
UNCLASSIFIED

Open Command and Control (OpenC2) Language Mapping for SDN Control

Version 0.9 21 April 2016

Randall Sharo <[email protected]>


TABLE OF CONTENTS

1 INTRODUCTION
2 SDN LANGUAGE BINDING FOR OPENC2
  2.1 Overview
  2.2 Actuator Vocabulary Extensions
  2.3 Actions
    2.3.1 SCAN
    2.3.2 LOCATE
    2.3.3 QUERY
    2.3.4 GET
    2.3.5 DENY
    2.3.6 ALLOW
    2.3.7 STOP
    2.3.8 SET
    2.3.9 MOVE
    2.3.10 REDIRECT
    2.3.11 THROTTLE
    2.3.12 SUBSTITUTE
    2.3.13 COPY
    2.3.14 MITIGATE
    (each of 2.3.1 through 2.3.14 has an "OpenC2 Definition" subsection and an "SDN Binding" subsection)
  2.4 Response
    2.4.1 OpenC2 Definition
    2.4.2 SDN Binding
  2.5 Specifier Vocabulary Extensions
3 EXAMPLE USE CASES
  3.1 Stop Abuse of MAC Address 00:DE:AD:BE:EF:00
  3.2 Prevent Unprivileged User from Accessing Admin Network
4 WORKS CITED
5 APPENDIX A: OPENC2 SDN XML SCHEMA


List of Tables

Table 2-1. SDN Actuator Classes
Table 2-2. Summary of Action Definitions for SDN Actuator
Table 2-3. Supported Targets: SCAN
Table 2-4. Example Usage of SCAN
Table 2-5. Supported Targets: LOCATE
Table 2-6. Example Usage of LOCATE
Table 2-7. Supported Targets: QUERY
Table 2-8. Example Usage of QUERY
Table 2-9. Supported Targets: GET
Table 2-10. Example Usage of GET
Table 2-11. Supported Targets: DENY
Table 2-12. Example Usage of DENY
Table 2-13. Supported Targets: ALLOW
Table 2-14. Example Usage of ALLOW
Table 2-15. Supported Targets: STOP
Table 2-16. Example Usage of STOP
Table 2-17. Supported Targets: SET
Table 2-18. Example Usage of SET
Table 2-19. Supported Targets: MOVE
Table 2-20. Example Usage of MOVE
Table 2-21. Supported Targets: REDIRECT
Table 2-22. Example Usage of REDIRECT
Table 2-23. Supported Targets: THROTTLE
Table 2-24. Example Usage of THROTTLE
Table 2-25. Supported Targets: SUBSTITUTE
Table 2-26. Example Usage of SUBSTITUTE
Table 2-27. Supported Targets: COPY
Table 2-28. Example Usage of COPY
Table 2-29. Supported Targets: MITIGATE
Table 2-30. Example Usage of MITIGATE
Table 2-31. Example Usage of RESPONSE
Table 2-32. OpenC2 Targets Supported by SDN Actuator


1 INTRODUCTION

Software-defined Networking (SDN) is a new approach to networking that has the potential to enable ongoing network innovation and to make the network a programmable, pluggable component of the larger cloud infrastructure. Key aspects of SDN include: separation of the data and control planes; a uniform, vendor-agnostic interface between the control and data planes, such as OpenFlow; a logically centralized control plane, realized as a network OS, that constructs a logical map of the entire network and presents it to the services or network control applications above it; and slicing and virtualization of the underlying network. With SDN, a researcher, network administrator, or third party can introduce a new capability by writing a software program that simply manipulates the logical map of a slice of the network. (Kobayashi, 2013)

But with great power comes great responsibility. SDN applications can shape and control network traffic in ways that existing network security architectures did not anticipate. Through microsegmentation, small subnetworks may be formed that violate the placement assumptions of existing network sensors and Intrusion Detection Systems. Implementing security in an SDN environment therefore requires not only knowledge of what the SDN control plane is doing, but also a means to orchestrate the control plane itself.

This paper outlines a command set that integrates SDN controller functionality with the Open Command and Control (OpenC2) language and command set (OpenC2 Consortium, 2016). Through this command set, cyber security orchestrators may gain visibility into the SDN’s decisions and gain control over security-related outcomes.

A Software Defined Network (SDN) consists of three primary elements (Figure 1):

Datapaths - Physical or virtual forwarding elements that provide programmable bridging, tagging, and/or routing capabilities. Datapaths are controlled via a standardized interface, called the “Southbound API”.

Controllers - Software applications that control datapaths via the Southbound API. Controllers provide the building blocks for basic network functionality and in some cases comprise an autonomous network control infrastructure. Controllers that are able to receive command and control from external sources implement a “Northbound API”.

Applications - Higher-level applications or services that direct the actions of Controllers. Applications may exist to support new or custom protocols, to orchestrate the actions of multiple controllers, or to provide health and status monitoring capabilities.

Figure 1. SDN APIs (diagram: Applications sit above Controllers and direct them over the Northbound API; Controllers drive physical/virtual switches, a.k.a. "datapaths", over the Southbound API)

This common architecture lends itself well to orchestration. Figure 2 shows how an OpenC2 Agent can simultaneously function as an SDN Application, bridging the Active Cyber Defense and Software Defined Networking domains.

Figure 2. SDN Integration via OpenC2 (diagram: an Orchestration layer and other actuators share the OpenC2 Message Fabric with the OpenC2 SDN Agent; the agent drives Controllers over the Northbound API, and the Controllers drive physical/virtual switches over the Southbound API)

Since SDN controllers manage physical and virtual switches in the same manner, it is also possible to project security provisions into Virtualized Networks (VNs) when those VNs are implemented via SDN. In this paper we describe a set of extensions necessary for OpenC2-enabled systems to orchestrate Tenant Networks (TNs) – physical or virtual network segments administered via SDN technologies.

Unlike a VLAN or overlay network, a tenant network need not add any tag or label to a packet to identify its association with a particular network; a controller is free to associate MAC addresses, port identifiers, or VLAN tags together to form a common network per its configuration commands. This property makes tenant networks difficult to characterize without access to the internals of the SDN controller, and it makes it difficult to assign a specific name or number to a tenant from outside. To overcome this problem, this paper lets each SDN controller choose its own name for each tenant network. Orchestrators repeat tenant network names back to controllers as part of their action messages, which requires only that each controller assign a unique identifier to each of its tenant networks.

Figure 3. Virtual Tenant Network (VTN) over SDN (NEC, 2013)

With this architecture, an OpenC2 SDN Agent is able to participate in OpenC2 workflow processing, transforming actions into a format suitable for a given controller implementation. The details of network management are not directly exposed to the orchestrator, but the agent does have the capacity to detect events within the SDN and report them across the fabric.

Where possible we avoid tying the binding to any one SDN standard, since as of this writing there are many competing alternatives (OpenFlow, P4, SNMP-based schemes, NETCONF-based schemes, and OVSDB, to name a few). Instead, we define a query-command structure: protocol-specific identifiers are first returned to the orchestrator via queries, and those same identifiers are then repeated back to the controllers as command targets.

[Author comment, Randall Sharo, 03/11/16: I would like to call this an “ontological approach” – “tell me the names of your elements, I’ll tell you what to do with them”, but I may not be using the term correctly.]

2 SDN LANGUAGE BINDING FOR OPENC2

2.1 Overview

The OpenC2 Language Specification (OpenC2 Consortium, 2016) describes a vocabulary by which network elements may be commanded and controlled. While this language was originally specified with relatively static networks such as building infrastructure or datacenters in mind, the language itself is very extensible by design. In this section we describe a set of extensions that enable visibility and control of network behavior within an SDN.

2.2 Actuator Vocabulary Extensions

Because an SDN may interpret actions in unique ways, we recommend creating new actuator classes, as shown in Table 2-1. An SDN controller is not precisely a sensor, firewall, router, or IDS, but it may share capabilities with any or all of those pre-defined actuator types. Defining distinct actuator classes ensures that SDN-specific behavior is unambiguously defined relative to the other actuator classes.

Table 2-1. SDN Actuator Classes

Name | Specifier Type | Description
network.sdn | cybox:URIObjectType | Specifies that one or more Software Defined Networking controllers should act on the message. A specifier may be provided to uniquely identify an SDN controller. A URI is sufficient when all controllers have unique REST Northbound APIs. Example: “https://mycontroller.mydomain.gov:8081/”


2.3 Actions

Table 2-2 summarizes the behavior of OpenC2 actions when applied to an SDN actuator. Subsequent sections provide further example usages for each action.

Table 2-2. Summary of Action Definitions for SDN Actuator

ACTIONS THAT GATHER AND CONVEY INFORMATION
SCAN: Systematically search a network segment for devices and services reachable via a specified address and protocol.
LOCATE: Requests the network location (controller + dataport) of a network device or service.
QUERY: Requests known information about a specified network device or service.
REPORT: Reserved for future implementation.
GET: Retrieves configuration information for the actuator, controller, or datapath.
NOTIFY: Reserved for future implementation.

ACTIONS THAT CONTROL PERMISSIONS
DENY: Blocks a targeted flow of packets from traversing the network.
CONTAIN: Reserved for future implementation.
ALLOW: Allows a targeted flow of packets to traverse the network.

ACTIONS THAT CONTROL ACTIVITIES/DEVICES
START: Reserved for future implementation.
STOP: Removes the effect of a MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action.
RESTART: Reserved for future implementation.
PAUSE: Reserved for future implementation.
RESUME: Reserved for future implementation.
SET: Changes configuration information for the actuator, targeted controller, or targeted datapath.
UPDATE: Reserved for future implementation.
MOVE: Relocates a network device or service to an alternate tenant network or VLAN. Affects all traffic to/from the designated target.
REDIRECT: Redirects network traffic to an alternate route, tenant network, VLAN, or dataport. Affects traffic unidirectionally.
DELETE: Removes targeted entries from a firewall rule list or Access Control List.
SNAPSHOT: Reserved for future implementation.
DETONATE: Reserved for future implementation.
RESTORE: Reserved for future implementation.
SAVE: Reserved for future implementation.
MODIFY: Reserved for future implementation.
THROTTLE: Limits the maximum allocated bandwidth for a class of network traffic.
DELAY: Reserved for future implementation.
SUBSTITUTE: Applies address translation to the targeted network traffic. Address translation can be applied upon SDN domain ingress, egress, or both.
COPY: Clones targeted network traffic to a secondary tenant network, VLAN, or dataport.
SYNC: Reserved for future implementation.

SENSOR-RELATED ACTIONS
DISTILL: Reserved for future implementation.
AUGMENT: Reserved for future implementation.

EFFECTS-BASED ACTIONS
INVESTIGATE: Reserved for future implementation.
MITIGATE: Activates controller-specific mitigations for the specified Threat Source and Threat Type.
REMEDIATE: Reserved for future implementation.


2.3.1 SCAN

2.3.1.1 OpenC2 Definition

The SCAN action is the systematic examination of some aspect of the entity or its environment in order to obtain information. This action can be used to command the characterization of an environment (e.g., perform network, port, or vulnerability scanning) or to look for a specific occurrence of an object (e.g., file, IP, process). SCAN commands are distinct from QUERY in that SCAN implies an analytic while a QUERY implies a routine retrieval of data.

2.3.1.2 SDN Binding

Systematically search a network segment for devices and services reachable via a specified address and protocol. Network segments are searched for devices responding to packets with the specified address, protocol, and (optional) port number. The SCAN action does not immediately return the location of the target; a subsequent LOCATE or QUERY action may be sent to retrieve the results of the scan.

The SCAN action applies to the following TARGET types and specifiers.

Table 2-3. Supported Targets: SCAN

Target Type | Description | Target Specifier
cybox:Address | The Address object describes a VLAN or tenant network to be scanned. | cybox:AddressObjectType: VLAN_Name, VLAN_Number

The SCAN action accepts the following modifiers.

Modifier | Type | Description
method | enumeration: arp, ping, tcpsyn, udpprobe | Optional. Describes the scanning technique to use.
search | cybox:SocketAddressObjectType | Required. Describes the network address and/or port number to find.
on-device | sdn:DataportType | Optional. Narrows a scan to a specific datapath or dataport.
report-to | cybox:URIObjectType | Optional. Where to report scan completion or errors (if any).

The following table lists potential applications of the SCAN command to identify network devices reachable from an SDN actuator.


Table 2-4. Example Usage of SCAN

Columns: ACTION | TARGET (TARGET-SPECIFIER) | ACTUATOR (ACTUATOR-SPECIFIER) | MODIFIER

1. Scan the network for IP address 1.1.1.1
   SCAN | cybox:Address (none) | network.sdn (none) | search = 1.1.1.1

2. Scan an SDN island for web servers (TCP port 80)
   SCAN | cybox:Address (none) | network.sdn (https://my.controller.gov/) | search = tcp destination port 80

3. Scan a datapath for IP address 2.2.2.2 using ARP
   SCAN | cybox:Address (none) | network.sdn | search = 2.2.2.2, on-device = dpid:10:20:30:40:50:60:70:80, method = arp

4. Scan VLAN 7 for IP address 3.3.3.3 using ICMP Echo requests
   SCAN | cybox:Address (VLAN_Number: 7) | network.sdn (optional) | search = 3.3.3.3, method = ping

5. Scan Tenant Network ‘devteam’ for devices that react to packet delivery on UDP port 1000
   SCAN | cybox:Address (VLAN_Name: ‘devteam’) | network.sdn (optional) | search = udp destination port 1000, method = udpprobe
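The following is an added example (not code from this draft or from the OpenC2 Consortium) of the orchestrator-side work implied by Tables 2-3 and 2-4: building a SCAN message for the network.sdn actuator and refusing to send one that breaks the binding's rules. The message layout (a dict with action/target/actuator/modifiers keys), the "dpid:" datapath-id format, the https-only rule for specifier URIs and the method-versus-search consistency rule are assumptions made here; the draft's own wire format is the XML schema of Appendix A.

```python
"""Orchestrator-side builder and validator for the SCAN binding of Section 2.3.1
(Tables 2-3 and 2-4).

Added example, not code from the OpenC2 SDN mapping draft. The message layout
(a dict with action/target/actuator/modifiers keys), the "dpid:" datapath-id
format and the https-only rule for specifier URIs are assumptions made here;
the draft's own wire format is the XML schema of Appendix A.
"""
import re
from urllib.parse import urlparse

SCAN_METHODS = {"arp", "ping", "tcpsyn", "udpprobe"}    # Table 2-3 method enumeration
SCAN_TARGET_SPECIFIERS = {"VLAN_Name", "VLAN_Number"}   # Table 2-3 target specifiers
# Assumed: "dpid:" plus eight colon-separated octets, i.e. a 64-bit OpenFlow datapath id.
DPID_RE = re.compile(r"^dpid:(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
# Assumed consistency rule: each method needs a matching search field (and protocol).
METHOD_NEEDS = {"arp": ("address", None), "ping": ("address", None),
                "tcpsyn": ("port", "tcp"), "udpprobe": ("port", "udp")}


class CommandError(ValueError):
    """A SCAN that violates Table 2-3; the orchestrator sends nothing to the controller."""


def check_uri(uri, what):
    # Table 2-1 identifies a controller by the URI of its REST northbound API.
    # Assumed hardening: accept only absolute https URIs, so neither the command
    # nor its report can be steered to a plaintext or relative endpoint.
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise CommandError(f"{what} must be an absolute https URI, got {uri!r}")
    return uri


def check_search(search):
    # search is a cybox SocketAddressObjectType: an address and/or a protocol+port.
    if not isinstance(search, dict) or not (search.keys() & {"address", "port"}):
        raise CommandError("search must carry an address and/or a port")
    if "port" in search:
        if search.get("protocol") not in ("tcp", "udp"):
            raise CommandError("a port search needs protocol 'tcp' or 'udp'")
        if not 0 < int(search["port"]) < 65536:
            raise CommandError(f"port out of range: {search['port']!r}")
    return dict(search)


def build_scan(search, method=None, on_device=None, report_to=None,
               target_specifier=None, actuator_specifier=None):
    """Return a validated SCAN message for the network.sdn actuator."""
    target_specifier = dict(target_specifier or {})
    if not target_specifier.keys() <= SCAN_TARGET_SPECIFIERS:
        raise CommandError(f"SCAN target specifiers are limited to {sorted(SCAN_TARGET_SPECIFIERS)}")
    modifiers = {"search": check_search(search)}           # search is Required
    if method is not None:
        if method not in SCAN_METHODS:
            raise CommandError(f"unknown scan method {method!r}")
        field, proto = METHOD_NEEDS[method]
        if field not in modifiers["search"] or (proto and modifiers["search"]["protocol"] != proto):
            need = f"{proto} {field}" if proto else field
            raise CommandError(f"method {method!r} needs a search with a {need}")
        modifiers["method"] = method
    if on_device is not None:
        if not DPID_RE.match(on_device):
            raise CommandError(f"on-device must be a datapath id, got {on_device!r}")
        modifiers["on-device"] = on_device
    if report_to is not None:
        modifiers["report-to"] = check_uri(report_to, "report-to")
    actuator = {"type": "network.sdn"}
    if actuator_specifier is not None:
        actuator["specifier"] = check_uri(actuator_specifier, "actuator specifier")
    return {"action": "SCAN",
            "target": {"type": "cybox:Address", "specifiers": target_specifier},
            "actuator": actuator, "modifiers": modifiers}


def reject_reason(**kwargs):
    """The CommandError text for build_scan(**kwargs), or None when the command is accepted."""
    try:
        build_scan(**kwargs)
    except CommandError as err:
        return str(err)
    return None


def table_2_4_examples():
    """The five rows of Table 2-4 as messages (row 5 searches a UDP port, matching its udpprobe method)."""
    return [
        build_scan({"address": "1.1.1.1"}),
        build_scan({"protocol": "tcp", "port": 80}, actuator_specifier="https://my.controller.gov/"),
        build_scan({"address": "2.2.2.2"}, method="arp", on_device="dpid:10:20:30:40:50:60:70:80"),
        build_scan({"address": "3.3.3.3"}, method="ping", target_specifier={"VLAN_Number": 7}),
        build_scan({"protocol": "udp", "port": 1000}, method="udpprobe",
                   target_specifier={"VLAN_Name": "devteam"}),
    ]
```

The point of validating before sending is that a SCAN reaches a controller with the authority to probe every tenant network it manages; rejecting a malformed datapath id, a method that contradicts its search, or a non-https controller URI on the orchestrator side keeps a bad or tampered message from ever becoming a probe on the wire.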


2.3.2 LOCATE

2.3.2.1 OpenC2 Definition

The LOCATE action is used to find an object either physically, logically, functionally, or by organization. This action is used, for example, to tell where in the system an event or trigger occurred, to confirm that an asset is appropriately deployed, or to ascertain details regarding a rogue device.

2.3.2.2 SDN Binding

The LOCATE action requests the SDN actuator to report the topological location of a device within the SDN. The actuator will not actively query the targeted device, but rather will report any information passively collected to date. The reported location will include the identity of the master controller, the datapath identifier, and the dataport identifier.

Table 2-5. Supported Targets: LOCATE

Target Type | Description | Target Specifier
cybox:Address | The Address object is intended to specify a cyber address. | cybox:AddressObjectType: Address_Value, VLAN_Name, VLAN_Number

The LOCATE action accepts the following modifiers.

Modifier | Type | Description
report-to | cybox:URIObjectType | Required. Identifies where to send the target’s location.
on-device | sdn:DataportType | Optional. Only locate address usage on the specified datapath or dataport.

The following examples describe how a LOCATE action may be used to find devices within an SDN.

Table 2-6. Example Usage of LOCATE

Columns: ACTION | TARGET (TARGET-SPECIFIER) | ACTUATOR (ACTUATOR-SPECIFIER) | MODIFIER

1. Get network location of an IP address
   LOCATE | cybox:Address (12.34.56.78) | network.sdn (optional) | report-to = requestor-address

2. Find if a MAC address has been seen on a particular datapath
   LOCATE | cybox:Address (mac 04:00:00:00:00:01) | network.sdn (optional) | report-to = requestor-address, on-device = dpid:11:22:33:44:55:66:77:88

3. Find if a MAC address has been seen on VLAN 12
   LOCATE | cybox:Address (mac 06:08:0a:0c:10:20, vlan_number 12) | network.sdn (optional) | report-to = requestor-address


2.3.3 QUERY

2.3.3.1 OpenC2 Definition

The QUERY action initiates a single request for information. QUERY, like SCAN, is used to find out more information about the system or its environment. In the case of QUERY, however, it is an isolated or specific information request, rather than a broadly scoped scan or on-going check. QUERY tends to be a simple retrieval of a value for a specific parameter, while SCAN implies a more thorough examination and identification of anomalies (relative to a known good state). The response to a query is typically (but not necessarily) conveyed within the command and control channel.

2.3.3.2 SDN Binding

A QUERY action requests known information about a specified network device or service.

Table 2-7. Supported Targets: QUERY

Target Type | Description | Target Specifier
openc2:Data | The actuator will report the targeted (custom) data field. | openc2:DataObjectType

The QUERY action accepts the following modifiers.

Modifier | Type | Description
on-device | sdn:DatapathType | Optional. Narrows the query to return results for a specific datapath.
report-to | cybox:URIObjectType | Required. Identifies where to send the query results.

The following examples describe how a QUERY action may be used within an SDN.

Table 2-8. Example Usage of QUERY

Columns: ACTION | TARGET (TARGET-SPECIFIER) | ACTUATOR (ACTUATOR-SPECIFIER) | MODIFIER

1. List all active layer-2 links within the SDN
   QUERY | openc2:Data (‘links’) | network.sdn (optional) | report-to = requestor-address

2. Get controller master/slave status
   QUERY | openc2:Data (‘role’) | network.sdn (optional) | report-to = requestor-address

3. Get all known information about a device
   QUERY | openc2:Data (‘device’: mac: 04:04:04:04:04:04) | network.sdn (optional) | report-to = requestor-address

4. Get flow table from a single datapath
   QUERY | openc2:Data (‘flows’) | network.sdn (optional) | report-to = requestor-address, on-device = dpid:10:20:30:40:50:60:70:80

5. Get a list of all previously-scheduled activities
   QUERY | openc2:Data (‘ActivityList’) | network.sdn | report-to = requestor-address

6. Get a list of all devices attached to datapath 1
   QUERY | openc2:Data (‘devices’) | network.sdn | report-to = requestor-address, on-device = dpid:00:00:00:00:00:01


2.3.4 GET

2.3.4.1 OpenC2 Definition

The GET action tasks an entity to retrieve a specific object. The location of the object can be designated in the specifier of the TARGET. The entity typically (but not necessarily) retrieves the object outside of the command and control channel.

2.3.4.2 SDN Binding

Retrieves configuration information for the actuator, controller, or datapath. Unlike QUERY, which retrieves runtime information about the network under control, GET is used to retrieve parameters used to configure the actuator’s software implementation.

Table 2-9. Supported Targets: GET

Target Type | Description | Target Specifier
openc2:Data | The actuator will report the targeted (custom) data field. | openc2:DataObjectType

The GET action accepts the following modifiers.

Modifier | Type | Description
report-to | cybox:URIObjectType | Required. Identifies where to send the targeted data or error status

The following examples describe how a GET action may be used within an SDN.

Table 2-10. Example Usage of GET

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Get the SDN Actuator’s master configuration data | GET | openc2:Data / (none) | network.sdn / (optional) | report-to = requestor-address
2 | Get the master configuration file for a specific controller | GET | openc2:Data / (none) | network.sdn / https://192.168.1.1:8080/ | report-to = requestor-address
3 | Get SDN configuration information for a single datapath | GET | openc2:Data / ‘dpid:11:22:33:44:55:66:77:88’ | network.sdn / (optional) | report-to = requestor-address
4 | Get a list of software modules installed in | GET | openc2:Data / ‘modules_installed’ | network.sdn / https://192.168.1.1:8080/ | report-to = requestor-address


2.3.5 DENY

2.3.5.1 OpenC2 Definition

The DENY action is used to prevent a certain event or action from completion, such as preventing a flow from reaching a destination (e.g., block) or preventing access. DENY is a superset of current terms such as BLOCK (network perimeter devices) and DENY (user, access to system, access to files).

2.3.5.2 SDN Binding

Blocks a targeted flow of packets from traversing the network.

Table 2-11. Supported Targets: DENY

Target Type | Description | Target Specifier
sdn:Flow | Identifies protocol fields of traffic to deny. Flow can specify source addresses, destination addresses, or both. | sdn:FlowType

The DENY action accepts the following modifiers.

Modifier | Type | Description
on-device | sdn:DataportType | Optional. Identifies a datapath and optional port where targeted traffic will be denied.
priority | integer | Optional. Assigns a relative priority to this rule compared to other ALLOW or DENY rules.
report-to | cybox:URIObjectType | Optional. Where to report errors (if any).

The following examples describe how a DENY action may be used within an SDN.


Table 2-12. Example Usage of DENY

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Deny access to IP Address 12.34.56.78 | DENY | sdn:Flow / Destination IP: 12.34.56.78 | network.sdn / (Optional) |
2 | Deny access to VLAN 12 from (trunked) Ethernet dataport 2 | DENY | sdn:Flow / Destination Vlan_Number = 12 | network.sdn / (optional) | on-device = dpid: 11:22:33:44:55:66:77:88, dataport=2
3 | Deny access to 12.34.56.78 port 80 | DENY | sdn:Flow / Destination IP: 12.34.56.78, port: 80 | network.sdn / (optional) |
4 | Deny access to 10.10.10.10 from tenant network ‘localcloud’ | DENY | sdn:Flow / Source VLAN_Name: ‘localcloud’, Destination IP: 10.10.10.10 | network.sdn / (optional) |
5 | Deny access to 10.10.10.10 from vlan 12 | DENY | sdn:Flow / Source VLAN_Number: 12, Destination IP: 10.10.10.10 | network.sdn / (optional) |


2.3.6 ALLOW

2.3.6.1 OpenC2 Definition

The ALLOW action permits the access to or execution of something. An ALLOW action is typically associated with something that was previously denied (e.g., block, quarantine).

2.3.6.2 SDN Binding

Allows a targeted flow of packets to traverse the network.

Table 2-13. Supported Targets: ALLOW

Target Type | Description | Target Specifier
sdn:Flow | Identifies protocol fields of traffic to allow. Can include source addresses, destination addresses, or both. | sdn:FlowType

The ALLOW action accepts the following modifiers.

Modifier | Type | Description
on-device | sdn:DataportType | Optional. Identifies a datapath and optional dataport where targeted traffic was denied.
priority | integer | Optional. Assigns a relative priority to this rule compared to other ALLOW or DENY rules.
report-to | cybox:URIObjectType | Optional. Where to report errors (if any).

The following examples describe how an ALLOW action may be used within an SDN.

Table 2-14. Example Usage of ALLOW

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Remove restrictions on traffic destined to IP Address 12.34.56.78 | ALLOW | sdn:Flow / Destination: 12.34.56.78 | network.sdn / (Optional) |
2 | Remove restrictions on sessions from 11.0.0.0/24 to 12.34.56.78:80 | ALLOW | sdn:Flow / Source: 11.0.0.0/24, Destination: 12.34.56.78:80, tcp | network.sdn / (optional) |
3 | Remove restrictions on packets sourced from MAC 00:00:00:00:00:01 | ALLOW | sdn:Flow / Source Mac: 00:00:00:00:00:01 | network.sdn / (optional) |
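The DENY and ALLOW bindings above share the ‘priority’ modifier, and an installed rule can later be removed by DELETE through its ActivityId. The following added example (written for this page; it is not code from the mapping document or from any SDN controller) models that arbitration: a small rule table where the highest-priority matching rule decides a packet. The Flow field names, the ‘firewall_rule:N’ ActivityId format and the default-forward verdict are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """Subset of sdn:FlowType match fields; None means 'any' for that field."""
    src_ip: Optional[str] = None       # host address or CIDR, e.g. "11.0.0.0/24"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None     # "tcp" or "udp"
    src_mac: Optional[str] = None
    vlan_number: Optional[int] = None  # the Source VLAN_Number of Table 2-12


@dataclass
class Rule:
    action: str       # "DENY" or "ALLOW"
    target: Flow
    priority: int     # the 'priority' modifier: a higher value wins
    activity_id: str  # ActivityId handed back in the RESPONSE


def _ip_matches(pattern: Optional[str], value: Optional[str]) -> bool:
    """CIDR-aware comparison of one address field."""
    if pattern is None:
        return True
    if value is None:
        return False
    return ip_address(value) in ip_network(pattern, strict=False)


def flow_matches(target: Flow, packet: Dict[str, object]) -> bool:
    """True when every specified field of the target matches the packet headers."""
    if not _ip_matches(target.src_ip, packet.get("src_ip")):
        return False
    if not _ip_matches(target.dst_ip, packet.get("dst_ip")):
        return False
    for name in ("dst_port", "protocol", "src_mac", "vlan_number"):
        want = getattr(target, name)
        if want is None:
            continue
        have = packet.get(name)
        if isinstance(want, str):  # MAC and protocol names compare case-insensitively
            want = want.lower()
            have = have.lower() if isinstance(have, str) else None
        if want != have:
            return False
    return True


class FlowTable:
    """Stand-in for the controller's firewall/ACL table (constructed for this example)."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []
        self._count = 0

    def apply(self, action: str, target: Flow, priority: int = 0) -> str:
        """DENY / ALLOW binding: install a rule and return its ActivityId."""
        if action not in ("DENY", "ALLOW"):
            raise ValueError(f"unsupported action {action!r}")
        self._count += 1
        activity_id = f"firewall_rule:{self._count}"  # qname form of Table 2-34 (assumed)
        self._rules.append(Rule(action, target, priority, activity_id))
        return activity_id

    def delete(self, activity_id: str) -> bool:
        """DELETE binding: remove the rule named by its ActivityId."""
        kept = [rule for rule in self._rules if rule.activity_id != activity_id]
        removed = len(kept) != len(self._rules)
        self._rules = kept
        return removed

    def decision(self, packet: Dict[str, object]) -> str:
        """Verdict for one packet: the highest-priority matching rule wins and
        DENY wins a tie. With no matching rule the packet is forwarded, an
        assumption: the document does not define a default verdict."""
        best: Optional[Rule] = None
        for rule in self._rules:
            if not flow_matches(rule.target, packet):
                continue
            if (best is None or rule.priority > best.priority
                    or (rule.priority == best.priority and rule.action == "DENY")):
                best = rule
        return best.action if best is not None else "ALLOW"
```

With Table 2-12 row 1 installed at priority 10 and Table 2-14 row 2 at priority 20, web traffic from 11.0.0.0/24 to 12.34.56.78:80 is allowed while everything else to that host is denied; deleting the ALLOW rule by its ActivityId restores the block.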


2.3.7 STOP

2.3.7.1 OpenC2 Definition

The STOP action halts a system or ends an activity. The STOP OpenC2 action is used to convey commonly used actions such as shutdown, kill, and terminate. The STOP action has nuances and options associated with it that are ACTUATOR specific. In the case where more than one type of STOP action is applicable for a particular target and actuator, the default implementation of STOP will be a graceful shutdown. Action modifiers are used to indicate immediate or atypical STOP actions.

2.3.7.2 SDN Binding

Removes the effect of a MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action.

Table 2-15. Supported Targets: STOP

Target Type | Description | Target Specifier
ActivityId | An activity identifier specifying a previous MOVE, REDIRECT, THROTTLE, SUBSTITUTE, COPY, or MITIGATE action. The identifier may be known from a previous action’s RESPONSE message or from a QUERY of running activities. | xs:QName

The STOP action accepts the following modifiers.

Modifier | Type | Description
delay | time | Optional. Time to wait before performing the action.
report-to | cybox:URIObjectType | Optional. Where to report success or failure.

The following examples describe how a STOP action may be used within an SDN.


Table 2-16. Example Usage of STOP

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Stop a previously-scheduled MITIGATE activity | STOP | openc2:ActivityId / SDN:MITIGATE-1212-3434-5656 | network.sdn / (Optional) |


2.3.8 SET

2.3.8.1 OpenC2 Definition

The SET action changes a value, configuration, or state of a managed entity within an IT system. Typically this action is specified by a configuration item such as a sensor setting or privilege level and the command will have specifiers. SET commands are intended for specific individual changes to the entity and the parameters are communicated in the C2 channel.

2.3.8.2 SDN Binding

Change configuration information for the actuator, targeted controller, or targeted datapath.

Table 2-17. Supported Targets: SET

Target Type | Description | Target Specifier
openc2:Data | The actuator will change the targeted (custom) data field. | openc2:DataObjectType

The SET action accepts the following modifiers.

Modifier | Type | Description
value | openc2:Data | Required. The value to assign to the targeted data field.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the SET action.

The following examples describe how a SET action may be used within an SDN.

Table 2-18. Example Usage of SET

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Reload the SDN Actuator’s master configuration | SET | openc2:Data / (none) | network.sdn / (optional) | value = List of Key-value pairs, report-to = requestor-address
2 | Reload the configuration for a specific controller | SET | openc2:Data / (none) | network.sdn / https://192.168.1.1:8080/ | value = List of Key-value pairs, report-to = requestor-address
3 | Set a specific configuration parameter | SET | openc2:Data / ‘property_name’ | network.sdn / https://192.168.1.1:8080/ | value = property_value


2.3.9 MOVE

2.3.9.1 OpenC2 Definition

The MOVE action changes the location of a file, subnet, network, or process. MOVE is distinct from CONTAIN in that CONTAIN implies a desired effect of isolation and MOVE supports the more general case.

2.3.9.2 SDN Binding

Relocates a network device or service to an alternate tenant network or VLAN. Affects all traffic to/from designated target.

Table 2-19. Supported Targets: MOVE

Target Type | Description | Target Specifier
sdn:dataport | A Layer 2 port to be relocated to an alternate VLAN or tenant network. | sdn:DataportType

The MOVE action accepts the following modifiers.

Modifier | Type | Description
move-to | cybox:AddressObjectType | Required. Device or service will be moved to this VLAN or tenant network. Moving a dataport to VLAN_Number zero makes it a trunk port.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a MOVE action may be used within an SDN.

Table 2-20. Example Usage of MOVE

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Move dataport 10 to tenant network ‘quarantine’ | MOVE | sdn:dataport / Dpid=22:33:44:55:22:33:44:55, dataport=10 | network.sdn / (optional) | move-to = vlan_name: ‘quarantine’
2 | Make dataports 32-34 access ports for vlan 11 | MOVE | sdn:dataport / Dpid=22:33:44:55:22:33:44:55, dataport=32,33,34 | network.sdn / (optional) | move-to = vlan_number: 11
3 | Make dataport 35 a trunk port (i.e. vlan 0) | MOVE | sdn:dataport / Dpid=22:33:44:55:22:33:44:55, dataport=35 | network.sdn / (optional) | move-to = vlan_number: 0


2.3.10 REDIRECT

2.3.10.1 OpenC2 Definition

The REDIRECT action changes the flow of traffic to a particular destination other than its original intended destination. The REDIRECT action includes the case of bypassing an intermediate point. REDIRECT is distinct from MOVE in that it encompasses the entire flow rather than a single instance, item or object. MOVE supports the more atomic case.

2.3.10.2 SDN Binding

Redirects network traffic to an alternate route, tenant network, VLAN, or Dataport. Affects traffic unidirectionally.

Table 2-21. Supported Targets: REDIRECT

Target Type | Description | Target Specifier
sdn:Flow | Describes the set of packets that will be redirected. | sdn:FlowType

The REDIRECT action accepts the following modifiers.

Modifier | Type | Description
to-device | sdn:DataportType | Required. Targeted traffic will be redirected to the specified dataport. Redirection to “null” cancels any pre-existing redirection.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a REDIRECT action may be used within an SDN.

Table 2-22. Example Usage of REDIRECT

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Redirect all 10.0.0.0/8 traffic to a designated dataport. | REDIRECT | sdn:Flow / Destination: 10.0.0.0/8 | network.sdn / (optional) | to-device = dpid: 22:22:22:22:22:22:22:22:22:22,dataport: 7
2 | Cancel redirection on MAC address 00:de:ad:be:ef | REDIRECT | sdn:Flow / Source mac: 00:de:ad:be:ef | network.sdn / (optional) | to-device = null


2.3.11 DELETE

2.3.11.1 OpenC2 Definition

The DELETE action removes data and files.

2.3.11.2 SDN Binding

Deletes specified firewall rules or Access Control List (ACL) entries from the SDN controller’s tables. The action identifies the entry to be deleted via an actuator-specific ActivityId, obtainable as part of the RESPONSE to an ALLOW, DENY, or QUERY action.

Table 2-23. Supported Targets: DELETE

Target Type | Description | Target Specifier
ActivityId | Identifies a firewall rule or ACL entry to be deleted. May take the form of any (actuator-specific) qualified name. | xs:QName

The DELETE action accepts the following modifiers.

Modifier | Type | Description
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a DELETE action may be used within an SDN.

Table 2-24. Example Usage of DELETE

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Attempt to delete a firewall rule and report the success/failure via HTTPS | DELETE | ActivityId / firewall_rule:deca1234 | network.sdn / (optional) | report-to = https://12.34.56.78:8081/result?xid=12
2 | Attempt to delete an ACL entry, where controller supports descriptive ActivityId’s. | DELETE | ActivityId / acl:10.0.0.0/8 | network.sdn / (optional) |


2.3.12 THROTTLE

2.3.12.1 OpenC2 Definition

The THROTTLE action adjusts the throughput of an entire data flow to a different rate.

2.3.12.2 SDN Binding

The THROTTLE action limits the maximum allocated bandwidth for a class of network traffic.

Table 2-25. Supported Targets: THROTTLE

Target Type | Description | Target Specifier
sdn:Flow | The packet flow to be throttled | sdn:FlowType

The THROTTLE action accepts the following modifiers.

Modifier | Type | Description
max-pps | integer | Required. Max allowed packets-per-second
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a THROTTLE action may be used within an SDN.

Table 2-26. Example Usage of THROTTLE

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Throttle HTTP traffic to 11.11.11.11 | THROTTLE | sdn:FlowType / Tcp, destination = 11.11.11.11:80 | network.sdn / (optional) | max-pps=100000
2 | Throttle all traffic to MAC address 00:00:00:00:00:01 | THROTTLE | sdn:FlowType / Destination MAC = 00:00:00:00:00:01 | network.sdn / (optional) | max-pps = 1000000


2.3.13 SUBSTITUTE

2.3.13.1 OpenC2 Definition

The SUBSTITUTE action replaces all or part of the data, content or payload in the least detectable manner. SUBSTITUTE is used in cases where an attack is to be impeded or thwarted in an undetectable manner.

2.3.13.2 SDN Binding

Applies Address Translation to the targeted network traffic. Address translation can be applied upon SDN domain ingress or egress. Traffic will be routed through the SDN based on replacement address(es).

Table 2-27. Supported Targets: SUBSTITUTE

Target Type | Description | Target Specifier
sdn:Flow | Describes the packets that will be remapped. | sdn:FlowType

The SUBSTITUTE action accepts the following modifiers.

Modifier | Type | Description
replacement | sdn:FlowType | Required. The field(s) that will be substituted in packets.
when | Enumeration: ingress, egress | Optional. Specifies whether translation is applied when the packet enters the SDN domain (prior to routing), or upon leaving the SDN (after routing). If unspecified, then ingress is the default.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a SUBSTITUTE action may be used within an SDN.


Table 2-28. Example Usage of SUBSTITUTE

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Replace destination address 11.1.1.1 with 12.2.2.2 | SUBSTITUTE | sdn:Flow / Destination = 11.1.1.1 | network.sdn / (optional) | replacement = 12.2.2.2
2 | Replace TCP endpoint 11.1.1.1:80 with 12.2.2.2:8080 | SUBSTITUTE | sdn:Flow / Tcp, destination = 11.1.1.1, port = 80 | network.sdn / (optional) | replacement = tcp, destination = 12.2.2.2, port=8080
3 | Replace destination MAC 00:11:11:11:11:11 with 00:22:22:22:22:22 | SUBSTITUTE | sdn:Flow / MAC = 00:11:11:11:11:11 | network.sdn / (optional) | replacement = mac: 00:22:22:22:22:22


2.3.14 COPY

2.3.14.1 OpenC2 Definition

The COPY action duplicates a file or data flow.

2.3.14.2 SDN Binding

Clones targeted network traffic to a secondary tenant network, VLAN, or Dataport.

Table 2-29. Supported Targets: COPY

Target Type | Description | Target Specifier
sdn:Flow | Describes the flow of packets to be cloned. | sdn:FlowType

The COPY action accepts the following modifiers.

Modifier | Type | Description
to-device | sdn:DataportType | Required. The dataport where cloned traffic should be sent.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a COPY action may be used within an SDN.

Table 2-30. Example Usage of COPY

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Clone all traffic sourced from 00:0b:ad:00:0b:ad to dataport 12 | COPY | sdn:Flow / Source MAC = 00:0b:ad:00:0b:ad | network.sdn / (optional) | to-device = dpid:12:34:56:78:9a:bc:de:f0,dataport:12
2 | Clone all web traffic to dataport 11 | COPY | sdn:Flow / LIST[(tcp destination port 80), (tcp source port 80)] | network.sdn / (optional) | to-device = dpid:22:22:22:22:22:22:22:22, dataport:11


2.3.15 MITIGATE

2.3.15.1 OpenC2 Definition

The MITIGATE action tasks the recipient enclave to circumvent the problem without necessarily eliminating the vulnerability or attack point. Mitigate implies that the impacts to the enclave’s operations should be minimized while addressing the issue. Examples of actions resulting from a received MITIGATE OpenC2 command could include deny a URL or process, scan, redirect traffic to honeypot, or move.

2.3.15.2 SDN Binding

Activate controller-specific mitigations for the specified Threat Source and Threat Type. Each SDN actuator may have its own technology (or suite of technologies) that mitigates a given threat type.

Table 2-31. Supported Targets: MITIGATE

Target Type | Description | Target Specifier
cybox:Address | Describes the traffic source that has unwanted behavior. | cybox:AddressObjectType

The MITIGATE action accepts the following modifiers.

Modifier | Type | Description
threat-type | Enumeration: passive-capture, active-scan, spoof, mitm, dos, all | Optional. Describes the unwanted activity taking place at the specified device/address. If unspecified, defaults to ‘all’
on-device | sdn:DataportType | Optional. Identifies the dataport where unwanted network behavior is entering the domain.
report-to | cybox:URIObjectType | Optional. Identifies where to send any error message caused by the action.

The following examples describe how a MITIGATE action may be used within an SDN.


Table 2-32. Example Usage of MITIGATE

# | DESCRIPTION | ACTION | TARGET / TARGET-SPECIFIER | ACTUATOR / ACTUATOR-SPECIFIER | MODIFIER
1 | Mitigate a router that may be exfiltrating data. | MITIGATE | cybox:Address / 12.34.56.78 | network.sdn / (optional) | threat-type = passive-capture
2 | Mitigate ARP spoofing coming from dataport 10, (match all MAC addresses) | MITIGATE | cybox:Address / MAC value: 00:00:00:00:00:00, mask: 00:00:00:00:00:00 | network.sdn / (optional) | threat-type = spoof, on-device = dpid:11:11:11:11:11:11:11:11,dataport:10
3 | Mitigate man-in-the-middle attacks involving a device with MAC address 00:00:00:00:00:01 | MITIGATE | cybox:Address / Mac: 00:00:00:00:00:01 | network.sdn / (optional) | threat-type = mitm
4 | Mitigate denial of service attacks entering the network at dataport 20 | MITIGATE | cybox:Address / 12.34.56.0/24 | network.sdn / (optional) | threat-type = dos, on-device = dpid:11:11:11:11:11:11:11:11,dataport:10
5 | Mitigate port scans coming from IP address 11.11.11.11 | MITIGATE | cybox:Address / 11.11.11.11 | network.sdn / (optional) | threat-type = active-scan


2.4 Response

2.4.1 OpenC2 Definition

RESPONSE is used to provide any data requested as a result of an action. RESPONSE can be used to signal the acknowledgement of an action, provide the status of an action along with additional information related to the requested action, or signal the completion of the action. The recipient of the RESPONSE can be the original requester of the action or another recipient (or recipients) designated in the modifier of the action.

2.4.2 SDN Binding

SDN actuators require no changes to the Response message structure as specified. Acknowledgements will generally include a command reference ID or “ActivityId” in the form of a qname, however. These ActivityId values can be passed back to the SDN actuator in a STOP action to undo previous actions.

Table 2-33. Example Usage of RESPONSE

Description | ACTION | TYPE | VALUE
Acknowledge the receipt of an action | Response | data.status | status = received action, OpenC2 command, or command reference ID
Signal Completion of an action | Response | data.status | status = completed action, OpenC2 command, or command reference ID
Provide the status of an action | Response | data.status | status = current status, OpenC2 command, or command reference ID


2.5 Specifier Vocabulary Extensions

This section describes specifier types as used by an SDN actuator.

Table 2-34. OpenC2 Targets Supported by SDN Actuator

Target Type | Description | JSON Example
cybox:Address | The Address object is intended to specify a network address or regular expression. The Address type may be used to specify addresses in Layer 2 or Layer 3, possibly including a VLAN or tenant network identifier. | { "Address_Value" : "10.0.1.0/24", "category": "ipv4-net" }
cybox:SocketAddress | The SocketAddress object is used when a Layer 4 port number and protocol identifier may (optionally) be provided along with a cybox:Address object. | { "IP_Address" : {…}, "Port" : {…} }
cybox:Network_Connection | The Network_Connection object is intended to represent a single network connection. An SDN Actuator may expect a Network_Connection when working with both source and destination SocketAddress elements simultaneously. | { "Source_Socket_Address" : {…}, "Destination_Socket_Address" : {…} }
sdn:DatapathType | A unique control-plane identifier for a single SDN datapath. For OpenFlow SDNs, the unique identifier may be an 8-octet datapath identifier qualified by the namespace "dpid". | "dpid:00-01-02-03-04-05-06-07"
sdn:DataportIdentifierType | Identifies a physical or logical port on an SDN-capable datapath. Will typically be an integer or descriptive name (e.g. "1", "28", "LOCAL", "CONTROLLER", "TABLE") | "CONTROLLER"
sdn:DataportType | One or more dataports on a specific datapath. Consists of a DatapathType element paired with an optional list of DataportIdentifierType. If the DataportIdentifierType list is omitted, it is interpreted as "all" ports on the datapath. | { "datapath": "dpid:00-01-02-03-04-05-06-07", "port" : 12 }
sdn:Flow | A cybox:NetworkConnectionObjectType that includes (optional) Layer 2 address and protocol fields. An SDN Actuator may expect an sdn:Flow when operating on combinations of Layer 2, Layer 3, and Layer 4 protocol fields simultaneously. | { "Layer2_Protocol" : "Ethernet", "Source_Layer2_Address" : {…}, "Destination_Layer2_Address" : {…}, "Source_Socket_Address" : {…}, "Destination_Socket_Address" : {…} }
ActivityId | Uniquely identifies an activity currently being executed by the actuator. May be an actuator implementation-specific qualified name of the form [namespace]:[identifier] | "firewall_rule:12"
ActivityList | A list of ActivityId objects. May be used in cases where several ActivityId objects match a QUERY, for example. | [ "firewall_rule:12", "firewall_rule:13" ]
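The SDN-specific specifier types above are the values an actuator has to validate before acting on a command: an sdn:DatapathType is "dpid" plus exactly eight octets, an sdn:DataportType is a datapath with an optional port list that means "all ports" when absent, and an ActivityId is a [namespace]:[identifier] qualified name. The following added parser (example code written for this page, not part of the document or of any controller) checks those forms; the class names, the acceptance of both '-' and ':' as octet separators, and the character set allowed in port names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# sdn:DatapathType: the "dpid" namespace followed by eight octets. Table 2-34
# writes the octets with '-', the usage tables with ':'; both are accepted.
_DPID_RE = re.compile(r"^dpid:([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){7})$")
# ActivityId: [namespace]:[identifier], e.g. "firewall_rule:12" or "acl:10.0.0.0/8"
_QNAME_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.-]*):(\S+)$")
# sdn:DataportIdentifierType: a port number or a descriptive name such as "LOCAL"
_PORT_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

PortId = Union[int, str]


@dataclass(frozen=True)
class Datapath:
    dpid: bytes  # the eight raw octets

    @classmethod
    def parse(cls, text: str) -> "Datapath":
        match = _DPID_RE.match(text.strip())
        if match is None:
            raise ValueError(f"not an sdn:DatapathType value: {text!r}")
        return cls(bytes.fromhex(re.sub(r"[-:]", "", match.group(1))))

    def canonical(self) -> str:
        """Render in the '-' separated form used by Table 2-34."""
        return "dpid:" + "-".join(f"{octet:02x}" for octet in self.dpid)


@dataclass(frozen=True)
class Dataport:
    """sdn:DataportType: a datapath plus an optional port list (None = all ports)."""
    datapath: Datapath
    ports: Optional[Tuple[PortId, ...]] = None

    @classmethod
    def from_json(cls, obj: dict) -> "Dataport":
        """Parse the JSON layout of Table 2-34; 'port' may be a value, a list, or absent."""
        datapath = Datapath.parse(obj["datapath"])
        raw = obj.get("port")
        if raw is None:
            return cls(datapath, None)
        ports: List[PortId] = []
        for item in raw if isinstance(raw, list) else [raw]:
            is_number = isinstance(item, int) and not isinstance(item, bool)
            is_name = isinstance(item, str) and _PORT_NAME_RE.match(item) is not None
            if not (is_number or is_name):
                raise ValueError(f"not an sdn:DataportIdentifierType value: {item!r}")
            ports.append(item)
        return cls(datapath, tuple(ports))

    def covers(self, port: PortId) -> bool:
        """True if this DataportType addresses the given port of its datapath."""
        return self.ports is None or port in self.ports


@dataclass(frozen=True)
class ActivityId:
    """Qualified name of a running activity or installed rule (Table 2-34)."""
    namespace: str
    identifier: str

    @classmethod
    def parse(cls, text: str) -> "ActivityId":
        match = _QNAME_RE.match(text)
        if match is None:
            raise ValueError(f"not an ActivityId qualified name: {text!r}")
        return cls(match.group(1), match.group(2))

    def __str__(self) -> str:
        return f"{self.namespace}:{self.identifier}"


def parse_activity_list(items: List[str]) -> List[ActivityId]:
    """ActivityList as returned in the RESPONSE to a QUERY for 'ActivityList'."""
    return [ActivityId.parse(item) for item in items]
```

Because Datapath keeps the raw octets, "dpid:00-01-02-03-04-05-06-07" and "dpid:00:01:02:03:04:05:06:07" compare equal, and a value with the wrong octet count is rejected before it can reach a flow rule.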


3 EXAMPLE USE CASES

3.1 Stop Abuse of MAC Address 00:de:ad:be:ef:00

In this scenario, an upper-tier enclave has detected suspicious traffic using source MAC address 00:de:ad:be:ef:00. This traffic may represent lateral movement of a malware package or may be an attempt at beaconing. The upper tier seeks to notify lower tiers of the potential threat. Lower tiers seek to analyze and contain the unwanted traffic until they know how to remediate the source.

Upper tier sense-making is unable to identify a legitimate source for traffic being observed with source MAC address 00:de:ad:be:ef:00. Upper tier wants lower tiers (enclaves) to mitigate this unexplained traffic source:

o MITIGATE(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, ThreatType = spoof)

Lower tier(s) receive action and select a workflow. Selected workflow proceeds as follows:

o Block the unwanted traffic: DENY(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, where = vlan_name: ‘primary_network’)

o Look for locations where the packets have recently entered the network: LOCATE(type = cybox:Address, target-specifier = Source MAC: 00:de:ad:be:ef:00, report-to = <orchestrator>). Orchestrator receives network locations (list of datapaths, network ports) where the source is active.

o Divert subsequent unwanted activity to an analysis network: SUBSTITUTE(type=sdn:Flow, target-specifier = Source MAC: 00:de:ad:be:ef:00, vlan_name:’primary_network’, replacement = vlan_name: ‘offline_analysis’). Analysis takes place using traffic collections on offline tenant network or vlan.

o Information collected from previous LOCATE action identifies unwanted activity on datapath XXXX dataport 4. Find all devices connected to datapath XXXX that may be the source: QUERY(type=openc2:Data, target-specifier = ‘devices’, on-device = dpid: XXXX, report-to = <orchestrator>). Orchestrator receives list of dev ices that have communicated via datapath XXXX.

o Command Hawkeye-G or other actuator to SCAN and/or REMEDIATE potentially-infected devices connected to dataport 4.

3.2 Prevent unprivileged user from accessing admin network

In this scenario, traffic with an unauthorized IP address has been seen on a privileged (admin) network. The enclave must locate the device being exploited and prevent further intrusion.

Sense-making identifies traffic within the ‘admin’ network segment that appears to have been routed from the ‘user’ network domain. Traffic should not be routable from ‘user’ to ‘admin’. User IP space is 10.0.0.0/8, while admin IP space is 11.0.0.0/8.

Block the unwanted traffic:

o DENY(type = cybox:NetworkConnection, target-specifier = Source IP: 10.0.0.0/8, vlan_name: ‘admin’)

Look for locations where the packets have recently entered the ‘admin’ network:

o LOCATE(type = cybox:Address, target-specifier = Source IP: 10.0.0.0/8, where = vlan_name: ‘admin’, report-to = <orchestrator>)

o Orchestrator receives network locations (list of datapaths, network ports) where the source entered the ‘admin’ segment. Found point of ingress. User system 10.0.0.4 appears to be to blame. Divert abusive traffic to a honeypot without taking host system offline:

o REDIRECT(type=cybox:Network_Connection, target-specifier = Source IP: 10.0.0.4, Destination IP = 11.0.0.2, to-device = dpid:01-02-03-04-05-06-07-08,dataport:11)
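Both workflows above chain several SDN actions, and each action's modifier table in section 2.3 fixes which modifiers are required and which are accepted. The following added orchestrator-side helper (example code written for this page, not part of the document or of any OpenC2 implementation) builds the section 3.1 command sequence and validates every command against those tables before anything is sent; the Command layout, the specifier key names, the constructed dpid and the LOCATE modifier entry are assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

ACTUATOR = "network.sdn"

# Modifier tables of section 2.3: action -> (required modifiers, accepted modifiers).
# LOCATE's table lies outside this part of the document; its entry is an assumption
# taken from the LOCATE usage row (report-to = requestor-address).
MODIFIERS = {
    "LOCATE":     ({"report-to"}, {"report-to"}),
    "QUERY":      ({"report-to"}, {"report-to", "on-device"}),
    "GET":        ({"report-to"}, {"report-to"}),
    "DENY":       (set(), {"on-device", "priority", "report-to"}),
    "ALLOW":      (set(), {"on-device", "priority", "report-to"}),
    "STOP":       (set(), {"delay", "report-to"}),
    "SET":        ({"value"}, {"value", "report-to"}),
    "MOVE":       ({"move-to"}, {"move-to", "report-to"}),
    "REDIRECT":   ({"to-device"}, {"to-device", "report-to"}),
    "DELETE":     (set(), {"report-to"}),
    "THROTTLE":   ({"max-pps"}, {"max-pps", "report-to"}),
    "SUBSTITUTE": ({"replacement"}, {"replacement", "when", "report-to"}),
    "COPY":       ({"to-device"}, {"to-device", "report-to"}),
    "MITIGATE":   (set(), {"threat-type", "on-device", "report-to"}),
}
# Enumerated modifier values from the same tables.
ENUMS = {
    ("MITIGATE", "threat-type"): {"passive-capture", "active-scan", "spoof", "mitm", "dos", "all"},
    ("SUBSTITUTE", "when"): {"ingress", "egress"},
}


@dataclass
class Command:
    """One row of the usage tables: ACTION, TARGET, ACTUATOR and MODIFIER."""
    action: str
    target_type: str
    target_specifier: object  # specifier keys used below are illustrative, not the cybox layout
    modifiers: Dict[str, object] = field(default_factory=dict)
    actuator: str = ACTUATOR

    def problems(self) -> List[str]:
        """Everything that would make the SDN actuator reject this command."""
        if self.action not in MODIFIERS:
            return [f"{self.action}: not an action of the SDN binding"]
        required, accepted = MODIFIERS[self.action]
        given = set(self.modifiers)
        out = [f"{self.action}: missing required modifier '{m}'" for m in sorted(required - given)]
        out += [f"{self.action}: modifier '{m}' not accepted" for m in sorted(given - accepted)]
        for name, value in self.modifiers.items():
            choices = ENUMS.get((self.action, name))
            if choices is not None and (not isinstance(value, str) or value not in choices):
                out.append(f"{self.action}: '{name}' must be one of {sorted(choices)}")
        max_pps = self.modifiers.get("max-pps")
        if self.action == "THROTTLE" and max_pps is not None and not isinstance(max_pps, int):
            out.append("THROTTLE: 'max-pps' must be an integer")
        return out

    def to_json(self) -> str:
        """Serialise in the ACTION / TARGET / ACTUATOR / MODIFIER layout of the usage tables."""
        return json.dumps({
            "action": self.action,
            "target": {"type": self.target_type, "specifier": self.target_specifier},
            "actuator": {"type": self.actuator},
            "modifiers": self.modifiers,
        }, sort_keys=True)


def stop_mac_abuse(mac: str, orchestrator: str, datapath: str) -> List[Command]:
    """Lower-tier workflow of section 3.1 once the MITIGATE has arrived. 'datapath'
    is the dpid named in the LOCATE response (the document writes it as XXXX)."""
    flow = {"Source_Layer2_Address": mac, "vlan_name": "primary_network"}
    return [
        Command("DENY", "sdn:Flow", flow),
        Command("LOCATE", "cybox:Address", {"Source_Layer2_Address": mac},
                {"report-to": orchestrator}),
        Command("SUBSTITUTE", "sdn:Flow", flow,
                {"replacement": {"vlan_name": "offline_analysis"}, "when": "ingress"}),
        Command("QUERY", "openc2:Data", "devices",
                {"on-device": datapath, "report-to": orchestrator}),
    ]


def check(commands: List[Command]) -> List[str]:
    """Validate a whole workflow before any command is sent to the actuator."""
    return [p for command in commands for p in command.problems()]
```

A QUERY without report-to, a MITIGATE with an unknown threat-type, or a THROTTLE whose max-pps is not an integer is caught by check() on the orchestrator instead of failing at the actuator, where the only feedback would be an error RESPONSE.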



5 APPENDIX A: OPENC2 SDN XML SCHEMA

<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="http://www.openc2.org/sdn-action"
    elementFormDefault="qualified"
    xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://www.openc2.org/sdn-action"
    xmlns:cybox_custom="http://cybox.mitre.org/objects#CustomObject-1"
    xmlns:cybox_core="http://cybox.mitre.org/cybox-2"
    xmlns:Q1="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:Q2="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:Q3="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
    xmlns:Q4="http://cybox.mitre.org/common-2"
    xmlns:Q5="http://www.openc2.org/sdn-action"
    xmlns:Q6="http://cybox.mitre.org/objects#SocketAddressObject-1"
    xmlns:Q7="http://cybox.mitre.org/objects#NetworkConnectionObject-2">

  <import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd" namespace="http://cybox.mitre.org/objects#SocketAddressObject-1" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd" namespace="http://cybox.mitre.org/common-2" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.1/Network_Connection_Object.xsd" namespace="http://cybox.mitre.org/objects#NetworkConnectionObject-2" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd" namespace="http://cybox.mitre.org/objects#URIObject-2" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd" namespace="http://cybox.mitre.org/objects#AddressObject-2" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd" namespace="http://cybox.mitre.org/objects#CustomObject-1" />
  <import schemaLocation="http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd" namespace="http://cybox.mitre.org/cybox-2" />

  <element name="SCAN" type="tns:ScanActionType" />
  <element name="LOCATE" type="tns:LocateActionType" />
  <element name="QUERY" type="tns:QueryActionType" />
  <element name="GET" type="tns:GetActionType" />
  <element name="DENY" type="tns:DenyActionType" />
  <element name="CONTAIN" type="tns:ContainActionType" />
  <element name="ALLOW" type="tns:AllowActionType" />
  <element name="STOP" type="tns:StopActionType" />
  <element name="SET" type="tns:SetActionType" />
  <element name="MOVE" type="tns:MoveActionType" />
  <element name="REDIRECT" type="tns:RedirectActionType" />
  <element name="THROTTLE" type="tns:ThrottleActionType" />
  <element name="SUBSTITUTE" type="tns:SubstituteActionType" />
  <element name="COPY" type="tns:CopyActionType" />
  <element name="MITIGATE" type="tns:MitigateActionType" />

  <complexType name="OpenC2ActionType" abstract="true">
    <sequence>
      <element name="target" type="tns:TargetType" maxOccurs="1" minOccurs="1" />
      <element name="actuator" type="tns:SDNActuatorType" maxOccurs="1" minOccurs="0" />
    </sequence>
  </complexType>

  <complexType name="SDNActuatorType">
    <sequence>
      <element name="specifier" type="Q2:URIObjectType" maxOccurs="unbounded" minOccurs="0" />


    </sequence>
    <attribute name="type">
      <simpleType>
        <restriction base="string">
          <enumeration value="network.sdn" />
        </restriction>
      </simpleType>
    </attribute>
  </complexType>

  <complexType name="TargetType">
    <sequence>
      <element name="specifier" type="Q4:ObjectPropertiesType" maxOccurs="unbounded" minOccurs="0" />
    </sequence>
    <attribute name="type" type="string" />
  </complexType>

  <complexType name="ScanActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="method" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="arp" />
                <enumeration value="ping" />
                <enumeration value="tcpsyn" />
                <enumeration value="udpprobe" />
              </restriction>
            </simpleType>
          </element>
          <element name="search" type="Q6:SocketAddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="LocateActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />


          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="QueryActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="on-device" type="tns:DatapathType" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="GetActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="1" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="DenyActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="priority" type="unsignedInt" maxOccurs="1" minOccurs="0" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="ContainActionType">
    <complexContent>


      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="where" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="AllowActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
          <element name="priority" type="unsignedInt" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="StopActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="delay" type="time" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="SetActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="value" type="Q4:ObjectPropertiesType" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />


        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="MoveActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="move-to" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="RedirectActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="to-device" type="tns:DataportType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="ThrottleActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="max-pps" maxOccurs="1" minOccurs="1">
            <simpleType>
              <restriction base="int">
                <minInclusive value="1" />
              </restriction>
            </simpleType>
          </element>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="SubstituteActionType">


    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="replacement" maxOccurs="1" minOccurs="1" type="tns:FlowType" />
          <element name="when" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="ingress" />
                <enumeration value="egress" />
              </restriction>
            </simpleType>
          </element>
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="CopyActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="to-device" type="tns:DataportType" maxOccurs="1" minOccurs="1" />
          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="MitigateActionType">
    <complexContent>
      <extension base="tns:OpenC2ActionType">
        <sequence>
          <element name="threat-type" maxOccurs="1" minOccurs="1">
            <simpleType>
              <restriction base="string">
                <enumeration value="passive-capture" />
                <enumeration value="active-scan" />
                <enumeration value="spoof" />
                <enumeration value="mitm" />
                <enumeration value="dos" />
                <enumeration value="all" />
              </restriction>
            </simpleType>
          </element>


          <element name="report-to" type="Q2:URIObjectType" maxOccurs="1" minOccurs="0" />
          <element name="on-device" type="tns:DataportType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="DataportType">
    <complexContent>
      <extension base="Q4:ObjectPropertiesType">
        <sequence>
          <element name="datapath" type="tns:DatapathType" maxOccurs="1" minOccurs="1" />
          <element name="port" type="tns:DataportIdentifierType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <simpleType name="DatapathType">
    <restriction base="string">
      <pattern value="dpid:[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}-[0-9a-fA-F]{2}|dpid:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}" />
    </restriction>
  </simpleType>

  <simpleType name="DataportIdentifierType">
    <union memberTypes="tns:NamedDataportIdentifierType tns:NumericDataportIdentifierType" />
  </simpleType>

  <simpleType name="NamedDataportIdentifierType">
    <restriction base="string">
      <enumeration value="ALL" />
      <enumeration value="CONTROLLER" />
      <enumeration value="TABLE" />
      <enumeration value="IN_PORT" />
      <enumeration value="ANY" />
      <enumeration value="UNSET" />
      <enumeration value="LOCAL" />
      <enumeration value="NORMAL" />
      <enumeration value="FLOOD" />
      <enumeration value="all" />
      <enumeration value="controller" />


      <enumeration value="table" />
      <enumeration value="in_port" />
      <enumeration value="any" />
      <enumeration value="unset" />
      <enumeration value="local" />
      <enumeration value="normal" />
      <enumeration value="flood" />
    </restriction>
  </simpleType>

  <simpleType name="NumericDataportIdentifierType">
    <restriction base="unsignedInt">
      <minInclusive value="1" />
      <maxInclusive value="4294967040" />
    </restriction>
  </simpleType>

  <complexType name="FlowType">
    <complexContent>
      <extension base="Q3:NetworkConnectionObjectType">
        <sequence>
          <element name="Layer2_Protocol" maxOccurs="1" minOccurs="0">
            <simpleType>
              <restriction base="string">
                <enumeration value="Ethernet" />
              </restriction>
            </simpleType>
          </element>
          <element name="Source_Layer2_Address" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="0" />
          <element name="Destination_Layer2_Address" type="Q1:AddressObjectType" maxOccurs="1" minOccurs="0" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>

</schema>
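An SDN actuator should reject a command that does not fit the schema before it touches any flow table, and a full XSD validation needs the seven imported CybOX schemas, which are fetched from external URLs. The following validator is an added example written for this page; it is not code from the OpenC2 consortium or from any OpenC2 implementation. It enforces only the rules the schema above declares in its own namespace: the fifteen action element names, each action's xs:sequence (order and required children, with SET's <value> required because it has no minOccurs), the actuator type enumeration, the DatapathType pattern, the named/numeric dataport identifier union, and the inline enumerations for method, when and threat-type. Content typed by the CybOX imports (target specifiers, report-to URIs, where/move-to addresses, the replacement flow) is assumed out of scope. The DENY message it builds uses constructed sample values (the dpid, port and priority are not from the document), and the target's CybOX specifier is omitted for the same reason.

```python
"""Validator for the tns-local rules of the OpenC2 SDN action schema (added example, stdlib only).
CybOX-typed content (target specifiers, URIs, addresses) is not checked: those schemas are external."""
import re
import xml.etree.ElementTree as ET

TNS = "http://www.openc2.org/sdn-action"
q = lambda name: "{%s}%s" % (TNS, name)   # Clark-notation tag; elementFormDefault="qualified"
local = lambda tag: tag.split("}", 1)[-1]  # strip the namespace from a parsed tag

# Children each action adds after the inherited target/actuator pair, as (name, required)
# in xs:sequence order. An element without minOccurs (SET's <value>) defaults to required.
ACTIONS = {
    "SCAN": [("method", False), ("search", True), ("on-device", False), ("report-to", False)],
    "LOCATE": [("report-to", True), ("on-device", False)],
    "QUERY": [("on-device", False), ("report-to", True)],
    "GET": [("report-to", True)],
    "DENY": [("on-device", False), ("priority", False), ("report-to", False)],
    "CONTAIN": [("where", True), ("report-to", False)],
    "ALLOW": [("report-to", False), ("on-device", False), ("priority", False)],
    "STOP": [("report-to", False), ("delay", False)],
    "SET": [("value", True), ("report-to", False)],
    "MOVE": [("move-to", True), ("report-to", False)],
    "REDIRECT": [("to-device", True), ("report-to", False)],
    "THROTTLE": [("max-pps", True), ("report-to", False)],
    "SUBSTITUTE": [("replacement", True), ("when", False), ("report-to", False)],
    "COPY": [("to-device", True), ("report-to", False)],
    "MITIGATE": [("threat-type", True), ("report-to", False), ("on-device", False)],
}
ENUMS = {  # enumerated simple types declared inline in the schema
    ("SCAN", "method"): {"arp", "ping", "tcpsyn", "udpprobe"},
    ("SUBSTITUTE", "when"): {"ingress", "egress"},
    ("MITIGATE", "threat-type"): {"passive-capture", "active-scan", "spoof", "mitm", "dos", "all"},
}
NAMED_PORTS = {"ALL", "CONTROLLER", "TABLE", "IN_PORT", "ANY", "UNSET", "LOCAL", "NORMAL", "FLOOD"}
NAMED_PORTS |= {p.lower() for p in NAMED_PORTS}  # the schema lists both spellings
HEX2 = "[0-9a-fA-F]{2}"
DPID_RE = re.compile("dpid:(?:(?:{h}-){{7}}{h}|(?:{h}:){{7}}{h})".format(h=HEX2))

def check_datapath(s):  # DatapathType: 'dpid:' plus eight hex octets joined by '-' or ':'
    return DPID_RE.fullmatch(s) is not None

def check_port(s):  # DataportIdentifierType: named OpenFlow port or integer in 1..4294967040
    return s in NAMED_PORTS or (s.isdecimal() and 1 <= int(s) <= 4294967040)

def check_dataport(el):  # DataportType: mandatory <datapath>, optional <port>
    errs, dp, port = [], el.find(q("datapath")), el.find(q("port"))
    if dp is None or not check_datapath((dp.text or "").strip()):
        errs.append("<%s> needs a <datapath> matching the dpid pattern" % local(el.tag))
    if port is not None and not check_port((port.text or "").strip()):
        errs.append("<port> must be a named port or an integer in 1..4294967040")
    return errs

def check_child(action, name, el):
    text = (el.text or "").strip()
    if name == "actuator":
        t = el.get("type")
        return [] if t in (None, "network.sdn") else ["actuator type %r is not network.sdn" % t]
    if name in ("on-device", "to-device"):
        if action == "QUERY":  # QueryActionType declares on-device as a bare DatapathType
            return [] if check_datapath(text) else ["bad datapath %r" % text]
        return check_dataport(el)
    if (action, name) in ENUMS and text not in ENUMS[(action, name)]:
        return ["<%s> value %r not in %s" % (name, text, sorted(ENUMS[(action, name)]))]
    if name == "max-pps" and not (text.isdecimal() and 1 <= int(text) <= 2147483647):
        return ["<max-pps> must be an int >= 1"]
    if name == "priority" and not (text.isdecimal() and int(text) <= 4294967295):
        return ["<priority> must be an unsignedInt"]
    return []

def validate(xml_text):
    """Return the list of violations; an empty list means the message fits the tns rules."""
    root = ET.fromstring(xml_text)
    action = local(root.tag)
    if root.tag != q(action) or action not in ACTIONS:
        return ["root %r is not an OpenC2 SDN action element" % root.tag]
    expected = [("target", True), ("actuator", False)] + ACTIONS[action]
    errors, pos = [], 0
    for child in root:  # walk the xs:sequence: each child must be the next allowed name
        name = local(child.tag)
        while pos < len(expected) and expected[pos][0] != name:
            if expected[pos][1]:
                errors.append("missing required element <%s>" % expected[pos][0])
            pos += 1
        if pos == len(expected):
            errors.append("unexpected or out-of-order element <%s>" % name)
            break
        pos += 1
        errors.extend(check_child(action, name, child))
    return errors + ["missing required element <%s>" % n for n, req in expected[pos:] if req]

def deny_example():
    """Constructed DENY message (sample values, not from the document); no CybOX specifier."""
    ET.register_namespace("sdn", TNS)
    root = ET.Element(q("DENY"))
    ET.SubElement(root, q("target"), {"type": "cybox:NetworkConnectionObjectType"})
    ET.SubElement(root, q("actuator"), {"type": "network.sdn"})
    dev = ET.SubElement(root, q("on-device"))
    ET.SubElement(dev, q("datapath")).text = "dpid:00:11:22:33:44:55:66:77"
    ET.SubElement(dev, q("port")).text = "3"
    ET.SubElement(root, q("priority")).text = "100"
    return ET.tostring(root, encoding="unicode")
```

Calling validate(deny_example()) returns an empty list; changing the actuator type, dropping LOCATE's mandatory report-to, or placing DENY's on-device after priority each yields a single descriptive violation. The sequence walk is the part worth keeping in a real actuator: XSD sequences are ordered, so accepting children in any order would let a message pass that a conforming validator rejects.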
