Hi Med,

Thanks for your comments. To your general comments, I want to say that the main proposal of this draft is to: 1) give a clear definition of a network device's threat surface, then its information model; 2) based on this IM, show how to collect all of this information via the NETCONF/YANG interface, given that most of it is already defined in existing YANG DMs for modules (i.e., the interface YANG DM, the IP management YANG DM, etc.).

The description of "application and technology agnostic" is indeed a problem; we will fix it. To your detailed comments in the PDF and Word files, I have reviewed them all and will answer them in my presentation slides, with more background.

Thanks again!

B.R.
Frank

From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
Sent: 16 October 2024 21:56
To: Xialiang(Frank, IP Security Standard) <frank.xiali...@huawei.com>; opsawg@ietf.org
Cc: draft-hu-opsawg-network-element-tsm-y...@ietf.org
Subject: RE: Hi, introduce a new draft (draft-hu-opsawg-network-element-tsm-yang-00) and warmly welcome your comments:

Hi Frank,

Thank you for sharing this draft. The teaser below is appealing :-)

I understand this is a -00 and some more work is needed to better articulate the need and the actual contributions of the draft. The current version fails (at least to me) to convey those. I also have some trouble digesting what is actually meant by "application and technology agnostic" given the technology details in the main document. I think my questions would be clarified if a model were included.

A few comments can be found at:
* pdf: https://github.com/boucadair/IETF-Drafts-Reviews/blob/master/2024/draft-hu-opsawg-network-element-tsm-yang-00-rev%20Med.pdf
* doc: https://github.com/boucadair/IETF-Drafts-Reviews/raw/refs/heads/master/2024/draft-hu-opsawg-network-element-tsm-yang-00-rev%20Med.docx

OPSEC would be a good home for this discussion, but that WG is closed now.

Hope this helps.
Cheers,
Med

From: Xialiang(Frank, IP Security Standard) <frank.xialiang=40huawei....@dmarc.ietf.org>
Sent: Tuesday, 15 October 2024 04:27
To: opsawg@ietf.org
Cc: draft-hu-opsawg-network-element-tsm-y...@ietf.org
Subject: [OPSAWG] Hi, introduce a new draft (draft-hu-opsawg-network-element-tsm-yang-00) and warmly welcome your comments:

Hi OPSAWG experts,

We have a new draft (draft-hu-opsawg-network-element-tsm-yang-00) that focuses on threat surface management for network devices. It comes from real problems and requirements on the live network. When a device is visible to the outside world, that is, through open ports, services, and accounts, and these exposed surfaces have weak configurations and vulnerabilities, they may be targeted by attackers and maliciously exploited, and then become attack surfaces. Therefore, network administrators need comprehensive, accurate, and timely visibility of this information. The corresponding technical requirements are to clearly define the management objects of the device's threat surface and the corresponding model, and then implement the management, control, and mitigation solutions.

This draft is an attempt to define the model of the device threat surface (currently, information about interfaces, services, accounts, versions and vulnerabilities is included) and how to obtain it through the NETCONF/YANG mechanism. Previously, the now-closed Network Endpoint Assessment (NEA) and Security Automation and Continuous Monitoring (SACM) working groups of the IETF did similar work. There have been some recent MUD extensions (RFC 9472 -- MUD YANG extension for SBOMs and Vulnerability Information; ietf-opsawg-mud-tls -- MUD YANG extension for TLS security posture of IoT devices) with similar goals and proposals. This draft is essentially a specific requirement and solution for security O&M.
Because it is relatively unique, we submit it to the OPSAWG WG and hope to get help and comments from the experts here.

Thanks a lot!

B.R.
Frank

____________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
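As an illustration of the collection approach Frank describes in his reply (reusing existing YANG data models over NETCONF to build the interface part of a device's threat-surface inventory), here is an added example that is not from the draft or from either poster. It parses a constructed NETCONF reply built from the standard ietf-interfaces and ietf-ip modules and derives which interfaces are actually reachable; the sample reply, the record layout and the exposure rule are assumptions of this example, not the draft's model.

```python
import xml.etree.ElementTree as ET

# Namespaces of the standard YANG modules the reply is built from.
NS = {
    "if": "urn:ietf:params:xml:ns:yang:ietf-interfaces",
    "ip": "urn:ietf:params:xml:ns:yang:ietf-ip",
}

# Constructed sample <get> reply (not captured from a real device).
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<data><interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
 <interface><name>GigabitEthernet0/0</name><enabled>true</enabled>
  <oper-status>up</oper-status>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
   <address><ip>192.0.2.10</ip><prefix-length>24</prefix-length></address></ipv4>
 </interface>
 <interface><name>GigabitEthernet0/1</name><enabled>true</enabled>
  <oper-status>down</oper-status>
  <ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
   <address><ip>192.0.2.20</ip><prefix-length>24</prefix-length></address></ipv4>
 </interface>
 <interface><name>GigabitEthernet0/2</name><enabled>false</enabled>
  <oper-status>down</oper-status></interface>
</interfaces></data></rpc-reply>"""


def interface_inventory(reply_xml: str) -> list:
    """Flatten an ietf-interfaces/ietf-ip reply into one record per
    interface: the raw material of the device's interface threat surface."""
    root = ET.fromstring(reply_xml)
    records = []
    for intf in root.findall(".//if:interfaces/if:interface", NS):
        addrs = [f"{a.findtext('ip:ip', namespaces=NS)}/"
                 f"{a.findtext('ip:prefix-length', namespaces=NS)}"
                 for a in intf.findall("ip:ipv4/ip:address", NS)]
        records.append({
            "name": intf.findtext("if:name", namespaces=NS),
            "enabled": intf.findtext("if:enabled", "false", NS) == "true",
            "oper_status": intf.findtext("if:oper-status", "unknown", NS),
            "ipv4": addrs,
        })
    return records


def exposed_interfaces(records: list) -> list:
    """Assumed exposure rule: an interface counts as exposed surface only
    when it is admin-enabled, operationally up and carries an address."""
    return [r["name"] for r in records
            if r["enabled"] and r["oper_status"] == "up" and r["ipv4"]]
```

The same pattern extends to the other objects the draft lists (services, accounts, versions) wherever a standard module already exposes them.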