Re: [cti] Network Traffic Object External Relationships

No strong objections on either method.

Allan

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Wednesday, April 24, 2019 at 9:46 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Network Traffic Object External Relationships

All,

Sean and I have been having a disagreement on slack, so to get consensus we need the rest of the TC to weigh in on this topic.

The Mini-Group proposed that the following embedded relationships on the Network Traffic Object SCO be made external.

encapsulates_refs

encapsulated_by_refs

I disagree with this change and think they should remain embedded, now that I understand why this was proposed. A network flow between two points during a certain time elements does NOT change its encapsulation on the fly. This is not how the network works.

So say I document that HTTPs traffic between 1.1.1.1 and 2.2.2.2 on port 4242 was tunneled over SSH from Jan1 to Jan2. That tunneling is over SSH for the time frame that the network traffic object is being described. You would not then say that the same Network Traffic Object is now being tunneled over some other encapsulation (say DNS TXT records) at a different time.

In my mind, you would create a second Network Traffic Object for that event and then you would link the two network traffic objects together. This would then allow you to express confidence in your assertion that these two network traffic objects are in fact the same or similar enough to be viewed as the same thing. But reusing a Network Traffic Object is, IMO, wrong.

Sean thinks that you should have one Network Traffic Object and be able to reuse it over and over and say that it was encapsulated in X in January, and Y in February, and Z in March. But to me that does not make sense as that is not how the network works.

I would like to hear what others have to say. If I am wrong, please let me know.

Bret

cti message