search

oasis-tcs / openc2-oc2ls

OASIS OpenC2 TC: GitHub repository used to propose and track changes to the OpenC2 Language Specification as new working draft level revisions are created and the associated CSDs mature
https://github.com/oasis-tcs/openc2-oc2ls
Other
15 stars 19 forks source link

Undefined Consumer Behavior with Multiple Actuator Profiles #364

Open dmg2 opened 4 years ago

dmg2 commented 4 years ago

Problem: Much has been talked about OpenC2 sending one command to multiple consumers, presumably resulting in multiple responses back to the originating producer. Returning one response for each consumer queried seems reasonable and fairly well understood. However returning multiple responses for each consumer queried posses some interesting challenges. I want to explore this and bring to light some issues that should be addressed.

Assumptions: 1) We recognize that an OpenC2 producer can send one command to multiple consumers. 2) We recognize that an OpenC2 consumer can support multiple actuator profiles. 3) We recognize that OpenC2 commands have an "actuator" field which is utilized to "filter" a request. 4) We recognize that the "actuator" field allows for the specifying of one actuator or none at all. 5) We recognize that there is no way to specify more than one actuator besides not specifying one at all. 6) We recognize that not specifying an "actuator" results in a non filtered request which is handled by all available actuators.

Scenarios: In order to scope the following scenarios assume: 1) OpenC2 command is being sent to multiple consumers. 2) All Consumers support multiple actuator profiles.

Scenario#1: In the case of one "actuator" being specified in an OpenC2 command the result is that the consumer will send one response back to the producer. In this scenario the producer may receive multiple responses in total but only one from each consumer.

Scenario#2: In the case of no "actuator" being specified in an OpenC2 command the result is that the consumer sends more than one response back to the producer. In this scenario the producer will receive multiple responses from multiple consumers.

Scenario#3: Currently there is no way to specify more than one "actuator" but many have asked for this feature. In the case that multiple "actuators" are specified in an OpenC2 command a similar issue as in scenario#2 may be present.

Discussion: Focusing on Scenario#2 above we can see that not specifying an actuator in an OpenC2 command could lead to the consumer having to craft multiple responses. Since the OpenC2 specification does not have a way to concatenate responses it would seem that each of these multiple responses would have to be sent back to the producer individually. This posses an issue for some transfer types. Transfer types that utilize sessions such as HTTP/HTTPS would close the session once a response is sent, leaving the others to linger or fall off the queue. Concatenating them could alleviate this issue, but then it would open the door to other issues, such as how long should we wait before concatenating results and how do we do this with out affecting the way we validate individual actuator profile content. Lets not forget that actuator profiles can and will respond entirely different given the same "action-target" pair. One way to solve this without developing a concatenation method would be to simply put a stipulation on the use of transfer protocols that use sessions in this way, declaring that if you use them you have to explicitly state an "actuator" every time. This would mean forcing a new command id for each "actuator" derivative of the original command in order to check the status of those commands later. The same command id could be used across multiple consumers but not across multiple actuator profile derivatives. Open to solutions and discussions on this topic.

TLDR; Restrict OpenC2 due to limitations in the implementations transfer protocol OR Create a way to concatenate multiple actuator profile responses so that a consumer can reply only once.

patconnole commented 4 years ago

Here's an example of the problem described:

OpenC2 Consumer behavior is undefined for consumers that implement multiple actuator profiles. For example, what are the expected behaviors in the table below, using the example commands?

We have two Actuator Profiles, say, StateLESS Packet Filtering, and StateFUL Packet Filtering, with overlapping commands:

query-features = 
{
    "action": "query",
    "target": {
        "features": ["versions", "profiles", "rate_limit"]
    }
}

deny-ipv4_connection= 
{
    "action": "deny",
    "ipv4_connection": {
        "protocol": "tcp",
        "src_port": 21
    }
}

OpenC2 HTTPS v1.0

SLPF SLPF + SFPF
Consumer Receives Expected Consumer Behavior Expected Consumer Behavior
query-features ✅ 1 OpenC2 Response in 1 HTTP Response ❌ undefined;
deny-ipv4_connection ✅ 1 OpenC2 Response in 1 HTTP Response ❌ undefined;

There is no way to satisfy Rule 1 and Rule 2 if the Consumer implements SLPF and SFPF.

davaya commented 4 years ago

There are two questions to address:

Scenario #3: How to address a command to more than one but not all profiles? a) Assumption #6 is correct, not specifying an actuator means all supported profiles respond b) Syntax of OpenC2 says that Actuator is a Choice (exactly one must be present) but the "actuator" field of OpenC2-Command is optional. Assuming that it is semantically reasonable to address a command to more than one actuator, the syntax is trivial: change the definition of Actuator from Choice to Map{1..*}, i.e. from "exactly one" to "one or more". All currently valid commands with 0 or 1 actuators remain valid.

I do not see any logical/semantic problems to approving this change, except that it is not useful without a solution to Scenario #2.

Scenario #2: How to return a single response from more than one profile?

Common Results are not currently tagged by actuator/profile name. Profile-specific results are. The solution is for each actuator profile to define a copy of the common results that it needs and delete the common results that it does not need. For example, common results "versions" and "rate_limit" have logically the same value for each profile supported by a Consumer. "profiles" and "schema" (if the latter is added to the language spec) are inherently common, they apply to the Consumer, not a specific profile. "pairs" is inherently profile-specific. The "pairs" field of Results should be deprecated, and current and future profiles should define a profile-specific "pairs" result.

patconnole commented 4 years ago

All Consumers (with more than one Actuator) have at least one duplicate action-target pair: query-features. 


                                 Consumer
                      +------------------------------+
                      |                              |
                      |          +----------------+  |
                      |          |slpf            |  |
                      | <------> | query-features |  |
                      |          | ...            |  |
         Transfer     |          +----------------+  |
    <---------------> |                              |
                      |          +----------------+  |
                      |          |x-acme          |  |
                      | <------> | query-features |  |
                      |          | ...            |  |
                      |          +----------------+  |
                      |                              |
                      +------------------------------+

We can change the specification of the query-features Response to allow for multiple actuators, but what about other duplicate action-target pairs? Can we address that issue? Or is not expected to be a common situation?

If we want to address it, some questions that arise:

1: What does the Response mean when it represents the answer from more than one Actuator on a Consumer? Not just for query-features, but any command?

"status" : 200 <- All actuators succeeded? Some of them?

2: What action does a Consumer do when it has Actuators with overlapping action-target pairs, and no actuator is specified in the Command?

3: How do we solve this in a way that doesn't conflate Actuator Profiles and Transfer Specs, eg: "If using SLPF over HTTP, send one Response per Consumer..., if using SLPF over MQTT, send one Response per Actuator..."

dlemire60 commented 2 years ago

Related to other issues regarding multiple APs (#353, etc.). This proposes a breaking change to OpenC2 command: currently only one actuator because it's a choice. Seems reasonable to apply command to multiple profiles.

address in next version, @davaya and @Vasileios-Mavroeidis assigned.

dlemire60 commented 6 months ago

PR #435 addresses the question of multiple profile responses for "query features pairs" (as discussed in @davaya 's comments on scenario 2 above). That approach could possibly be generalized for other commands that invoke multiple profiles.