SLPF Profile; Review prior to July 11 ballot

["Brule, Joseph M" <jmbrule@radium.ncsc.mil>]

Actuator Profile SC,

 

Many thanks to the reviewers who provided comments.  I resolved and accepted as many changes as I could.  There are some suggested changes and unresolved comments that we can address on the July 11 AP SC meeting (summarized at the end of this email).  Any unresolved comments will be identified in an editorial note and we will post the ballot at the end of the day on July 11.  July 11 is going to be busy!   

 

At your next opportunity, please review the SLPF and ideally dial into the APSC on Wednesday at 13:00 eastern.  The googledoc version is located at https://docs.google.com/document/d/1_kMVkkNjtwNjRPN4MeLfQF8Envp_O_TrhII45vNkb-Y/edit  

 

Thank you

 

VR

 

Joe Brule

 

====== UNRESOLVED CHANGES/ COMMENTS ======

ORIGINAL:  A firewall is a policy enforcement mechanism that restricts or permits traffic based on some combination of attributes such as connection state, ports, protocols, patterns, flows etc.  A ‘Stateless-Packet-Filter’ (SLPF) bases its [rules] on static values such as…

PROPOSED: A ‘Stateless-Packet-Filter’ (SLPF) is a policy enforcement mechanism that restricts or permits traffic based on packet header information its policy on static values such as…

 

ORIGINAL: All components, devices and systems that provide SLPF functionality implement the ACTIONS, TARGETS, SPECIFIERS and ARGUMENTS identified as required in this document. Actions that are applicable, but not necessarily required, for SLPF firewalls will be identified as optional

COMMENT:  are we specifying an interface or specifying how to build devices? I thought we were specifying an interface. Ie we should word it relative to commands accepted instead of 'implementing functionality'.

 

ORIGINAL: deceive

PROPOSED: remove the deceive command argument as an option

 

ORIGINAL:  (required to implement both deny and allow)

COMMENT: I disagree it must do both accept and deny. I'm ok with it must do at least one of them (ie both can't be optional). AWS NACL's only do allows. I think AWS NACL's should be a viable SPLF

 

ORIGINAL:  n/a

NEW MATERIAL: 'insert_rule' was added as a command argument so that the orchestrator can explicitly assign a rule number to be inserted at any part of the rule set

NEW MATERIAL: [added this text to explain the insert_rule in the context of a deny or allow]

• [producers] MAY populate the command arguments field with the ‘insert_rule=INT’ option where INT is an integer.
• [producers]MUST populate the command options field with ‘response_type=complete’ if the insert_rule argument is populated.

• [consumers] MUST assign the rule number provided if the ‘insert_rule=INT’ option is populated.
• [consumers] If the rule number is currently in use, then MUST respond with the 501 error code and SHOULD respond with ‘Rule number currently in use’ in the error description

 

ORIGINAL:  [look at table 2.3-1orchestrators must support ip_connection AND ip_addr.  Actuators must support one or the other.  The comment was that only ip_connection is to be required]

 

NEW MATERIAL:  [update file command was added back in]

NEW MATERIAL: [conformance section added]

COMMENT: " I think we need a better way to say what is intended" [this was in the new conformance section, no alternative text was provided]