which type + of reference this is, and thus how to parse it? One solution, + presented here, is to require that ReferenceName follow a particular + format. + + Inclusion of such enumeration values, especially those related to + security automation, is important to incident communication and + investigation. Typically, an enumeration identifier is simply an + identifier with a specific format as defined by an external party. + Further, that enumeration identifier is itself a reference to + specific information associated with the identifier. Thus, the + ReferenceName is an identifier that is formatted in a specific manner + and that identifies some set of associated information. + + + + + + + + +Montville & Black Standards Track [Page 3] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + For example, a vulnerability identifier following the CVE [CVE] + formatting specification may be CVE-2014-0001. That identifier is + formatted in a specific manner and relates to information about a + specific vulnerability. Communicating the format for the identifier + is the subject of this document. + +2.1. Reference Name Format + + The ReferenceName class provides the XML representation for + identifying an enumeration and specifying a value from it. A given + enumeration is uniquely identified by the specIndex attribute. Each + specIndex value corresponds to an entry in the "Enumeration Reference + Type Identifiers" IANA registry (see Section 4). The child ID + element represents a particular value from the corresponding + enumeration identified by the specIndex attribute. The format of the + ID element is described in the IANA registry entry of the + enumeration. + + +-------------------------+ + | ReferenceName | + +-------------------------+ + | INTEGER specIndex |<>----------[ ID ] + +-------------------------+ + + Figure 1: The ReferenceName Class + + The aggregate class that constitutes ReferenceName is: + + ID + One. The identifier assigned to represent the particular + enumeration object being referenced. + + The ReferenceName class has one attribute. + + specIndex + Required. INTEGER. Enumeration identifier. This value + corresponds to an entry in the "Enumeration Reference Type + Identifiers" IANA registry with an identical SpecIndex value. + + An example of such a reference is as follows: + + + + CXI-1234-XYZ + + http://cxi.example.com + Foo + + + + +Montville & Black Standards Track [Page 4] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + Information in the IANA table (see Section 4) would include: + + Full Name: Concept X Identifier + SpecIndex: 1 + Version: any + Specification URI: http://cxi.example.com/spec_url + +2.2. Reference Method Applicability + + While the scope of this document pertains to IODEF, any standard + needing to reference an enumeration identified by a specially + formatted string can use this method of providing structure after the + standard has been published. In effect, this method provides a + standardized interface for enumeration formats, thus allowing a loose + coupling between a given standard and the enumeration identifiers it + needs to reference now and in the future. + +3. Security Considerations + + Ensuring a proper mapping of enumeration reference ID elements to the + correct SpecIndex is important. Potential consequences of not + mapping correctly include inaccurate information in references and + similar distribution of misinformation. + + Use of enumeration reference IDs from trusted sources is preferred to + mitigate the risk of receiving and/or providing misinformation. + Trust decisions with respect to enumeration reference providers are + beyond the scope of this document. However, receiving an IODEF + [IODEF] document containing an unknown ReferenceName (i.e., the + SpecIndex does not exist in the IANA table) may indicate a misled or + malicious source. + + This document establishes a container for publicly available + enumeration values to be included in an IODEF [IODEF] document, and + it is important to note the distinction between the enumeration + value's format and the information conveyed by the value itself. + While the enumeration value may hold information deemed to be private + by relying parties, the enumeration format is likely not subject to + privacy concerns. + + However, if the Reference class includes an enumeration value in + combination with other data in an IODEF [IODEF] document, the + resulting combination could expose information. An example might + include attack vectors or system descriptions used in a privacy- + related incident. As such, the reader is referred to the IODEF + [IODEF] Security Considerations section, which explicitly covers + protecting IODEF [IODEF] documents in transit and at rest, ensuring + + + + +Montville & Black Standards Track [Page 5] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + proper recipient authentication, data confidence levels, underlying + transport security characteristics, and proper use of IODEF's + restriction attribute. + +4. IANA Considerations + + This document specifies an enumeration reference identifier format. + All fields, including abbreviation, are mandatory. + + Per this document, IANA has created and maintains the following + registry: + + Name of the Registry: "Security External Enumeration Registry" + + Location of Registry: http://www.iana.org/assignments/sec-ext-enum + + Fields to record in the registry: + + Full Name: The full name of the enumeration (i.e., the + referenced specification) as a string from the printable ASCII + character set [RFC20] with individual embedded spaces