Re: [openc2-actuator] Resolution of Yu comments to the stateless packet filter profile

[Allan Thomson <athomson@lookingglasscyber.com>]

Dave/Joe – For OASIS specifications typically I’ve seen MUST, SHALL, MAY, SHOULD ….etc used in normative clauses.

 

Maybe I missed something in the original question Joe posed but something Dave said that caught my eye.

 

“optional features that MUST be implemented”

 

Do you mean that the feature is optional in a base/language specification but an actuator profile makes it mandatory?

 

If yes, then we have addressed this similar scenario we have in STIXPreferred by stating that the certification test is a ‘mandatory’ to perform and verify.

 

When we state what is mandatory we also include what exactly is being looked for to prove that the feature is ‘implemented’ satisfactorily which typically goes beyond data but also includes behavior on the system when acting on the data/protocol.

 

Regards

 

Allan

From: "Kemp, David P" <dpkemp@radium.ncsc.mil>
Date: Thursday, May 31, 2018 at 1:39 PM
To: "Brule, Joseph M" <jmbrule@radium.ncsc.mil>, Allan Thomson <athomson@lookingglasscyber.com>, "openc2-actuator@lists.oasis-open.org" <openc2-actuator@lists.oasis-open.org>
Cc: David Kemp <Dkemp@mobility-challenge.com>
Subject: RE: [openc2-actuator] Resolution of Yu comments to the stateless packet filter profile

 

MTI is standard IETF terminology (see e.g., rfc 7687).

 

For conformance requirements:

• Required has only one interpretation – it applies to both static and dynamic conformance.  If the feature is required to be used then the implementation must use it.
• Optional has two interpretations, so Mandatory is used in the IETF to distinguish between static and dynamic conformance requirements.   If a feature is optionally used by an implementation (dynamic conformance) then it may or may not be Mandatory (the feature is either supported or not supported by the implementation).

 

OASIS usage conflicts with that of the IETF – they use mandatory as a substitute for required.  http://docs.oasis-open.org/templates/TCHandbook/ConformanceGuidelines.html:

 

“If an extension is mandatory and it is not supported by the implementation, then the implementation MUST reject the process definition. If the extension is optional and it is not supported, then the implementation MUST ignore the extension. These two statements provide clear, unambiguous, testable directions to implementers of the specification.”

 

“For example a document that claims conformance to a schema does not have to use any optional features. However, in another scenario, a protocol implementation target should implement optional features in case another party using the protocol makes use of the optional features. In deciding how to dispose of optional features, issues that affect interoperability and portability need to be considered.”

 

I can’t find any clear-cut guidance for what terminology OASIS uses to designate optional features that MUST be implemented.   “Mandatory” is not it, since OASIS chooses to use it as a synonym of Required.   “MTI” is therefore an unambiguous alternative to “Mandatory to Send”, and unless OASIS can provide clearer guidance, we need to keep MTI to address static conformance issues that affect interoperability.

 

Dave

 

 

From: openc2-actuator@lists.oasis-open.org <openc2-actuator@lists.oasis-open.org> On Behalf Of Brule, Joseph M
Sent: Thursday, May 31, 2018 12:13 PM
To: 'Allan Thomson' <athomson@lookingglasscyber.com>; openc2-actuator@lists.oasis-open.org
Subject: [Non-DoD Source] RE: [openc2-actuator] Resolution of Yu comments to the stateless packet filter profile

 

Required can be interpreted as required for every command (vice required to implement).    Stating ‘mandatory’ (without the implement part) doesn’t address the issue. 

 

BTW, agree that mandatory would be a good term to use to indicate that it must pass a test. 

 

From: openc2-actuator@lists.oasis-open.org <openc2-actuator@lists.oasis-open.org> On Behalf Of Allan Thomson
Sent: Thursday, May 31, 2018 11:31 AM
To: Brule, Joseph M <jmbrule@radium.ncsc.mil>; openc2-actuator@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [openc2-actuator] Resolution of Yu comments to the stateless packet filter profile

 

Joe – Why not just state ‘mandatory’ without the TI part.

 

Mandatory is used in STIX/TAXII Interop Tests to indicate a mandatory test that must be passed to received STIXPreferred certification.

 

Requiring features to be implemented is a common thing across OASIS groups and I’m not sure why we need 2 different ways of saying it (or verifying it).

