OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

openc2 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: Request-response over pub/sub for openC2

More as a spec than an example, here is the McAfee opendxl messaging constructs for pub-sub and req-res



If you look at the request message structure, it includes a field for the response topic.



From: "duncan sfractal.com" <duncan@sfractal.com>
Date: Saturday, July 4, 2020 at 6:02 AM
To: "Das, Sudeep" <Sudeep_Das@McAfee.com>, "openc2@lists.oasis-open.org" <openc2@lists.oasis-open.org>
Subject: Re: Request-response over pub/sub for openC2


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Could you give an example? It would be particularly useful for a command (eg add a firewall rule, block an ip, etc) as the emphasis is on the C2 in openc2


iPhone, iTypo, iApologize

From: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org> on behalf of Das, Sudeep <Sudeep_Das@McAfee.com>
Sent: Friday, July 3, 2020 6:39:16 PM
To: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org>
Subject: [openc2] Request-response over pub/sub for openC2


Openc2 members,

                I received a request for technical assistance on openc2 over mqtt spec from Mr Brule earlier today. I am responding to oasis relay as recommended by Mr Brule.


The discussion is around setting up topics.


> Would you set up a topic that is 'action' so an orchestrator would

> post a 'deny evil_domain' then would you set up another topic 'response_action'

> so any actuator that could act on the deny evil domain would post

> its ack on the 'response_deny' channel?    Or would you guys make the

>topics more device centric, so there would be a topic that is 'gateway_routers'

> and the orchestrator posts the commands there then each

> router would have its own topic 'router_one', 'router_two' etc. to post its response.  


There are a few challenges to the openc2 spec in terms of pub sub. Openc2 messaging specifies request-response semantics, which is a different message pattern vis-Ã-vis pub-sub. The way we may manage req-res over pub-sub is as below (as implemented in McAfee opendxl )


  1. An orchestrator / publisher who intends to receive a response shall subscribe to a an arbitrary topic of its choice. We simply call this the response topic, and it is like the publishers callback phone number. Normally you want this callback topic to be statistically unique, and a guid works well.
  2. The publisher embeds this response topic in the message so that the subscriber / actuator can publish the response back to the callback topic.
  3. The actuator / subscriber topics are better named after the actions rather than the device.  Device characteristics are generally unbounded, and you see a topic sprawl with a device centric topic naming as compared to a capability centric topic naming. Also, capabilities centric naming has other benefits like creating a topic hierarchy that automatically describes a hierarchy of actions.


Happy to discuss further on the thread


Sudeep Das

Principal Engineer

McAfee LLC


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]