draft-ietf-mile-rfc5070-bis-20.txt   draft-ietf-mile-rfc5070-bis-21.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) May 9, 2016 Obsoletes: 5070 (if approved) May 10, 2016
Intended status: Standards Track Intended status: Standards Track
Expires: November 10, 2016 Expires: November 11, 2016
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-20 draft-ietf-mile-rfc5070-bis-21
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for security incident reports and cyber data representation for security incident reports and cyber
indicators commonly exchanged by operational security teams for indicators commonly exchanged by operational security teams for
mitigation and watch and warning. This document describes an updated mitigation and watch and warning. This document describes an updated
information model for the IODEF and provides an associated data model information model for the IODEF and provides an associated data model
specified with XML Schema. This new information and data model specified with XML Schema. This new information and data model
obsoletes [RFC5070]. obsoletes Request for Comment (RFC) 5070, "The Incident Object
Description Exchange Format".
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 10, 2016. This Internet-Draft will expire on November 11, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 23
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6 1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 6
1.4. Changelog . . . . . . . . . . . . . . . . . . . . . . . . 7 1.4. Changelog . . . . . . . . . . . . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 8 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10 2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10
2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10
2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 10 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 10
2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10 2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 10 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 10 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 11
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 11
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 11 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.13. Uniform Resource Locator strings . . . . . . . . . . . . 11 2.13. Uniform Resource Locator strings . . . . . . . . . . . . 12
2.14. Identifiers and Identifier References . . . . . . . . . . 12 2.14. Identifiers and Identifier References . . . . . . . . . . 12
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 12
2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13 2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 13
2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 14 2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 14
3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17 3. The IODEF Information Model . . . . . . . . . . . . . . . . . 17
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 17
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 18 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 18
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 22
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 22
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 23 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 23
skipping to change at page 4, line 45 skipping to change at page 4, line 47
9. Security Considerations . . . . . . . . . . . . . . . . . . . 157 9. Security Considerations . . . . . . . . . . . . . . . . . . . 157
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157 9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 157
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 157 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 157
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 158 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 158
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 158 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 158
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 158 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 158
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 161 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 161
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 161 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 161
12.1. Normative References . . . . . . . . . . . . . . . . . . 161 12.1. Normative References . . . . . . . . . . . . . . . . . . 161
12.2. Informative References . . . . . . . . . . . . . . . . . 164 12.2. Informative References . . . . . . . . . . . . . . . . . 164
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 164 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 165
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a botnet, or sharing watch-lists of known malicious indicators in a
consortium. consortium.
skipping to change at page 13, line 35 skipping to change at page 14, line 4
[W3C.SCHEMA]. [W3C.SCHEMA].
The attributes of the SoftwareReference class are: The attributes of the SoftwareReference class are:
spec-name spec-name
Required. ENUM. Identifies the format and semantics of the Required. ENUM. Identifies the format and semantics of the
element body of this class. Formal standards and specifications element body of this class. Formal standards and specifications
can be referenced as well as a free-form text description with a can be referenced as well as a free-form text description with a
user-provided data type. These values are maintained in the user-provided data type. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Section 10.2 "SoftwareReference-spec-id" IANA registry per Section 10.2
1. custom. The element content is free-form and of the data type 1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected, specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set. then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform 2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry. Enumeration (CPE) entry per [NIST.CPE].
3. swid. The element content describes a software identification 3. swid. The element content describes a software identification
(SWID) tag per [ISO19770]. (SWID) tag per [ISO19770].
4. ext-value. A value used to indicate that this attribute is 4. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-spec-name ext-spec-name
Optional. STRING. A means by which to extend the spec-name Optional. STRING. A means by which to extend the spec-name
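Review bot: the registry named in the spec-name description does not match the attribute it governs: the attribute is `spec-name`, yet its values are said to live in the "SoftwareReference-spec-id" IANA registry, and the "per Section 10.2" reference is missing its terminating period. Either rename the registry to "SoftwareReference-spec-name" or add a sentence explaining why the registry key differs from the attribute name, and apply the same check to the registry table in Section 10.2 so both places agree. For the `cpe` value, the new "per [NIST.CPE]" citation should also say which CPE representation the element body carries, otherwise a receiver that validates the body against one CPE syntax will reject entries a sender wrote in another, and both will claim conformance.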
skipping to change at page 51, line 23 skipping to change at page 51, line 23
Figure 26: Confidence Class Figure 26: Confidence Class
The content of the class is of type REAL and specifies a numerical The content of the class is of type REAL and specifies a numerical
assessment in the confidence of the data when the value of the rating assessment in the confidence of the data when the value of the rating
attribute is "numeric". Otherwise, this element MUST be empty. attribute is "numeric". Otherwise, this element MUST be empty.
The attributes of the Confidence class are: The attributes of the Confidence class are:
rating rating
Required. ENUM. A qualitative assessment of confidence. Required. ENUM. A qualitative assessment of confidence. These
values are maintained in the "Confidence-rating" IANA registry per
Section 10.2
1. low. Low confidence. 1. low. Low confidence.
2. medium. Medium confidence. 2. medium. Medium confidence.
3. high. High confidence. 3. high. High confidence.
4. numeric. The element content contains a number that conveys 4. numeric. The element content contains a number that conveys
the confidence of the data. The semantics of this number the confidence of the data. The semantics of this number
outside the scope of this specification. outside the scope of this specification.
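Review bot: item 4 under rating is missing its verb: "The semantics of this number outside the scope of this specification" should read "The semantics of this number are outside the scope of this specification." The sentence added for the "Confidence-rating" registry also needs a period after "Section 10.2". Since a `numeric` rating places a REAL in the element body with no defined range, consider adding that receivers SHOULD NOT compare numeric confidence values from different producers unless a common scale has been agreed; as written, a consumer merging feeds can silently rank a 0.9 from one sender below a 90 from another.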
skipping to change at page 106, line 17 skipping to change at page 106, line 17
2 [O1]: <Observable>..</Observable> 2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable> 3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
Equivalent expression: (NOT (O1 AND O2)) Equivalent expression: (NOT (O1 AND O2))
Figure 69: A recursive IndicatorExpression with an operator attribute Figure 69: A recursive IndicatorExpression with an operator attribute
specified specified
Invalid algebraic expressions while valid XML, MUST not be specified. Invalid algebraic expressions while valid XML, MUST NOT be specified.
3.29.6. ObservableReference Class 3.29.6. ObservableReference Class
The ObservableReference describes a reference to an observable The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document. feature or phenomenon described elsewhere in the document.
The ObservableReference class has no content. The ObservableReference class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
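Review bot: in Figure 69 the two closing tags are both numbered 4 ("4 : </IndicatorExpression>" appears twice), so the line numbers the figure uses to label observables no longer identify a unique line; renumber the second close, and any lines after it, so every line in the figure has a distinct number. The change to "MUST NOT" is correct, but the sentence it sits in still needs commas: "Invalid algebraic expressions, while valid XML, MUST NOT be specified." It would help implementers to say what a receiver does on encountering such an expression (for example, treat the enclosing Indicator as unevaluable rather than evaluate the well-formed part), since a MUST NOT on the sender alone leaves receiver behavior undefined.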
skipping to change at page 159, line 46 skipping to change at page 159, line 46
| | | | | | | |
| Incident-status | incident-status-type | Section 3.2 | | Incident-status | incident-status-type | Section 3.2 |
| | | | | | | |
| Contact-role | contact-role-type | Section 3.9 | | Contact-role | contact-role-type | Section 3.9 |
| | | | | | | |
| Contact-type | contact-type-type | Section 3.9 | | Contact-type | contact-type-type | Section 3.9 |
| | | | | | | |
| RegistryHandle- | registryhandle-registry- | Section 3.9.1 | | RegistryHandle- | registryhandle-registry- | Section 3.9.1 |
| registry | type | | | registry | type | |
| | | | | | | |
| PostalAddress-type | postaladdress-type-type | Section 3.9.2 |
| | | |
| Telephone-type | telephone-type-type | Section 3.9.4 | | Telephone-type | telephone-type-type | Section 3.9.4 |
| | | | | | | |
| Email-type | email-type-type | Section 3.9.3 | | Email-type | email-type-type | Section 3.9.3 |
| | | | | | | |
| Expectation-action | action-type | Section 3.15 | | Expectation-action | action-type | Section 3.15 |
| | | | | | | |
| Discovery-source | discovery-source-type | Section 3.10 | | Discovery-source | discovery-source-type | Section 3.10 |
| | | | | | | |
| SystemImpact-type | systemimpact-type-type | Section | | SystemImpact-type | systemimpact-type-type | Section |
| | | 3.12.1 | | | | 3.12.1 |
| | | | | | | |
| BusinessImpact- | businessimpact-severity- | Section | | BusinessImpact- | businessimpact-severity- | Section |
| severity | type | 3.12.2 | | severity | type | 3.12.2 |
| | | | | | | |
| BusinessImpact-type | businessimpact-type-type | Section | | BusinessImpact-type | businessimpact-type-type | Section |
| | | 3.12.2 | | | | 3.12.2 |
| | | | | | | |
| TimeImpact-metrics | timeimpact-metric-type | Section | | TimeImpact-metric | timeimpact-metric-type | Section |
| | | 3.12.3 | | | | 3.12.3 |
| | | | | | | |
| TimeImpact-duration | duration-type | Section | | TimeImpact-duration | duration-type | Section |
| | | 3.12.3 | | | | 3.12.3 |
| | | | | | | |
| Confidence-rating | confidence-rating-type | Section | | Confidence-rating | confidence-rating-type | Section |
| | | 3.12.5 | | | | 3.12.5 |
| | | | | | | |
| NodeRole-category | noderole-category-type | Section | | NodeRole-category | noderole-category-type | Section |
| | | 3.18.2 | | | | 3.18.2 |
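Review bot: the new PostalAddress-type row is inserted between RegistryHandle-registry (Section 3.9.1) and Telephone-type (Section 3.9.4), which leaves the 3.9.x rows out of section order (3.9.1, 3.9.2, 3.9.4, 3.9.3); move Email-type (3.9.3) above Telephone-type so the table can be checked against the text by walking it in order. The rename from TimeImpact-metrics to TimeImpact-metric now matches the registry's type name (timeimpact-metric-type); please search the rest of the draft for the old plural spelling so no remaining "TimeImpact-metrics" mention points at a registry name that no longer exists.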
skipping to change at page 163, line 48 skipping to change at page 163, line 48
10646", RFC 3629, November 2003. 10646", RFC 3629, November 2003.
[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
10646", RFC 2781, February 2000. 10646", RFC 2781, February 2000.
[IANA.Media] [IANA.Media]
Internet Assigned Numbers Authority, "Media Types", March Internet Assigned Numbers Authority, "Media Types", March
2015, <http://www.iana.org/assignments/media-types/ 2015, <http://www.iana.org/assignments/media-types/
media-types.xhtml>. media-types.xhtml>.
[NIST.CPE]
The National Institute of Standards and Technology,
"Common Platform Enumeration", 2014,
<http://scap.nist.gov/specifications/cpe/>.
[ISO19770] [ISO19770]
International Organization for Standardization, International Organization for Standardization,
"Information technology -- Software asset management -- "Information technology -- Software asset management --
Part 2: Software identification tag, ISO/IEC Part 2: Software identification tag, ISO/IEC
19770-2:2015", ISO 19770-2:2015, October 2015. 19770-2:2015", ISO 19770-2:2015, October 2015.
12.2. Informative References 12.2. Informative References
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
Object Description Exchange Format", RFC 5070, December Object Description Exchange Format", RFC 5070, December
skipping to change at page 165, line 4 skipping to change at page 165, line 6
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, May 2008. IANA Considerations Section in RFCs", RFC 5226, May 2008.
[W3C.XMLENC] [W3C.XMLENC]
World Wide Web Consortium, "XML Encryption Syntax and World Wide Web Consortium, "XML Encryption Syntax and
Processing Version 1.1", W3C Recommendation , April 2013, Processing Version 1.1", W3C Recommendation , April 2013,
<https://www.w3.org/TR/xmlenc-core1/>. <https://www.w3.org/TR/xmlenc-core1/>.
Author's Address Author's Address
Roman Danyliw Roman Danyliw
CERT - Carnegie Mellon University CERT - Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA Pittsburgh, PA
USA USA
EMail: rdd@cert.org EMail: rdd@cert.org
 End of changes. 19 change blocks. 
18 lines changed or deleted, 29 lines changed or added.
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/