oasis-tcs / openc2-ap-pf

OASIS OpenC2 TC: This repository will focus on the use of OpenC2 to issue commands and parse responses to hardware or software that can control administrative policies regarding network packets. https://github.com/oasis-tcs/openc2-ap-pf

Refine Command Argument: direction #15

Open Vasileios-Mavroeidis opened 2 years ago

Vasileios-Mavroeidis commented 2 years ago

In section 2.1.3.2 we have defined a new command argument direction of type Direction, and we specify that the argument

"Specifies whether to apply rules to incoming or outgoing traffic. If omitted, rules are applied to ingress packets."

I propose removing the second sentence.

What is stated is actuator-specific - the default behavior of the technology. An actuator that gets an OpenC2 command without the argument direction populated will treat the command based on its default behavior (vendor's decision). If the actuator requires specifying the direction, then we should do it. If we don't specify the direction and the actuator does not have a default behavior for such use cases, then the command is invalid.

Vasileios-Mavroeidis commented 2 years ago

The usage requirements of the argument specify that:

If absent or not explicitly set, then the Command MUST apply to both.

This is in opposition to the description of the argument.

I suggest removing this description/sentence too.

Vasileios-Mavroeidis commented 2 years ago

At the Feb 9th meeting we agreed to refine the language in the spec rather than eliminating the default behavior of the actuator in the case that the direction argument is not populated. It is a fact that many packet filters dictate default behavior "ingress" when the direction is not specified. An example can be seen here: https://cloud.google.com/vpc/docs/firewalls#direction_of_the_rule

Also, the usage requirements of the argument specify that when absent or not explicitly set, then the Command MUST apply to both. This is wrong and will be removed.