[Last-Call] Intdir telechat review of draft-ietf-opsec-indicators-of-compromise-03

Reviewer: Dave Thaler
Review result: Ready with Issues

In my view the following issues should be addressed before publication.

Section 3.1, page 7:
> Domain names are more specific than IP
> addresses (as multiple domain names may be associated with a single
> IP address) 

But the converse is also true... multiple IP addresses may be associated
with a single domain name, so the conclusion that domain names are more
specific than IP addresses is not true in general.  Indeed, the pyramid
(figure 1) shows IP addresses as more precise than domain names, which
to me is synonymous with more specific, just as hashes are more specific
than IP addresses.  This seems a contradiction in the text quoted above.

Section 3.2:
> To be of use to defenders, IoCs must first be discovered, assessed,
> shared, and deployed.  

I don't understand what it means for IoCs to be "deployed".  Section 3.1
gave examples of IoCs such as "IPv4 and IPv6 addresses in network traffic",
but I don't know what it means to say "IPv4 and IPv6 addresses in network
traffic must be deployed".  I suspect this is using some other definition
of IoC than what the text prior to here presented.  You deploy some detector
or some other type of defense.  The draft does not define IoC as a detector or
any other type of defense, it's defined as the thing you look at.  So you have
to _deploy_ something that looks at an IoC, not an IoC itself.  Either fix
the text here or redefine IoC earlier in the document.

Section 4.1.4
> There is significant benefit to be had from the sharing of IoCs and
> they can be easily shared for two main reasons: firstly, indicators 
> are easy to distribute

Should "indicators" instead be "IoCs"?  (But see previous comment which
applies here too.)

> indicators are easy to distribute as they are textual

This statement seems imprecise.  For example, an IP address is not textual.
It has a textual representation, but an IPv4 address itself is a 32-bit
binary value and an IPv6 address is a 128-bit binary value.

Section 5.1.1:
> IPv4 addresses are
> becoming increasingly fragile due to addresses growing scarce 

Explain. The fact that they're growing scarce means they should be
more painful for an attacker to change, which means they should be 
increasingly LESS fragile per the arguments earlier in the document.

Separately, you can also argue that IPv4 addresses are becoming increasingly
less _precise_ due to introduction of carrier grade NATs.



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
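An added example, not part of the review above or of the draft it discusses, illustrating the point about textual versus binary representation: an IoC matcher that compares address strings misses the same 32-bit or 128-bit value written in a different textual form (compressed IPv6, IPv4-mapped IPv6), while a matcher that compares the packed binary value does not. The watchlist entries, log lines and the `src=` field layout are constructed for illustration and are not real indicators or a real log format.

```python
"""Normalising IP-address IoCs to their binary value before matching.

Added example, not code from the review or from the draft it discusses.
The watchlist and log lines below are constructed for illustration.
"""
import ipaddress

# Constructed watchlist: one IPv4 and one IPv6 indicator, as they might
# arrive from a feed (the IPv6 entry is written uncompressed).
WATCHLIST_TEXT = [
    "192.0.2.1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",
]

# Constructed log lines. Lines 2 and 3 carry the same addresses as the
# watchlist, but in other textual forms.
SAMPLE_LOG = [
    "src=192.0.2.1 dst=198.51.100.7 action=allow",
    "src=2001:db8::1 dst=198.51.100.7 action=allow",
    "src=::ffff:192.0.2.1 dst=198.51.100.7 action=allow",  # IPv4-mapped IPv6
    "src=203.0.113.9 dst=198.51.100.7 action=allow",
]


def canonical(addr_text):
    """Return the packed binary value of an address (4 bytes for IPv4,
    16 for IPv6). An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is reduced
    to the IPv4 address it carries, so it compares equal to that address.
    Raises ValueError for text that is not an IP address."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.packed


def extract_src(line):
    """Pull the value of the constructed 'src=' field out of a log line."""
    for field in line.split():
        if field.startswith("src="):
            return field[len("src="):]
    return None


def match_textual(watchlist, log):
    """Naive matcher: compares the address strings as written."""
    hits = set(watchlist)
    return [line for line in log if extract_src(line) in hits]


def match_binary(watchlist, log):
    """Matcher that compares the binary value of each address instead."""
    hits = {canonical(entry) for entry in watchlist}
    matched = []
    for line in log:
        src = extract_src(line)
        if src is None:
            continue
        try:
            if canonical(src) in hits:
                matched.append(line)
        except ValueError:
            # Field was not a parseable address; skip rather than fail.
            continue
    return matched


if __name__ == "__main__":
    print("textual matches:", len(match_textual(WATCHLIST_TEXT, SAMPLE_LOG)))  # 1
    print("binary matches: ", len(match_binary(WATCHLIST_TEXT, SAMPLE_LOG)))   # 3
```

The string comparison finds only the IPv4 line written exactly as in the watchlist; the binary comparison also finds the compressed IPv6 spelling and the IPv4-mapped form, and still leaves the unrelated 203.0.113.9 line alone. Whichever side is called the "indicator", what gets deployed is the matcher, and it has to operate on the value rather than on one of its spellings.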