OpenC2-org / openc2-org

The Open Command and Control Forum promotes the global development and adoption of the OpenC2 language and reference material.

RESPONSE and ALERT #5

Closed romanojd closed 7 years ago

romanojd commented 8 years ago

PROBLEM

There were several comments that came out at the Face-to-Face Meeting, on 09/29, that said that it was unclear how one would use RESPONSE and ALERT. It was discussed at the bi-weekly meeting on 10/13 that the Language Description Document describes the definition and syntax of RESPONSE and ALERT, but not how they could be used.


POTENTIAL SOLUTION

Current response usage patterns, presented at the bi-weekly meeting on 10/13 should be documented online and used as a reference for future implementations.

romanojd commented 8 years ago

I'm not sure if GitHub or Google Docs would be the best place to document response usage patterns. Maybe we could develop them in Google Docs, allowing everyone to comment on existing and propose new patterns. Then we could transition them to GitHub at the appropriate level of maturity.

jmbrule commented 8 years ago

Based on my interpretation of the face to face, the issue was not so much 'how to use it' as how to populate it. The early implementers were treating it as a free flowing text field, which will impact interoperability.


romanojd commented 8 years ago

Yes, that's definitely important when looking at the different patterns. And the information that you include in the message depends on "how you're using it", i.e., the pattern.

jtcbrule commented 8 years ago

Use this issue tracker, until (if?) that becomes unwieldy, then transition over to a wiki page(s)?

I'm under the impression that RESPONSE is a synchronous response to an OpenC2 command and ALERT is an asynchronous message sent back up to (usually) the orchestrator.

The only fields that make sense universally as a response are a UUID and maybe a status code. Everything else is target/actuator/context-dependent. UUID seems to map onto a 'modifier' pretty well. But even status codes are iffy. Success for an HTTP request is 200, success for a posix function call is 0. It seems like a minimal amount of structure should be required for every command, and the rest be defined in 'data models' similar to how targets and actuators are done now.

sparrell commented 8 years ago

I vote we use the issue tracker to (1) document that there is an issue and (2) the solution once reached (or a reference to it). I think slack should be used for all the discussion in-between (1) and (2).

jyoverma commented 8 years ago

I vote for discussion on slack and here until a solution is reached.

jyoverma commented 8 years ago

I'm looking at the current schema for RESPONSE and below are my thoughts.

Commands that need a response back should specify so using modifiers. The following modifiers could be used for this:

"response": { "enum": [ "acknowledge", "status", "query", "command-ref" ] }

The "response" can be set in the response action that comes back from the actuator and "command-ref" could carry the UUID/ID of the original command.

There isn't a modifier today that calls out if a response is needed. Perhaps we can add that?

jordan2175 commented 8 years ago

Do you want me to setup a Slack instance for OpenC2?

Bret

Sent from my Commodore 64

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050


ldsalazar3 commented 8 years ago

A slack channel for OpenC2 already exists – openc2-community.

I can add you to it. What’s your email address?


jordan2175 commented 8 years ago

Just this email address.

Thanks, Bret

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


ldsalazar3 commented 8 years ago

Use notifications@github.com?


jordan2175 commented 8 years ago

jordan2175@gmail.com

From the CC line of the email.

Thanks, Bret

romanojd commented 8 years ago

The "origin" modifier needs to be separate from "command-ref" because the same command could have been issued to multiple actuators. In the corresponding response, the "command-ref" identifies which command it is a response to and the "origin" tells where it's coming from.

BTW, would it be easier to have this discussion on Slack? Would we have it on the #issues channel or create a temporary, specific channel just for this particular issue?

sparrell commented 8 years ago

I vote github just be used for stating the problem, and once resolved stating the resolution. But I vote all the discussions take place on slack.

jmbrule commented 8 years ago

Move the discussion to slack because Jyoti thinks it will give us a 'cool' factor...

Your point on command reference is taken. Given that, I would 'vote' for option A: define an origin field in the frame rather than reuse the actuator field.


romanojd commented 8 years ago

I created the following slack channel to discuss this issue further:

https://openc2-community.slack.com/messages/issue_response/

We'll write the final resolution here.

romanojd commented 8 years ago

@jtcb, Josh, are you going to continue in this discussion? Would you like an invitation to the Slack group?

jtcbrule commented 8 years ago

I don't have much to say on this issue, but a slack invitation could be useful for future issues.

(What happened to people just using IRC?)

davaya commented 8 years ago

Discussion is now on slack. But to synopsize here, I suggest that a new structure(s) be defined for Response and Alert rather than abusing the syntax of OpenC2 commands:

OpenC2Command ::= RECORD {
    action      Action,
    target      Target,
    actuator    Actuator OPTIONAL,
    modifiers   Modifiers OPTIONAL
}

OpenC2Response ::= RECORD {
    cmdref      UTF8String,      -- or UUID?
    results     UTF8String
}

OpenC2Alert ::= RECORD {
    message     UTF8String
}

OpenC2Object ::= CHOICE {
    command     OpenC2Command,
    response    OpenC2Response,
    alert       OpenC2Alert
}
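
The two structural points raised above, that a response must carry both a command reference and an origin because one command can be fanned out to several actuators, and that the response body should be a fixed enumeration rather than free text, can be checked in code. The following is an added example, not code from the OpenC2 project or from anyone in this thread: a small orchestrator that records which actuators still owe a reply for each command-ref and validates each incoming RESPONSE. The field names "command-ref", "origin" and "response", the enumerated values, and the actuator names "fw-a" and "fw-b" are assumptions modelled on the proposals in the thread, not the specification.

```python
"""Added example, not code from the OpenC2 project: an orchestrator that fans
one command out to several actuators and correlates the RESPONSE messages
that come back.

Assumed (hypothetical) message fields: "command-ref" carries the UUID of the
original command, "origin" names the actuator that answered, and "response"
is one of a fixed set of values rather than free text.
"""
import json
import uuid
from enum import Enum


class ResponseType(str, Enum):
    """Closed set of response kinds (modelled on the "response" values proposed
    in the thread); free text here is what breaks interoperability."""
    ACKNOWLEDGE = "acknowledge"
    STATUS = "status"
    QUERY = "query"


VALID_RESPONSE_TYPES = {t.value for t in ResponseType}


def make_response(cmdref, origin, kind="acknowledge"):
    """Serialise a RESPONSE as an actuator would send it (constructed sample)."""
    return json.dumps({"command-ref": cmdref, "origin": origin, "response": kind})


class Orchestrator:
    """Tracks outstanding (command-ref, origin) pairs and validates replies."""

    def __init__(self):
        # command-ref -> set of actuator names still expected to answer
        self.pending = {}

    def issue(self, action, target, actuators):
        """Send one command to many actuators; returns (command-ref, command)."""
        cmdref = str(uuid.uuid4())
        self.pending[cmdref] = set(actuators)
        command = {
            "action": action,
            "target": target,
            "modifiers": {"command-ref": cmdref, "response": "acknowledge"},
        }
        return cmdref, command

    def receive(self, raw):
        """Validate one RESPONSE and record it.

        Returns (accepted, reason) so the caller can log and count rejects
        rather than crash on a bad message.
        """
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            return False, "malformed JSON"
        if not isinstance(msg, dict):
            return False, "not an object"
        cmdref = msg.get("command-ref")
        origin = msg.get("origin")
        kind = msg.get("response")
        if not (cmdref and origin and kind):
            return False, "missing command-ref, origin or response"
        if kind not in VALID_RESPONSE_TYPES:
            return False, "unknown response type: %r" % (kind,)
        expected = self.pending.get(cmdref)
        if expected is None:
            return False, "unknown command-ref"
        if origin not in expected:
            # A duplicate, or a reply from an actuator that was never sent
            # this command; both deserve an operator's attention.
            return False, "unexpected or duplicate origin: %r" % (origin,)
        expected.discard(origin)
        if not expected:
            del self.pending[cmdref]
        return True, "ok"

    def outstanding(self, cmdref):
        """Actuators that have not yet answered cmdref."""
        return set(self.pending.get(cmdref, set()))


def demo():
    """Walk one command through two firewalls; returns the decisions made."""
    orch = Orchestrator()
    cmdref, _ = orch.issue("deny", {"ip_addr": "198.51.100.7"}, ["fw-a", "fw-b"])
    decisions = [
        orch.receive(make_response(cmdref, "fw-a")),            # first reply
        orch.receive(make_response(cmdref, "fw-a")),            # duplicate
        orch.receive(make_response(cmdref, "fw-c")),            # never sent there
        orch.receive(make_response(cmdref, "fw-b", "done")),    # free-text type
        orch.receive(make_response("no-such-ref", "fw-b")),     # unknown command
        orch.receive("{not json"),                              # malformed
        orch.receive(make_response(cmdref, "fw-b")),            # second reply
    ]
    return decisions, orch.outstanding(cmdref)


if __name__ == "__main__":
    for accepted, reason in demo()[0]:
        print("ACCEPT" if accepted else "REJECT", reason)
```

Keying the pending table on the pair (command-ref, origin) rather than on command-ref alone is what lets the orchestrator tell a second firewall's reply apart from a replayed or duplicated one, and rejecting any "response" value outside the enumeration is the concrete form of the interoperability concern raised earlier in the thread.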

jmbrule commented 7 years ago

I believe we can close this issue.

romanojd commented 7 years ago

RESPONSE and ALERT have been defined in more detail. We will continue to refine the response design as we develop actuator profiles.