]> Fraunhofer SIT

Rheinstrasse 75 Darmstadt 64295 Germany henk.birkholz@sit.fraunhofer.de

Cisco Systems

3550 Cisco Way San Jose CA 95134 USA ncamwing@cisco.com

security SACM Working Group Internet-Draft This document summarizes the data model designed at the IETF 99 Hackathon and is intended to grow in to a definition of general XML SACM statements (and later JSON and CBOR, respectively) for virtually every kind of Content Element (e.g. software identifiers, assessment guidance/results, ECA Policy rules, VDD, etc.). The SACM Statement data structure is based on the Information Element (IE) definitions provided by the SACM Information Model. The initial Content Element type transferred are YANG Subscribed Notification acquired via YANG push. In combination with the Origin Metadata Annotation defined in draft-ietf-netmod-revised-datastores the data model defined in this document will ultimately be able to express collected endpoint characteristics, imperative guidance that define and orchestrate assessment instructions, and also the declarative guidance for endpoint attributes.

YANG modules are a powerful established tool to provide endpoint attributes (IE) with well-defined semantics. YANG push and the corresponding YANG subscribed notification drafts make use of these modules to create streams of notifications (telemetry) providing SACM content on the data plane. Correspondingly, filter expressions used in the context of YANG subscriptions constitute SACM content that is imperative guidance consumed by SACM components on the management plane. The SACM component illustrated in this draft incorporates a YANG Push client function and an xmpp-grid publisher function. The output of the YANG Push client function is encapsulated in a SACM Content Element envelope, which is again encapsulated in a SACM statement envelope. The corresponding SACM statements are published via the xmpp-grid publisher function into a SACM Domain.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, BCP 14 .

Every SACM content is published into a SACM domain using a statement envelope/encapsulation. The general structure of a Statement is based in the Information Element defintion in and can be summarized as follows: a statement encapsulates statement-metadata and content-elements a content-element encapsulates content-metadata and SACM content In the scope of this document, only one type of SACM content is covered: YANG output. Correspondingly, only the minimal required structure of statements, statement-metadata, content-elements, and content-metadata are defined. A complete XML schema definition of this minimal statement can be found in Appendix A.

A YANG notification is associated with a set of YANG specific metadata. Hence, a YANG notification published to a SACM Domain MUST be encapsulated with its corresponding metadata in a Content Element as defined below. YANG output that is SACM content is represented as an element defintion included in the content choice of the content-element.

]]>

One occurrence of the yang-output element MUST be instantiated in the content-metadata element if YANG push output is to be transferred. Also, the content-type must be set to the enumeration value "yang-output", respectively. In general, the list of content-type enumerations is including every subject as defined in the SACM Information Model. For the scope of this document, the list of potential content is reduced to "yang-output" only.

]]>

The list of optional elements included in content-metadata will incorporate any every potential metadata type. For the scope of this document, the list of elements is also limited to the minimal required set of metadata elements and the yang-output metadata element to support the encapsulation of NETCONF subscribed notifications and YANG query result. As defined above, one occurrence of the yang-output element has to be included in the content-metadata element. The general content-metadata elements are illustrated in the Appendix A.

]]>

The composition of metadata that can be associated with a XML NETCONF result depends on multiple factors: acquisition method: query / subscription encoding: XML / JSON / CBOR subscription interval: periodic / on-change filter-type: xpath / subtree Additionally, the actual filter expression (or in future iterations of this work a referencing label, such as a URI, UUID or other composed identifier) has to be included in the content-metadata.

]]>

A SACM Component able to process YANG subscribed notifications requires at least two functions: a YANG push client function , an xmpp-grid provider function Orchestattion of functions inside a component, their discovery as capabiliites and the internal communication of SACM content inside a SACM component is out of scope of this document for now.

This document includes requests to IANA.

TBD

Christoph Vigano, Guangying Zheng, Eric Voit, Alexander Clemm

First version -00

&RFC2119; &I-D.ietf-netconf-subscribed-notifications; &I-D.ietf-netconf-yang-push; &I-D.ietf-sacm-information-model; &I-D.ietf-mile-xmpp-grid;

The definitions of statements, statement-metadata, content-element, and content-metadata are provided by the SACM Information Model . Due to the stripping down of content-elements to YANG output, the enumerations still included in the relationship type are not able to point to other content actually.

]]>