MILE Working Group                                           S. Banghart
Internet-Draft                                                      NIST
Intended status: Standards Track                        October 28, 2019
Expires: April 30, 2020


            Definition of the ROLIE Vulnerability Extension
                     draft-ietf-mile-rolie-vuln-03

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core to add the information type categories and
   related requirements needed to support vulnerability use cases.
   Additional categories, properties, and requirements based on content
   type enable a higher level of interoperability between ROLIE
   implementations, and richer metadata for ROLIE consumers.  In
   particular, usage of the Common Vulnerability Enumeration (CVE) [cve]
   format is discussed.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 30, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The "vulnerability" information type
   4.  Common Vulnerability Enumeration (CVE) Format
     4.1.  Description
     4.2.  Requirements
   5.  Link relations for the 'vulnerability' information-type
   6.  IANA Considerations
     6.1.  information-type registrations
       6.1.1.  vulnerability information-type
   7.  Security Considerations
   8.  Normative References
   Author's Address

1.  Introduction

   As our software becomes more complex and interconnected, the number
   of software vulnerabilities exploitable by actors with malicious
   intent has skyrocketed.  Huge amounts of resources have been poured
   into the preemptive discovery, description, and remediation of these
   vulnerabilities, but it is often a challenge to share and communicate
   the results of these efforts.  While bad actors have vast
   collaboration networks that enable widespread knowledge of any
   vulnerability, the defensive community at large has no sharing
   consortium as prevalent.  If we are to keep up with the rising
   difficulty of defending our systems, we must increase our ability to
   quickly, efficiently, and automatically share information about
   vulnerabilities.
   The Resource-Oriented Lightweight Information Exchange (ROLIE)
   [RFC8322] provides a means to share computer security information
   with an eye towards automation and efficiency.  By utilizing ROLIE to
   share vulnerability data, we get one step closer to establishing
   automated communication between each party involved in fighting
   vulnerabilities.  A security researcher can send a newly discovered
   vulnerability to a vulnerability repository, where it is
   automatically retrieved and consumed by enterprise systems.  At this
   final stage, the enterprise can cross-reference against its
   enterprise-wide software load to begin mitigating the issue.

   This extension to ROLIE introduces new requirements and IANA
   registrations to allow ROLIE repositories to share vulnerability data
   in a standardized and compatible way.

   This extension does not attempt to solve the vulnerability data
   format issue, as this work is being done across standards groups and
   industry consortiums.  Instead, this extension serves to address the
   problem of sharing these data formats with downstream consumers in an
   automated and efficient fashion.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC8174].

   As an extension of [RFC8322], this document refers to many terms
   defined in that document.  In particular, the use of "Entry" and
   "Feed" is aligned with the definitions presented there.

   Several places in this document refer to the "information-type" of a
   Resource (Entry or Feed).  This refers to the "term" attribute of an
   "atom:category" element whose scheme is
   "urn:ietf:params:rolie:category:information-type".  For an Entry,
   this value can be inherited from its containing Feed as per
   [RFC8322].
   This document uses the definition of "vulnerability" given by
   [RFC4949].

3.  The "vulnerability" information type

   When an "atom:category" element has a "scheme" attribute equal to
   "urn:ietf:params:rolie:category:information-type", the "term"
   attribute defines the information type of the associated resource.  A
   new valid value for this attribute, "vulnerability", is described in
   this section and registered in Section 6.1.1.  When this value is
   used, the resource in question is considered to have an
   information-type of "vulnerability" as per [RFC8322] Section 7.1.2.

   The "vulnerability" information-type represents any information
   describing or pertaining to a computer security vulnerability.  This
   document uses the definition of vulnerability provided by [RFC4949].
   Provided below is a non-exhaustive list of information that may be
   considered to be of the vulnerability information type.

   o  Fundamental identifying information, such as a global ID or
      number, that identifies a given vulnerability.

   o  Descriptive information, including but not limited to:

      *  Severity scoring - using some standardized scoring algorithm or
         otherwise,

      *  Execution details - how the vulnerability is exploited,

      *  Impact - what the consequences of this vulnerability are,

      *  History and provenance data - when the vulnerability was
         discovered, when it was reported and to whom,

      *  Plain text description of any of the above.

   o  Metadata attached to a vulnerability, such as information about
      the entity that discovered or described the vulnerability.

   Note again that this list is not exhaustive: any information that is
   in the abstract realm of a vulnerability should be classified under
   this information-type.  The final decision as to the information type
   of an Entry is up to the provider and author of the Entry.

4.  Common Vulnerability Enumeration (CVE) Format

4.1.  Description

   The Common Vulnerability Enumeration (CVE) provides a globally unique
   identifier for vulnerabilities.  Each CVE provides a CVE-ID, by which
   a vulnerability can be referred to in any context, as well as
   descriptive information about that vulnerability.

   For more information and in-depth specifications, please see [cve].

   CVE provides a valuable set of information fields, but itself does
   not provide a standardized data format.  This extension provides
   standardization around two common serializations of the CVE standard,
   both used by the National Institute of Standards and Technology
   (NIST) National Vulnerability Database (NVD).  The NVD provides a
   repository of "CVE Entries" available in either serialization format.
   The first format is XML-based: the NIST NVD CVE Entry format
   [nvdcvexml], and the second is JSON-based: the NIST NVD JSON CVE
   Entry Format [nvdcvejson].  These two representations of a CVE are
   equivalent, and can be losslessly converted.

   This section defines usage guidance and additional requirements above
   and beyond those specified in [RFC8322] that apply when CVE data
   formats are in use.

4.2.  Requirements

   For an Entry to be considered a "CVE Entry", it MUST fulfill the
   following conditions:

   o  The information-type of the Entry is "vulnerability".  For a
      typical Entry, this is derived from the information type of the
      Feed it is contained in.  For a standalone Entry, this is provided
      by an "atom:category" element.

   o  The document linked to by the "ref" attribute of the
      "atom:content" element is a CVE Entry as defined by either
      [nvdcvexml] or [nvdcvejson].  Other well-defined CVE
      serializations would be valid but would not be subject to the
      following requirements, reducing their interoperability.

   The XML and JSON NVD formats follow different requirements.
   An "XML CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/xml".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "" element in the attached
      CVE Entry.  This allows ROLIE consumers to more easily search
      for CVE Entries without needing to download the entry itself.

   A "JSON CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/json".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "cve:{cve_data_meta":{ID}}" element
      in the attached CVE Entry.  This allows ROLIE consumers to more
      easily search for CVE Entries without needing to download the
      entry itself.

5.  Link relations for the 'vulnerability' information-type

   The atom:link element contains a "rel" attribute that describes the
   semantic meaning of the given link.

   If the category of an Entry is the vulnerability information type,
   then the following link relations MUST be respected, that is, not
   removed, by the server.  Implementations can provide extra
   functionality by understanding the semantic meaning of these
   relations.

   +----------+--------------------------------------------------------+
   | Name     | Description                                            |
   +----------+--------------------------------------------------------+
   | severity | Links to a document describing or scoring the severity |
   |          | of this vulnerability.                                 |
   +----------+--------------------------------------------------------+

     Table 1: Link Relations for Resource-Oriented Lightweight Indicator
                                 Exchange

6.  IANA Considerations

6.1.  information-type registrations

   IANA has added the following entries to the "ROLIE Security Resource
   Information Type Sub-Registry" registry located at .

6.1.1.  vulnerability information-type

   The entry is as follows:

   name: vulnerability

   index: TBD

   reference: This document, Section 3

7.  Security Considerations

   All security considerations of the core ROLIE document apply to use
   of this extension.

   The use of this particular extension implies the use of ROLIE in
   sharing vulnerability information.  In automated use cases,
   downstream consumers may be dynamically acquiring and acting on
   vulnerabilities posted to a ROLIE repository.  In this case, a
   compromised server could serve up false vulnerability information to
   trigger dangerous activity in automated consumers.  Automatic
   remediation solutions that consume shared vulnerability information
   in high-risk use cases should take care to verify data before taking
   action.  If some global ID, such as a CVE-ID, is included, this
   verification should be trivial.

8.  Normative References

   [cve]      "Common Vulnerability Enumeration", .

   [cvexml]   The MITRE Corporation, , .

   [nvdcvejson]
              National Institute of Standards and Technology, "NVD CVE
              Entry JSON Schema", .

   [nvdcvexml]
              National Institute of Standards and Technology, "NVD CVE
              Entry XML Schema", .

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, .

   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005, .

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, .

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007, .
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, .

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018, .

Author's Address

   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: stephen.banghart@nist.gov
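The checks this draft places on a "CVE Entry" (Section 4.2), the Feed-inherited information-type of Section 2, the link relation a server must preserve (Section 5) and the consumer-side verification Section 7 recommends, as an added Python example.  This is not code from the draft, from NIST, or from any ROLIE implementation.  It assumes the rolie:* XML namespace that RFC 8322 registers, reads the JSON path the draft writes as "cve:{cve_data_meta":{ID}}" as cve.CVE_data_meta.ID, uses Atom's "src" attribute for out-of-line content (the draft's prose says "ref"), and runs over a constructed feed whose CVE-0000-* identifiers are placeholders.  The XML serialization is not cross-checked against its CVE-ID element because the page does not name that element.

```python
# Added example for draft-ietf-mile-rolie-vuln (Sections 2, 4.2, 5, 7); not the draft's own code.
import json
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
# rolie:* namespace as registered by RFC 8322 (assumed; this draft does not quote it)
ROLIE = "{urn:ietf:params:xml:ns:rolie-1.0}"
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
CONTENT_ID = "urn:ietf:params:rolie:property:content-id"
MUST_RESPECT = {"severity"}  # Section 5, Table 1: rels a server must not strip


def information_type(entry, feed=None):
    """Section 2: the Entry's information-type term, inherited from the
    containing Feed when the Entry carries no such category itself."""
    for node in (entry, feed):
        for cat in ([] if node is None else node.findall(ATOM + "category")):
            if cat.get("scheme") == INFO_TYPE_SCHEME:
                return cat.get("term")
    return None


def cve_id_from_json(doc):
    """CVE-ID of an NVD JSON CVE Entry.  The draft writes the path as
    "cve:{cve_data_meta":{ID}}"; it is read here as cve.CVE_data_meta.ID (assumed)."""
    try:
        return doc["cve"]["CVE_data_meta"]["ID"]
    except (KeyError, TypeError):
        return None


def check_cve_entry(entry, fetch, feed=None):
    """Return the Section 4.2 violations for one atom:entry (empty list == valid).
    fetch(url) returns the linked document; the Section 7 check compares the
    advertised content-id with the ID found inside that document."""
    problems = []
    if information_type(entry, feed) != "vulnerability":
        problems.append("information-type is not 'vulnerability'")
    content = entry.find(ATOM + "content")
    if content is None:
        return problems + ["no atom:content element"]
    # RFC 4287 calls the out-of-line content attribute "src"; the draft's prose says "ref"
    src, ctype = content.get("src"), content.get("type")
    if ctype not in ("application/xml", "application/json"):
        problems.append(f"atom:content type must be application/xml or application/json, got {ctype!r}")
    props = [p for p in entry.findall(ROLIE + "property") if p.get("name") == CONTENT_ID]
    if len(props) != 1:
        return problems + [f"expected exactly one content-id property, found {len(props)}"]
    advertised = props[0].get("value")
    if ctype == "application/json" and src:
        actual = cve_id_from_json(json.loads(fetch(src)))
        if actual != advertised:  # exact, case-sensitive match as Section 4.2 requires
            problems.append(f"content-id {advertised!r} does not match CVE-ID {actual!r} in linked document")
    # The XML element carrying the CVE-ID is not named on the page, so XML content is not cross-checked.
    return problems


def protected_links(entry):
    """Section 5: hrefs of the links whose rel a server MUST NOT remove."""
    return [ln.get("href") for ln in entry.findall(ATOM + "link") if ln.get("rel") in MUST_RESPECT]


# Constructed sample feed (not from the draft or the NVD); the CVE-0000-* IDs are placeholders.
FEED_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>urn:example:feed:vulns</id>
  <title>Example vulnerability feed</title>
  <category scheme="urn:ietf:params:rolie:category:information-type" term="vulnerability"/>
  <entry>
    <id>urn:example:entry:1</id>
    <content type="application/json" src="https://example.invalid/cve/CVE-0000-0001.json"/>
    <rolie:property name="urn:ietf:params:rolie:property:content-id" value="CVE-0000-0001"/>
    <link rel="severity" href="https://example.invalid/severity/CVE-0000-0001"/>
  </entry>
  <entry>
    <id>urn:example:entry:2</id>
    <content type="application/json" src="https://example.invalid/cve/CVE-0000-0002.json"/>
    <rolie:property name="urn:ietf:params:rolie:property:content-id" value="CVE-0000-0002"/>
  </entry>
</feed>"""

# Stand-in for the linked documents.  Entry 2's document carries a different ID than its
# property advertises: the "false vulnerability information" case of Section 7.
DOCUMENTS = {
    "https://example.invalid/cve/CVE-0000-0001.json": json.dumps({"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}}}),
    "https://example.invalid/cve/CVE-0000-0002.json": json.dumps({"cve": {"CVE_data_meta": {"ID": "CVE-0000-9999"}}}),
}


def validate_feed(feed_xml=FEED_XML, documents=DOCUMENTS):
    """Map each entry id to its Section 4.2 problems and the links a server must keep."""
    feed = ET.fromstring(feed_xml)
    return {e.findtext(ATOM + "id"): {"problems": check_cve_entry(e, documents.__getitem__, feed),
                                      "protected_links": protected_links(e)}
            for e in feed.findall(ATOM + "entry")}


if __name__ == "__main__":
    for entry_id, result in validate_feed().items():
        print(entry_id, "OK" if not result["problems"] else result["problems"])
```

Run as a script, entry 1 passes and entry 2 is reported because the CVE-ID inside the fetched document differs from the content-id the Entry advertises; a consumer that acts only on Entries with an empty problem list is applying the verification Section 7 asks for, using the global ID the draft says makes that check trivial.  Both Entries inherit their information-type from the Feed, which is the typical case Section 4.2 describes.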