
openc2-actuator message



Subject: Re: [openc2-actuator] Specifiers for virtual actuators


At first look, the AWS example appears to be a sequence of identifiers of increasing specificity:

account / region / vpc / nacl

I'm assuming VPC = virtual private cloud, and that a given account could have more than one VPC in a particular region.

Can we define asset_id to have a form along those lines: a delimiter-separated sequence of increasingly specific identifiers for the asset in question? Seems like that would be flexible enough to address most use cases and specific enough to achieve interoperability.

Dave

David P. Lemire, CISSP
  OpenC2 Technical Committee Executive Secretary
  OpenC2 Implementation Considerations SC Co-chair
  Contractor support to NSA
Email: dave.lemire@g2-inc.com
Office: 301-575-5190 / Mobile: 240-938-9350

On Thu, May 31, 2018 at 12:36 PM, Brule, Joseph M <jmbrule@radium.ncsc.mil> wrote:
Actuator Profile Subcommittee,

We are currently resolving comments to the stateless packet filtering profile.  We defined three specifiers so that the orchestrator can direct a command to the firewall(s).
*       Hostname
*       Named_group
*       Asset_id

The gist of a comment we received was that these specifiers are not sufficient to cover the network function virtualization use case.  For example, the Amazon Web Service requires the following in order to identify the firewall with sufficient precision:
*       "aws_account_id" : "123445689", 
*       "aws_region" : "us-east-1",
*       "aws_vpc_id": "vpc-123",
*       "aws_nacl_id": "acl-123"

We need to define in a generic manner the specifiers needed to accommodate the network function virtualization use case and propose that this should be a topic for the next actuator profile subcommittee meeting. 

Your thoughts? 

VR

Joe Brule

