OASIS Mailing List Archives

cti-taxii message



Subject: Re: [cti-taxii] TAXII Protocol Shortlist


So in the interest of spurring discussion, here are my thoughts:

HTTP 1.1 would be my preferred option:
  • Easy to implement against
  • Well understood
  • Very extensive library support
  • Will go through a firewall
  • Will not freak out security teams
HTTP 2 is intriguing, I can see how it would be nice. It seems like a trade-off: it’s not as well supported as HTTP 1.1 right now but that should be changing in the (near??) future. So given that it might be worth exploring it, and if nothing else adding support or switching over in a future version of TAXII?

The various messaging protocols:
  • I was under the impression that ZeroMQ is specific to a single software platform, which probably means it should not be used?
  • MQTT seems to be optimized for devices and small sensors, not sure that’s the biggest target now?
  • In general, the big cons of these seem to me to be:
    • Probably will not go through a corporate firewall without a lot of justification, so bad on the open internet
    • Not an awesome fit for the query model, though it’s doable
  • Pros:
    • Probably a better fit for lots of small messages (sightings) and publish/subscribe type models
    • Might be worth trying?
  • No opinion on AMQP 1.0 vs. 0.9.
I’m not sure of the reasoning behind SMTP so I can’t really evaluate it.

John

From: <cti-taxii@lists.oasis-open.org> on behalf of "Jordan, Bret"
Date: Thursday, August 27, 2015 at 12:14 PM
To: "cti-taxii@lists.oasis-open.org"
Subject: Re: [cti-taxii] TAXII Protocol Shortlist

Updated....


HTTP/1.1
HTTP/2
ZMTP
AMQP 0.9
AMQP 1.0
MQTT
SMTP

Please submit pros and cons for each of these and any others you think we should look at over the next 2 weeks.  Also, if there is no discussion of pros/cons for a given item, then it will be dropped from the list.  No reason for having it on the list if there is no supporting data one way or another for it.  So if you feel strongly about one of the above, or another yet to be added item, please do the research and identify why you think it would be a good option for us to go with and how it would solve the TAXII problems we have identified and further, how it will meet the protocol requirements we have identified on the wiki.  




Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 



