Section 6: No software, no hardware...no endpoint? #80
Hello, Adam.
It’s a fair question.
Not every hardware or software component will have been observed by a SACM sensor.
The paragraph says that an endpoint might have no hardware or software components known to SACM sensors. That’s not quite the same as what you said, Adam.
SACM sensors could know about an endpoint because they see traffic to and from its MAC address. SACM sensors might not know the components of the endpoint at all.
I think it’s useful to model an endpoint even if its components are wholly unknown. Other sensors could respond by probing to learn more about the endpoint, for example.
Best,
Cliff
From: adammontville <[email protected]>
Reply-To: sacmwg/draft-ietf-sacm-information-model <[email protected]>
Date: Tuesday, June 20, 2017 at 12:12 PM
To: sacmwg/draft-ietf-sacm-information-model <[email protected]>
Cc: Subscribed <[email protected]>
Subject: [sacmwg/draft-ietf-sacm-information-model] Section 6: No software, no hardware...no endpoint? (#80)
The paragraph above figure 15 in section 6 (and figure 15 as well) describes an endpoint as having zero or more hardware components and zero or more software components, where each may have zero or more running instances.
...the make up of an Endpoint asset which contains zero or more hardware components and zero or more software components each of which may have zero or more instances running...
This feels incorrect, because it defines an endpoint as being capable of having neither hardware nor software, but (as mentioned elsewhere in the draft) is network addressable. Is it possible to have an endpoint without hardware and without software? Even if academically so, what place does it have in our information model?
Hi Cliff, thanks for your response (it's been a while :-). I do not believe the paragraph in question qualifies the endpoint model to those known to SACM sensors: