cti-taxii message
Subject: RE: [cti-taxii] TAXII Brainstorming
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Davidson II, Mark S" <mdavidson@mitre.org>
- Date: Thu, 16 Jul 2015 11:32:34 -0300
One thing I'd like to raise... (note, currently I am neither pro nor con of the idea of using an MQ for TAXII 2.0, as it is obviously way too early in the discussion for that) I'd just like to ask that, let's not throw the baby (an HTTP based protocol) out with the bath water just yet. There are various pros and cons for moving from HTTP to an MQ based solution, especially when considering the potential ramifications of large public internet-facing portals that wish to do threat sharing.
While one may run an MQ such as MQTT open on the Internet, I am not really sure if it was engineered with that use case in mind...
In any event, just food for thought. I thought I would raise it since thus far the whole brainstorming thread has been focused on MQs vs. brainstorming about improvements to HTTP.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Davidson II, Mark S" ---2015/07/16 09:37:23 AM---Pat, Do you know if there is an updated version of this paper? The first paragraph notes recently as
From: "Davidson II, Mark S" <mdavidson@mitre.org>
To: Patrick Maroney <Pmaroney@Specere.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, Terry MacDonald <terry.macdonald@threatloop.com>
Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/07/16 09:37 AM
Subject: RE: [cti-taxii] TAXII Brainstorming
Sent by: <cti-taxii@lists.oasis-open.org>
Pat,
Do you know if there is an updated version of this paper? The first paragraph notes recently as Q4 2011, and both AMQP and MQTT have progressed since then. AMQP 1.0 was released in late 2012 [1], and represented a significant change from AMQP 0.91. MQTT 3.1.1 was released in October 2014 [2], though I currently have little knowledge about how much MQTT may or may not have changed since the paper was written.
Thank you.
-Mark
[1] http://www.amqp.org/node/102
[2] http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/mqtt-v3.1.1.html
From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Patrick Maroney
Sent: Wednesday, July 15, 2015 7:50 PM
To: Jordan, Bret <bret.jordan@bluecoat.com>; Terry MacDonald <terry.macdonald@threatloop.com>
Cc: cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] TAXII Brainstorming
Perhaps my earlier comment on "bonus points" was a bit too obtuse (both represent OASIS Standards): in any case those interested in message protocols may find the following paper of interest:
https://lists.oasis-open.org/archives/amqp/201202/msg00086/StormMQ_WhitePaper_-_A_Comparison_of_AMQP_and_MQTT.pdf
You may also find joining and observing the MQTT TC discourse of interest.
Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
pmaroney@specere.org
From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Tuesday, July 14, 2015 9:34:32 PM
To: Terry MacDonald
Cc: cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] TAXII Brainstorming
Yes, our number one goal is to figure out what the future of TAXII should be so we can start looking at what needs to be done. However, seeing how the list has been quiet, I thought I would try and stoke some discussions.
Mark and I do not want to taint the early discussions with our ideas, we would like to hear from all of you first.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Jul 14, 2015, at 19:29, Terry MacDonald <terry.macdonald@threatloop.com> wrote:
My thoughts on 0MQ: Yep, it's an option, and definitely one that should be added to the mix.
Once we have a better understanding of the key goals as sourced and agreed from the group as a whole then we will be able to identify potential ways those goals can be achieved. I do think we need to step back a little and determine the underlying principles we want TAXII v2.0 to focus on. From there the potential architectures we can evaluate will become self-evident.
Step 1 IMHO should be identifying what doesn't work with TAXII 1.1. That should at least point us in the right direction.
Cheers
Terry MacDonald | STIX, TAXII, CybOX Consultant
M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com
Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.
On 15 July 2015 at 11:12, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
The point of my question still stands.... :) I would like to know your thoughts about 0MQ.
We have a lot of big questions to talk about and address in the coming weeks and months. But for now, Mark and I would like to hear your wish list and feedback on what you would like out of TAXII... I would also like to see some thought put into a TAXII Server Architecture that may include pieces outside of the TAXII specification.
Another question, what is missing from TAXII 1.1 that needs to be added to the next version? Some ideas from the lists could be things like:
1) Authentication
2) Profile negotiation
etc etc..
Basically, I am trying to stoke the fire of thought and discussion. From my standpoint we have taken the last 6 months off from TAXII development, if not longer; now it is time to get back to work.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Jul 14, 2015, at 18:48, Terry MacDonald <terry.macdonald@threatloop.com> wrote:
Hi Bret,
This is so far down the track in the future as we have to have some discussion around the key points we wish to focus on for TAXII v2.0, but at the same time, something worth at least putting some research time into. I am very loathe to distribute this to the list as we are nowhere near the point that we can discuss solutions as we don't have a definite list of them identified by the CTI TAXII SC yet, but at the same time I think it is a useful discourse to have in preparation for those future official conversations.
From what I can tell from my limited knowledge, we will need a flexible serialization layer (e.g. Thrift, Cap'n Proto, Protobuf2, SBE, FlatBuffers, etc.), and then a distribution mechanism underneath that to make sure the content is delivered (e.g. RabbitMQ, ZeroMQ, ActiveMQ, Kafka, EagleMQ, etc.). 0MQ (ZeroMQ) fits into that latter part of the equation. It would deal with getting the data from point A to point B as fast as possible.
I think once we define the key goals for the project and identify some target metrics, then we can begin to experiment with some test data encoded and distributed in various ways. My belief is that we can only definitively identify the best transport mechanisms by actual experimentation - running example realistic test data through combinations of serialization/distribution mechanisms we would like to test so that we can discover the best solution experimentally, e.g.
Test_STIX_v2.0_Data -> Test_TAXII_v2.0_Data -> Capn'Proto_Serialization -> ZeroMQ and measure the amount of compression, connection bytes, encoding time, encoding CPU load, memory use and similar.
Only then will we be able to confirm which solution will be best for us to use. Even the author of protobuf2 and capnproto mentions here when comparing different serialization libraries: "The fact of the matter is that the relative performance of these libraries depends deeply on the use case. To know which one will be fastest for your project, you really need to benchmark them in your project, end-to-end. No contrived benchmark will give you the answer."
This is going to be fun!
Cheers
Terry MacDonald | STIX, TAXII, CybOX Consultant
M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com
Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.
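The measurement loop Terry sketches above (run realistic test records through a candidate encoding, then record bytes on the wire, compression ratio, encoding time and memory) is easy to prototype before any Cap'n Proto or ZeroMQ code exists. The harness below is an added example, not code from this thread or from the TAXII project. It uses only the Python standard library, so the "codecs" under test are stand-ins (pretty JSON, compact JSON, compact JSON plus zlib) rather than the libraries named in the mail; the sample indicator records, their field names and the `benchmark` function are all constructed for the example. Swapping in a real serializer means adding one more `(encode, decode)` pair to `CODECS`.

```python
import json
import time
import tracemalloc
import zlib

# Constructed sample data: a batch of indicator-like records with hypothetical
# field names (not a real STIX/TAXII schema). Repetitive keys and values are
# typical of threat-sharing feeds, which is exactly what makes compression
# numbers from a toy benchmark misleading unless the data is realistic.
SAMPLE_INDICATORS = [
    {
        "type": "indicator",
        "id": f"indicator--00000000-0000-4000-8000-{i:012d}",
        "created": "2015-07-15T09:59:00Z",
        "pattern": f"[ipv4-addr:value = '203.0.113.{i % 256}']",
        "labels": ["malicious-activity"],
        "description": "Constructed test record for a serialization benchmark",
    }
    for i in range(500)
]

# Each candidate codec is an (encode, decode) pair over a list of records.
# These three are stdlib stand-ins for the serializers named in the thread.
CODECS = {
    "json-pretty": (
        lambda recs: json.dumps(recs, indent=2).encode("utf-8"),
        lambda blob: json.loads(blob.decode("utf-8")),
    ),
    "json-compact": (
        lambda recs: json.dumps(recs, separators=(",", ":")).encode("utf-8"),
        lambda blob: json.loads(blob.decode("utf-8")),
    ),
    "json-compact+zlib": (
        lambda recs: zlib.compress(
            json.dumps(recs, separators=(",", ":")).encode("utf-8"), 6
        ),
        lambda blob: json.loads(zlib.decompress(blob).decode("utf-8")),
    ),
}


def _time_encode(encode, records, rounds):
    """Encode `records` `rounds` times; return the last blob and mean seconds."""
    start = time.perf_counter()
    blob = b""
    for _ in range(rounds):
        blob = encode(records)
    elapsed = time.perf_counter() - start
    return blob, elapsed / rounds


def _peak_memory_bytes(encode, records):
    """Peak Python heap allocation during one encode, measured with tracemalloc."""
    tracemalloc.start()
    try:
        encode(records)
        _, peak = tracemalloc.get_traced_memory()
    finally:
        tracemalloc.stop()
    return peak


def benchmark(records, codecs=CODECS, rounds=20, baseline="json-pretty"):
    """Return per-codec size, size ratio vs. baseline, encode time, peak memory
    and a round-trip check, so that a codec that is small but lossy is caught."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    results = {}
    for name, (encode, decode) in codecs.items():
        blob, seconds = _time_encode(encode, records, rounds)
        results[name] = {
            "bytes": len(blob),
            "encode_ms": seconds * 1000.0,
            "peak_kib": _peak_memory_bytes(encode, records) / 1024.0,
            "roundtrip_ok": decode(blob) == records,
        }
    base_bytes = results[baseline]["bytes"]
    for row in results.values():
        row["ratio_vs_baseline"] = row["bytes"] / base_bytes
    return results


def format_table(results):
    """Render the benchmark results as a fixed-width text table."""
    lines = [f"{'codec':<20}{'bytes':>10}{'ratio':>8}{'enc ms':>10}{'peak KiB':>10}  ok"]
    for name, r in results.items():
        lines.append(
            f"{name:<20}{r['bytes']:>10}{r['ratio_vs_baseline']:>8.2f}"
            f"{r['encode_ms']:>10.3f}{r['peak_kib']:>10.1f}  {r['roundtrip_ok']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(benchmark(SAMPLE_INDICATORS)))
```

The round-trip column is the one a practitioner should not skip: a candidate that shrinks the payload by dropping or reordering fields looks like a winner on bytes alone, and the decode-and-compare step is what exposes it. Absolute timings are only meaningful on the hardware and data you actually intend to ship, which is the point of the quoted advice to benchmark end-to-end in your own project.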
On 15 July 2015 at 09:59, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Team,
I would like you all to look at 0MQ (http://zeromq.org) and give some feedback.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."