This commit is contained in:
Peter Saint-Andre 2012-05-16 16:44:02 -06:00
parent f3a7e59cbc
commit 6b1096f618
1 changed files with 218 additions and 65 deletions


@ -41,6 +41,12 @@
</author>
&stpeter;
&mwild;
<revision>
<version>0.5</version>
<date>2012-05-16</date>
<initials>psa</initials>
<remark><p>Simplified the processing model to send reports only in IQ-sets (not in IQ-results); filled out the sections on inquiries, requests, and responses; corrected the schema and examples.</p></remark>
</revision>
<revision>
<version>0.4</version>
<date>2012-04-17</date>
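Review bot: the new 0.5 <remark> undersells the processing-model change it records. "Simplified the processing model to send reports only in IQ-sets (not in IQ-results)" describes only the <report/> element, but the Interactions list rewritten in the next hunk also moves the <response/> element from an IQ of type "result" to an IQ of type "set" (the old item read 'contained in an &IQ; stanza of type "result"', the new one 'of type "set"'). The remark should say that reports and responses are now both carried in IQ-sets, with only inquiries and requests remaining IQ-gets, so that implementers reading the revision history see the full extent of the change.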
@ -90,87 +96,221 @@
</section1>
<section1 topic='Interactions' anchor='interactions'>
<p>This document defines several interactions (similar to those in &rfc6045;) between XMPP server deployments with respect to incident handling. These interactions are transported using the XMPP &IQ; stanza as described below.</p>
<p>This document defines several interactions (similar to those in RID, see &rfc6045;) between XMPP server deployments with respect to incident handling. These interactions are transported using the XMPP &IQ; stanza as described below, where each element (qualified by the 'urn:xmpp:incident:2' namespace) is used as a wrapper for IODEF data.</p>
<ol>
<li><p>The &lt;report/&gt; element (contained in an &IQ; stanza of type "set" or, in response to an &lt;inquiry/&gt; element, of type "result") describes the nature of an incident and also flags the 'status' of the incident as "new", "updated", or "resolved"; it is sent from one server to another for informative purposes (sometimes in reply to the &lt;inquiry/&gt; element) but without requesting assistance (for which see the &lt;request/&gt; element).</p></li>
<li><p>The &lt;inquiry/&gt; element (contained in an &IQ; stanza of type "get") asks for information about an incident; it is expected that the reply will contain a &lt;report/&gt; element.</p></li>
<li><p>The &lt;request/&gt; element (contained in an &IQ; stanza of type "get") asks for assistance in resolving an incident.</p></li>
<li><p>The &lt;response/&gt; element (contained in an &IQ; stanza of type "result") provides assistance in resolving an incident.</p></li>
<li><p>The &lt;report/&gt; element (contained in an &IQ; stanza of type "set") describes the nature of an incident and also flags the 'status' of the incident as "new", "updated", or "resolved"; it is sent from one server to another for informative purposes but without requesting assistance (for which see the &lt;request/&gt; element). This element is similar to a RID message type of "Report".</p></li>
<li><p>The &lt;inquiry/&gt; element (contained in an &IQ; stanza of type "get") asks for information about an incident; it is expected that the reply will contain a &lt;report/&gt; element. This element is similar to a RID message type of "IncidentQuery".</p></li>
<li><p>The &lt;request/&gt; element (contained in an &IQ; stanza of type "get") asks for assistance in resolving an incident, e.g., by requesting that the server take some action. This element is similar to a RID message type of "Investigation" or "TraceRequest".</p></li>
<li><p>The &lt;response/&gt; element (contained in an &IQ; stanza of type "set") provides assistance in resolving an incident. This element is similar to a RID message type of "Result".</p></li>
</ol>
</section1>
<section1 topic='Report Format and Processing' anchor='report'>
<p>An incident report consists of an XMPP &IQ; stanza of type "set" or "result" containing an IODEF document. An example is shown below.</p>
<example caption="An incident report"><![CDATA[
<iq from='jabber.org' id='vk2x91g47 to='im.flosoft.biz' type='set'>
<Incident xmlns='urn:ietf:params:xml:ns:iodef-1.0'
purpose='reporting'>
<IncidentID name='jabber.org'>4BF5D2CE-7C90-4860-BEF2-43A7D777D5FF</IncidentID>
<StartTime>2009-04-13T19:05:20Z</StartTime>
<EndTime>2009-04-13T19:27:22Z</EndTime>
<ReportTime>2009-04-13T19:31:07Z</ReportTime>
<Description xml:lang='en'>lots of MUC spammers from abuse.lit!</Description>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='ext-type' ext-type='chatroom'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>operators@muc.xmpp.org</jid>
</AdditionalData>
</Contact>
<RelatedActivity>
<IncidentID name='im.example.com'>133BCE2E-E669-4ECE-B0F8-766B9E65630D</IncidentID>
</RelatedActivity>
<Assessment>
<Impact lang='en' severity='medium' completion='succeeded' type='dos'/>
</Assessment>
<EventData>
<Flow>
<System category='source'>
<Node>
<Address category='ext-category' ext-category='xmpp'>abuser@abuse.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>123</Counter>
</Node>
<Node>
<Address category='ext-category' ext-category='xmpp'>luser27@abuse.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>47</Counter>
</Node>
</System>
<System category='target'>
<Node>
<Address category='ext-category' ext-category='xmpp'>jdev@conference.jabber.org</Address>
<Address category='ext-category' ext-category='xmpp'>jabber@conference.jabber.org</Address>
<NodeRole category='ext-category' ext-category='xmpp-muc'/>
</Node>
</System>
</Flow>
<info>
<category>muc</category>
<type>presence</type>
<type>long-messages</type>
</Incident>
<p>When one server wants to send information about an incident, it sends a incident report to another server. The report consists of an XMPP &IQ; stanza of type "set" containing a &lt;report/&gt; element that in turn contains an IODEF document. An example is shown below.</p>
<example caption="A report of trouble"><![CDATA[
<iq from='jabber.org' id='vk2x91g47' to='im.flosoft.biz' type='set'>
<report xmlns='urn:xmpp:incident:2'>
<Incident xmlns='urn:ietf:params:xml:ns:iodef-1.0'
purpose='reporting'>
<IncidentID name='jabber.org'>4BF5D2CE-7C90-4860-BEF2-43A7D777D5FF</IncidentID>
<StartTime>2009-04-13T19:05:20Z</StartTime>
<EndTime>2009-04-13T19:27:22Z</EndTime>
<ReportTime>2009-04-13T19:31:07Z</ReportTime>
<Description xml:lang='en'>lots of MUC spammers from clueless.lit!</Description>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='ext-type' ext-type='chatroom'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>operators@muc.xmpp.org</jid>
</AdditionalData>
</Contact>
<RelatedActivity>
<IncidentID name='im.example.com'>133BCE2E-E669-4ECE-B0F8-766B9E65630D</IncidentID>
</RelatedActivity>
<Assessment>
<Impact lang='en' severity='medium' completion='succeeded' type='dos'/>
</Assessment>
<EventData>
<Flow>
<System category='source'>
<Node>
<Address category='ext-category' ext-category='xmpp'>abuser@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>123</Counter>
</Node>
<Node>
<Address category='ext-category' ext-category='xmpp'>luser27@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>47</Counter>
</Node>
</System>
<System category='target'>
<Node>
<Address category='ext-category' ext-category='xmpp'>jdev@conference.jabber.org</Address>
<Address category='ext-category' ext-category='xmpp'>jabber@conference.jabber.org</Address>
<NodeRole category='ext-category' ext-category='xmpp-muc'/>
</Node>
</System>
</Flow>
</EventData>
</Incident>
</report>
</iq>
]]></example>
<p>If the report is contained in an &IQ; stanza of type "set" and the recipient of the report is able to process it, it MUST return an &IQ; stanza of type "result". Error handling will be defined in a future version of this specification.</p>
<p>If the recipient is able to process the report, it MUST return an &IQ; stanza of type "result"; if not, it MUST return an &IQ; stanza of type "error" (error handling will be defined in a future version of this specification).</p>
</section1>
<section1 topic='Inquiry Format and Processing' anchor='inquiry'>
<p>To follow.</p>
<p>When one server wants to find out more information about an incident, it sends an inquiry to another server (not necessarily the server where the incident occurred).</p>
<example caption="An inquiry about an incident"><![CDATA[
<iq from='tigase.org' id='br6a31m9' to='im.flosoft.biz' type='get'>
<inquiry xmlns='urn:xmpp:incident:2'>
<Incident xmlns='urn:ietf:params:xml:ns:iodef-1.0'
purpose='traceback'>
<IncidentID name='jabber.org'>4BF5D2CE-7C90-4860-BEF2-43A7D777D5FF</IncidentID>
</Incident>
</inquiry>
</iq>
]]></example>
<p>If the recipient is able to process the inquiry, it MUST return an &IQ; stanza of type "result" and then send a report about the incident using an &IQ; stanza of type "set" as defined above; if not, it MUST return an &IQ; stanza of type "error" (error handling will be defined in a future version of this specification).</p>
</section1>
<section1 topic='Request Format and Processing' anchor='request'>
<p>To follow.</p>
<p>When one server wants to ask for assistance in resolving an incident, it sends a request to another server (not necessarily the server where the incident occurred).</p>
<p>Here, the server where the attack occurred requests that the server where the attack originated will disable the offending accounts (via the "block-host" value for the 'action' attribute of the IODEF &lt;Expectation/&gt; element).</p>
<example caption="A request for assistance"><![CDATA[
<iq from='jabber.org' id='kq62vx31' to='clueless.lit' type='get'>
<request xmlns='urn:xmpp:incident:2'>
<Incident xmlns='urn:ietf:params:xml:ns:iodef-1.0'
purpose='mitigation'>
<IncidentID name='jabber.org'>4BF5D2CE-7C90-4860-BEF2-43A7D777D5FF</IncidentID>
<StartTime>2009-04-13T19:05:20Z</StartTime>
<EndTime>2009-04-13T19:27:22Z</EndTime>
<ReportTime>2009-04-13T19:31:07Z</ReportTime>
<Description xml:lang='en'>lots of MUC spammers from clueless.lit!</Description>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='ext-type' ext-type='chatroom'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>operators@muc.xmpp.org</jid>
</AdditionalData>
</Contact>
<RelatedActivity>
<IncidentID name='im.example.com'>133BCE2E-E669-4ECE-B0F8-766B9E65630D</IncidentID>
</RelatedActivity>
<Assessment>
<Impact lang='en' severity='medium' completion='succeeded' type='dos'/>
</Assessment>
<EventData>
<Flow>
<System category='source'>
<Node>
<Address category='ext-category' ext-category='xmpp'>abuser@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>123</Counter>
</Node>
<Node>
<Address category='ext-category' ext-category='xmpp'>luser27@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>47</Counter>
</Node>
</System>
<System category='target'>
<Node>
<Address category='ext-category' ext-category='xmpp'>jdev@conference.jabber.org</Address>
<Address category='ext-category' ext-category='xmpp'>jabber@conference.jabber.org</Address>
<NodeRole category='ext-category' ext-category='xmpp-muc'/>
</Node>
</System>
</Flow>
<Expectation action='block-host'/>
</EventData>
</Incident>
</request>
</iq>
]]></example>
<p>If the recipient is able to process the report, it MUST return an &IQ; stanza of type "result"; if not, it MUST return an &IQ; stanza of type "error" (error handling will be defined in a future version of this specification).</p>
</section1>
<section1 topic='Response Format and Processing' anchor='response'>
<p>To follow.</p>
<p>When one server provides assistance in resolving an incident, it sends a response to another server (not necessarily the server where the incident occurred).</p>
<p>Here, the server where the attack originated informs the server where the attack occurred that it has disabled the offending accounts (via the IODEF &lt;HistoryItem/&gt; element).</p>
<example caption="A response to a request for assistance"><![CDATA[
<iq from='clueless.list' id='ic1fa53v' to='jabber.org' type='set'>
<response xmlns='urn:xmpp:incident:2'>
<Incident xmlns='urn:ietf:params:xml:ns:iodef-1.0'
purpose='mitigation'>
<IncidentID name='jabber.org'>4BF5D2CE-7C90-4860-BEF2-43A7D777D5FF</IncidentID>
<StartTime>2009-04-13T19:05:20Z</StartTime>
<EndTime>2009-04-13T19:27:22Z</EndTime>
<ReportTime>2009-04-13T19:31:07Z</ReportTime>
<Description xml:lang='en'>lots of MUC spammers from clueless.lit!</Description>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:incident:2'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='admin' type='person'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>stpeter@jabber.org</jid>
</AdditionalData>
</Contact>
<Contact role='ext-type' ext-type='chatroom'>
<AdditionalData>
<jid xmlns='urn:xmpp:jid:0'>operators@muc.xmpp.org</jid>
</AdditionalData>
</Contact>
<RelatedActivity>
<IncidentID name='im.example.com'>133BCE2E-E669-4ECE-B0F8-766B9E65630D</IncidentID>
</RelatedActivity>
<Assessment>
<Impact lang='en' severity='medium' completion='succeeded' type='dos'/>
</Assessment>
<EventData>
<Flow>
<System category='source'>
<Node>
<Address category='ext-category' ext-category='xmpp'>abuser@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>123</Counter>
</Node>
<Node>
<Address category='ext-category' ext-category='xmpp'>luser27@clueless.lit</Address>
<Counter type='ext-type' ext-type='xmpp-presence'>47</Counter>
</Node>
</System>
<System category='target'>
<Node>
<Address category='ext-category' ext-category='xmpp'>jdev@conference.jabber.org</Address>
<Address category='ext-category' ext-category='xmpp'>jabber@conference.jabber.org</Address>
<NodeRole category='ext-category' ext-category='xmpp-muc'/>
</Node>
</System>
</Flow>
<Expectation action='block-host'/>
</EventData>
<History>
<HistoryItem action='blockquote'>
<DateTime>2009-04-13T19:47:11Z</DateTime>
<Description>Account disabled</Description>
</HistoryItem>
</History>
</Incident>
</response>
</iq>
]]></example>
<p>If the recipient is able to process the report, it MUST return an &IQ; stanza of type "result"; if not, it MUST return an &IQ; stanza of type "error" (error handling will be defined in a future version of this specification).</p>
</section1>
<section1 topic='Internationalization Considerations' anchor='i18n'>
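Review bot: the response example carries two defects that contradict the prose around it. The history entry reads <HistoryItem action='blockquote'>, but the prose says the originating server "has disabled the offending accounts" and the request it answers carries <Expectation action='block-host'/>; 'blockquote' is not an IODEF action value, so this should be action='block-host'. The same example's <iq> opens with from='clueless.list' while every other occurrence of that domain in the hunk is clueless.lit. Two smaller points: the <jid/> wrapper element appears under both xmlns='urn:xmpp:incident:2' and xmlns='urn:xmpp:jid:0' within the same example (and the first two <Contact role='admin'> blocks are identical duplicates), yet the schema hunk below defines <jid/> only in 'urn:xmpp:incident:2', so the 'urn:xmpp:jid:0' occurrences will not validate and should be changed; and the closing paragraphs of the Request and Response sections both say "If the recipient is able to process the report" where they mean the request and the response respectively. Finally, the Interactions list says of <inquiry/> that "the reply will contain a <report/> element", but the Inquiry section specifies an IQ-result followed by a separate IQ-set carrying the report; the two passages should agree on which it is.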
@ -217,8 +357,21 @@
xmlns='urn:xmpp:incident:2'
elementFormDefault='qualified'>
<xs:import namespace='urn:ietf:params:xml:ns:iodef-1.0'/>
<xs:element name='jid' type='xs:string'/>
<xs:element name='inquiry' type='IODEFContainerType'/>
<xs:element name='report' type='IODEFContainerType'/>
<xs:element name='request' type='IODEFContainerType'/>
<xs:element name='response' type='IODEFContainerType'/>
<xs:complexType name="IODEFContainerType">
<xs:sequence xmlns:i='urn:ietf:params:xml:ns:iodef-1.0'>
<xs:element ref='i:Incident' minOccurs='1' maxOccurs='1'/>
</xs:sequence>
</xs:complexType>
</xs:schema>
]]></code>
</section1>
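Review bot: style point on the <xs:complexType name="IODEFContainerType"> line: it is the only line in the schema using double-quoted attributes, where the surrounding lines (xmlns='urn:xmpp:incident:2', type='IODEFContainerType', ref='i:Incident') all use single quotes; switch it to single quotes for consistency. On the i:Incident reference, minOccurs='1' maxOccurs='1' are the XSD defaults and can be dropped. Also worth noting while the schema is being corrected: <xs:element name='jid' type='xs:string'/> accepts any text, and the examples in the preceding hunk use this element under two different namespaces, so the schema as written will only catch the namespace mismatch once the examples consistently use 'urn:xmpp:incident:2'.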