allowed. + The ABNF [RFC5234] syntax for this field is: + + FULL-NAME = 1*VCHAR *(SP 1*VCHAR) + + Abbreviation: An abbreviation may be an acronym -- it consists + of uppercase characters (at least two). Uppercase is used to + avoid mismatches due to case differences. It is specified by + this ABNF [RFC5234] syntax: + + ABBREVIATION = 2*UC-ALPHA ; At least two + UC-ALPHA = %x41-5A ; A-Z + + Multiple registrations MAY use the same Abbreviation but + MUST have different Versions. + + SpecIndex: This is an IANA-assigned positive integer that + identifies the registration. The first entry added to this + registry uses the value 1, and this value is incremented for + each subsequent entry added to the registry. + + Version: The version of the enumeration (i.e., the referenced + specification) as a free-form string from the printable ASCII + character set [RFC20] excepting white space, i.e., from VCHAR + as defined in [RFC5234]. Some of the characters allowed in the + version string are escaped when that string is used in XML + + + + + +Montville & Black Standards Track [Page 6] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + documents (e.g., '<' is represented as <); the registered + version string contains the unescaped ASCII character in all + such cases. + + Specification URI/Reference: A list of one or more URIs + [RFC3986] from which the registered specification can be + obtained. The registered specification MUST be readily and + publicly available from that URI. The URI SHOULD be a stable + reference to a specific version of the specification. URIs + that designate the latest version of a specification (which + changes when a new version appears) SHOULD NOT be used. + + Initial registry contents: + + Full Name: Common Vulnerabilities and Exposures + + Abbreviation: CVE + + SpecIndex: 1 + + Version: 1.0 + + Specification URI/Reference: + https://nvd.nist.gov/download.cfm#CVE_FEED + + Allocation Policy: Specification Required [RFC5226] (which implies + Expert Review [RFC5226]). + + The Designated Expert is expected to consult with the MILE (Managed + Incident Lightweight Exchange) working group or its successor if any + such WG exists (e.g., via email to the working group's mailing list). + The Designated Expert is expected to review the request and validate + the appropriateness of the enumeration for the attribute. This + review includes review of the specification associated with the + request. + + The Designated Expert is expected to ensure that the Full Name, + Abbreviation, and Version are appropriate and that the information at + the Specification URI is sufficient to unambiguously parse + identifiers based on that specification. Additionally, the + Designated Expert should prefer short Abbreviations over long ones. + + This document uses URNs to describe XML namespaces and XML schemas + conforming to a registry mechanism described in [RFC3688]. + + + + + + + +Montville & Black Standards Track [Page 7] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + Registration for the IODEF enumeration reference format namespace: + + URI: urn:ietf:params:xml:ns:iodef-enum-1.0 + + Registrant Contact: See the "Authors' Addresses" section of this + document. + + XML: None. + + Registration for the IODEF enumeration reference format XML schema: + + URI: urn:ietf:params:xml:schema:iodef-enum-1.0 + + Registrant Contact: See the "Authors' Addresses" section of this + document. + + XML: See Section 5, "The ReferenceName Schema", of this document. + +5. The ReferenceName Schema + + + + + + + + + + + + + + + + + + + + + + + +Montville & Black Standards Track [Page 8] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + +6. References + +6.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997, + . + + [IODEF] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident + Object Description Exchange Format", RFC 5070, December + 2007, . + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008, . + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, RFC + 3986, January 2005, + . + + [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for + Syntax Specifications: ABNF", STD 68, RFC 5234, January + 2008, . + + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, + January 2004, . + +6.2. Informative References + + [RFC20] Cerf, V., "ASCII format for network interchange", STD 80, + RFC 20, October 1969, + . + + [IODEFv2] Danyliw, R. and P. Stoecker, "The Incident Object + Description Exchange Format v2", Work in Progress, + draft-ietf-mile-rfc5070-bis-11, March 2015. + + [CCE] The MITRE Corporation, "Common Configuration Enumeration + (CCE): Unique Identifiers for Common System Configuration + Issues", website in "Archive" status, + . + + [CPE] The MITRE Corporation, "CPE - Common Platform + Enumeration", website in "Archive" status, + . + + + + + +Montville & Black Standards Track [Page 9] + +RFC 7495 IODEF Enumeration Reference Format March 2015 + + + [CVE] The MITRE Corporation, "CVE - Common Vulnerabilities and + Exposures", . + +Acknowledgements + + The authors would like to thank Eric Burger for the recommendation to + rely on XML, Roman D. Danyliw for his schema contribution and + insight, and Tim Bray, Panos Kampanakis, Barry Leiba, Ted Lemon, + Alexey Melnikov, Kathleen Moriarty, Takeshi Takahashi, Henry S. + Thompson, and David Waltermire for their contributions and reviews. + +Authors' Addresses + + Adam W. Montville + + EMail: adam.w.montville@gmail.com + + + David Black + EMC Corporation + + EMail: david.black@emc.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Montville & Black Standards Track [Page 10] + -- cgit v1.2.3