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: <openc2-actuator@lists.oasis-open.org> on behalf of "Brule, Joseph M" <jmbrule@radium.ncsc.mil>
Date: Thursday, May 31, 2018 at 6:09 AM
To: "openc2-actuator@lists.oasis-open.org" <openc2-actuator@lists.oasis-open.org>
Subject: [openc2-actuator] Resolution of Yu comments to the stateless packet filter profile

 

All,

 

Recall that we received sufficient votes on the firewall profile to be accepted as a CSD.   BTW, this is a bit of a milestone.  Many thanks to all of the contributors and to our firewall profile editors (Alex Everett and Duncan Sparrell).  

 

I am in the process of resolving the comments that were provided during the voting period.   The way I am going to proceed is:

·         Attempt to resolve the comment,

·         Contact the reviewer out of band to make sure I captured the comment correctly

·         Get an OK from them before forwarding it to the whole sub-committee. 

 

I gave you all of that boring information so that you would know why there is a lag between the comments and the proposed resolution to you. 

 

At the end of this email, I pasted in an exchange with Sounil.  For now, I will change the 'running' option to 'temporary'.  If there is a better term, then please provide.

 

The term 'Required' vs 'optional' has been a recurring issue.  In the context of the profile, the term 'required' means that it must be implemented, however required could be taken to mean 'required' for each command.   

 

I would like to use the phrase 'Mandatory to Implement' (MTI) so that it is obvious we mean required to implement vs required in each command.  I have been advised that MTI is not acceptable to OASIS.  If that is in fact the case, I would like to draft a proposal to allow the phrase and see if Chet and Robin are on board with it. 

 

VR

 

Joe B

 

======= tear line email exchange between Yu and Brule =====

Thanks for the update. I’m good with all the proposed changes. As for an alternative to “running”, I will generally defer to the router/switch guys, but if I had an option, permanent (survives reboot) or temporary (doesn’t survive reboot) would be a good alternative. 

 

Thanks

Sounil

 

From: Brule, Joseph M <jmbrule@radium.ncsc.mil>

Date: Wednesday, May 30, 2018, 3:54 PM

To: Yu, Sounil <sounil.yu@bankofamerica.com>

Subject: Resolution of your comments to the Stateless Packet Filter Profile

 

Sounil,

Here are your comments from the stateless packet filter profile: 

YU COMMENT:  Per comment provided by Sounil Yu. He advised the cross reference was incorrect and suggested 2.6.8.
PROPOSED RESOLUTION: I suggest removing the cross reference altogether as it is out of scope for this subsection

YU COMMENT:  Questions about the ap- prefix in the targets
PROPOSED RESOLUTION:  I removed all the ap- prefixes

YU COMMENT:  Comment per Sounil: " Based on the semantics specified, it appears that start-time, end-time, and duration are all optional, not required" PROPOSED RESOLUTION:  This is an artifact of the OASIS language. Required could be interpreted as 'required for each command', but in the context of OASIS, means 'Mandatory to Implement'.  I think we should adopt the phrases 'Mandatory to Implement (MTI)' and 'Optional to Implement'

YU COMMENT:  Comment per Sounil Yu: " Need a header for the commands. Is "file" a command?"
PROPOSED RESOLUTION:  The y axis are targets, the x axis are actions.  The intersection is a command (labeled as either Required or Optional)  I will add explanatory text.  I removed 'file' as a target.  File was a valid target for the update command, but removed per suggestion by Duncan Sparrell

YU COMMENT:  Comment per Sounil Yu: "If the "response" option has a default of "None", then it should be considered "Optional", not "Required". For start-time, end-time, and duration, if the same semantic apply as in Table 3, then these should all be "Optional" too"
PROPOSED RESOLUTION:   'Required' in this context means 'mandatory to implement', again, I think we should adopt MTI and OPT

YU COMMENT:  Change 'complete' to 'deceive'
PROPOSED RESOLUTION:  Made the change

YU COMMENT:  Comment per Sounil Yu: 'running' seems to0 vendor specific. Suggest changing
PROPOSED RESOLUTION:  Nothing yet, do you have a suggested new name? 

YU COMMENT:  Comment per Sounil Yu "General comments: Make sure that we use straight quotes and not curly quotes: (e.g., "response":"Ack"). Make sure that naming conventions for specifiers are consistent with lower case and no spaces (e.g., Named Group)."
PROPOSED RESOLUTION:  I will make it a point ot do an end to end scrub, but have not done so yet.