OASIS Mailing List Archives

cti-taxii message



Subject: Re: [cti-taxii] TAXII Brainstorming


My thoughts on 0MQ: Yep, it's an option, and definitely one that should be added to the mix.

Once we have a better understanding of the key goals as sourced and agreed from the group as a whole then we will be able to identify potential ways those goals can be achieved. I do think we need to step back a little and determine the underlying principles we want TAXII v2.0 to focus on. From there the potential architectures we can evaluate will become self-evident.

Step 1 IMHO should be identifying what doesn't work with TAXII 1.1. That should at least point us in the right direction.

Cheers

Terry MacDonald | STIX, TAXII, CybOX Consultant




Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

On 15 July 2015 at 11:12, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
The point of my question still stands....  :)  I would like to know your thoughts about 0MQ.   

We have a lot of big questions to talk about and address in the coming weeks and months.  But for now, Mark and I would like to hear your wish list and feedback on what you would like out of TAXII...   I would also like to see some thought put into a TAXII Server Architecture that may include pieces outside of the TAXII specification.

Another question, what is missing from TAXII 1.1 that needs to be added to the next version?  Some ideas from the lists could be things like:
1) Authentication 
2) Profile negotiation
etc etc.. 

Basically, I am trying to stoke the fire of thought and discussion. From my standpoint we have taken the last 6 months off from TAXII development, if not longer, now it is time to get back to work.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jul 14, 2015, at 18:48, Terry MacDonald <terry.macdonald@threatloop.com> wrote:

Hi Bret,

This is so far down the track in the future as we have to have some discussion around the key points we wish to focus on for TAXII v2.0, but at the same time, something worth at least putting some research time into. I am very loath to distribute this to the list as we are nowhere near the point that we can discuss solutions as we don't have a definite list of them identified by the CTI TAXII SC yet, but at the same time I think it is a useful discourse to have in preparation for those future official conversations.

From what I can tell from my limited knowledge, we will need a flexible serialization layer (e.g. Thrift, Cap'n Proto, Protobuf2, SBE, FlatBuffers, etc), and then a distribution mechanism underneath that to make sure the content is delivered (e.g. RabbitMQ, ZeroMQ, ActiveMQ, Kafka, EagleMQ, etc). 0MQ (ZeroMQ) fits into that latter part of the equation. It would deal with getting the data from point A to point B as fast as possible.

I think once we define the key goals for the project, identify some target metrics then we can begin to experiment with some test data encoded and distributed in various ways. My belief is that we can only definitively identify the best transport mechanisms by actual experimentation - running example realistic test data through combinations of serialization/distribution mechanisms we would like to test so that we can discover the best solution experimentally e.g. 

Test_STIX_v2.0_Data -> Test_TAXII_v2.0_Data -> Capn'Proto_Serialization -> ZeroMQ and measure the amount of compression, connection bytes, encoding time, encoding CPU load, memory use and similar.

Only then will we be able to confirm which solution will be best for us to use. Even the author of protobuf2 and capnproto mentions here when comparing different serialization libraries "The fact of the matter is that the relative performance of these libraries depends deeply on the use case. To know which one will be fastest for your project, you really need to benchmark them in your project, end-to-end. No contrived benchmark will give you the answer."

This is going to be fun!

Cheers

Terry MacDonald | STIX, TAXII, CybOX Consultant




Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

On 15 July 2015 at 09:59, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Team,

I would like you all to look at 0MQ (http://zeromq.org) and give some feedback.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 






