SBOM Extension for MUD
draft-lear-opsawg-mud-sbom-00

Document Type Active Internet-Draft (individual)
Last updated 2020-05-18
Yang Validation 0 errors, 0 warnings.
- Yang catalog entry for ietf-mud-sbom@2020-03-06.yang
Network Working Group                                            E. Lear
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                                 S. Rose
Expires: November 19, 2020                                          NIST
                                                            May 18, 2020

                         SBOM Extension for MUD
                     draft-lear-opsawg-mud-sbom-00

Abstract

   Software bills of materials (SBOMs) are formal descriptions of what
   pieces of software are included in a product.  This memo specifies a
   means for manufacturers to state how SBOMs may be retrieved through
   an extension to manufacturer usage descriptions (MUD).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 19, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Lear & Rose             Expires November 19, 2020               [Page 1]
Internet-Draft                SBOM for MUD                      May 2020

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  How This Information Is Used  . . . . . . . . . . . . . .   3
     1.2.  SBOM formats  . . . . . . . . . . . . . . . . . . . . . .   3
     1.3.  Discussion points . . . . . . . . . . . . . . . . . . . .   3
   2.  The mud-sbom extension model extension  . . . . . . . . . . .   4
   3.  The mud-sbom augmentation to the MUD YANG model . . . . . . .   4
   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  Without ACLS  . . . . . . . . . . . . . . . . . . . . . .   7
     4.2.  Located on the Device . . . . . . . . . . . . . . . . . .   8
     4.3.  SBOM Obtained from Contact Information  . . . . . . . . .   9
     4.4.  With ACLS . . . . . . . . . . . . . . . . . . . . . . . .   9
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
     6.1.  MUD Extension . . . . . . . . . . . . . . . . . . . . . .  12
     6.2.  Well-Known Prefix . . . . . . . . . . . . . . . . . . . .  12
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Changes from Earlier Versions  . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   Manufacturer Usage Descriptions (MUD) [RFC8520] provides a means for
   devices to identify what they are and what sort of network access
   they need.  This memo specifies an extension to the MUD YANG model
   [RFC6991] through which a manufacturer states where the software
   bill of materials for a device may be retrieved.

   Software bills of materials (SBOMs) are descriptions of what
   software, including versioning and dependencies, a device contains.
   There are different SBOM formats, such as Software Package Data
   Exchange [SPDX] and Software Identity Tags [SWID].

   This memo extends the MUD YANG schema to provide location information
   of an SBOM.

   These SBOMs are typically found in one of three ways:

   o  on devices themselves

   o  on a web site (e.g., via URI)

   o  through direct contact with the manufacturer.

   Some devices will have interfaces that permit direct SBOM retrieval,
   for example over 'ssh' or from an HTTP endpoint.  There may also be
   private interfaces.
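
   The following Python program is an added illustration, not code
   from this draft: it shows how a MUD manager might consume such a
   location extension by first checking that the extension is
   announced in the MUD file's "extensions" list (as RFC 8520 requires
   of any extension a file uses) and then dispatching on the three
   retrieval cases above.  The extension name "sbom", the node name
   "ietf-mud-sbom:sbom", its leaves "sbom-url", "sbom-on-device" and
   "contact-info", and the well-known path are placeholders assumed
   for this example; the draft's actual YANG module (Section 3) and
   well-known prefix (Section 6.2) are not reproduced on this page.
   The sample MUD file is constructed, and the https-only rule is the
   example's own policy rather than a requirement stated here.

```python
"""Added example for this page: a MUD manager consuming an SBOM-location
extension.  Not the draft's code; node and leaf names are ASSUMED."""
import json
from urllib.parse import urlparse

# ASSUMED names, placeholders for whatever the draft's YANG module defines.
SBOM_EXTENSION = "sbom"
SBOM_NODE = "ietf-mud-sbom:sbom"
# ASSUMED well-known path for on-device retrieval (the draft registers
# its own prefix; the value is not reproduced on this page).
WELL_KNOWN_PATH = "/.well-known/sbom"


def make_mud_file(sbom_node, extensions=(SBOM_EXTENSION,)):
    """Build a constructed RFC 8520-shaped MUD file (JSON text) carrying
    the given sbom node.  ACL policy sections are omitted for brevity."""
    return json.dumps({
        "ietf-mud:mud": {
            "mud-version": 1,
            "mud-url": "https://mud.example.com/lightbulb.json",
            "last-update": "2020-05-18T00:00:00+00:00",
            "cache-validity": 48,
            "is-supported": True,
            "mfg-name": "Example Corp",
            "extensions": list(extensions),
            SBOM_NODE: sbom_node,
        }
    })


# Constructed sample: SBOM published on the manufacturer's web site.
SAMPLE_MUD_FILE = make_mud_file(
    {"sbom-url": "https://sbom.example.com/lightbulb-1.2.spdx"})


class MudSbomError(ValueError):
    """Raised when the MUD file carries no usable SBOM location."""


def _host_literal(addr):
    """Bracket IPv6 literals so they can be placed in a URL authority."""
    return f"[{addr}]" if ":" in addr else addr


def sbom_location(mud_json, device_addr=None):
    """Return {"kind": "url"|"device"|"contact", ...} telling the caller
    where to fetch the SBOM, or raise MudSbomError."""
    doc = json.loads(mud_json)
    mud = doc.get("ietf-mud:mud")
    if not isinstance(mud, dict) or mud.get("mud-version") != 1:
        raise MudSbomError("not a MUD version 1 file")
    # RFC 8520: a file must list every extension it uses in
    # "extensions"; unannounced extension nodes are ignored.
    if SBOM_EXTENSION not in mud.get("extensions", []):
        raise MudSbomError("sbom extension not declared in 'extensions'")
    node = mud.get(SBOM_NODE)
    if not isinstance(node, dict):
        raise MudSbomError("sbom extension declared but node missing")

    # Case 1: SBOM hosted at a URI (e.g. the manufacturer's web site).
    if "sbom-url" in node:
        url = node["sbom-url"]
        parsed = urlparse(url)
        # Example policy: https only, so neither the pointer nor the
        # SBOM it names can be swapped by an on-path attacker.
        if parsed.scheme != "https" or not parsed.netloc:
            raise MudSbomError(f"rejecting non-https sbom-url: {url}")
        return {"kind": "url", "url": url}

    # Case 2: SBOM served by the device itself at a well-known path.
    if node.get("sbom-on-device"):
        if device_addr is None:
            raise MudSbomError("on-device SBOM but device address unknown")
        return {"kind": "device",
                "url": f"https://{_host_literal(device_addr)}{WELL_KNOWN_PATH}"}

    # Case 3: SBOM available only by contacting the manufacturer.
    if "contact-info" in node:
        return {"kind": "contact", "contact": node["contact-info"]}

    raise MudSbomError("sbom node carries no recognised location")


if __name__ == "__main__":
    print(sbom_location(SAMPLE_MUD_FILE))
    print(sbom_location(make_mud_file({"sbom-on-device": True}), "192.0.2.10"))
```

   The extension-announcement check matters in practice: without it a
   MUD manager would act on an SBOM pointer that the signed file never
   declared it was using, and the https rule keeps the pointer from
   being downgraded to a location an on-path party controls.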