I'll agree with Kamer and Duncan, I did like what Kamer illustrated with bullets, I think option one is most extensible.
-Alex
From: openc2-actuator@lists.oasis-open.org <openc2-actuator@lists.oasis-open.org> on behalf of Kamer Vishi <kamerv@ifi.uio.no>
Sent: Thursday, February 14, 2019 2:41 PM
To: Brule, Joseph M
Cc: openc2-actuator@lists.oasis-open.org
Subject: Re: [openc2-actuator] Proposed means to support (deny or allow) ICMP types
Sent: Thursday, February 14, 2019 2:41 PM
To: Brule, Joseph M
Cc: openc2-actuator@lists.oasis-open.org
Subject: Re: [openc2-actuator] Proposed means to support (deny or allow) ICMP types
I will start my feedback with less preferred approach/option.
Approach TWO: e.g. when we have to deny/allow traffic based on TCP or UDP the property ICMP type will be unused.
Approach THREE a.k.a. "widening the 5-tuple”; is a discussion which is mainly for NGF (Next-Generation Firewalls).
- source IP address (1)
- destination IP address (2)
- source port (3)
- destination port (4)
- protocol (5) & flags (6)
- TCP
- SYN bit
- ACK bit
- ICMP
- icmp-type
- UDP
- TCP
Approach ONE is my preference since ICMP data (type and code) are specifically used with proto=ICMP (NOT for UDP and TCP).
--
Best,
Best,
|
Kamer Vishi
Doctoral Research Fellow Research Group of Information and Cyber Security (SEC) |
|
| Contact Information | |
| a: Postboks 1080 Blindern | |
| 0316 Oslo, Norway | |
| m: +47 942 59 172 | |
| e: kamerv@uio.no | |
|
|
|
On 14 Feb 2019, at 19:41, Brule, Joseph M <jmbrule@radium.ncsc.mil> wrote:
- Proto= TCP - 5 tuple is proto=TCP, src-ip, dst-ip, src-port, dest-port