Re: [I2nsf] Security event reporting management - the firstMILE
"Susan Hares" <shares@ndzh.com> Thu, 24 March 2016 22:30 UTC
I2NSF people:

The I2NSF gap analysis and I2RS work on management flows during DDoS or network attacks (I'm a co-chair) cause me to realize there was something different during periods of outage/network attack. The growth of this is expanding beyond the management interfaces to BGP. BGP's Flow Specification is being expanded to spread flow filters (RFC5575++++) (another WG I co-chair) that help stop DDoS attacks in carriers.

After being hit with the perfect storm of needs in 3 WGs, Bob and I looked at the problem (draft-hares-i2nsf-mgtflow) and solutions. I suspect the first thing to look at is the problem and provide us feedback. If you want to discuss the solutions, we are glad to chat about it as well.

Sue

-----Original Message-----
From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Robert Moskowitz
Sent: Tuesday, March 22, 2016 12:09 PM
To: i2nsf@ietf.org
Subject: [I2nsf] Security event reporting management - the firstMILE

One of the functions described within the I2NSF environment is monitoring security events. I have not found any IETF work covering general security alerts from security defense devices aside from the specific DDoS reporting in DOTS. So I have developed firstMILE:

https://www.ietf.org/internet-drafts/draft-moskowitz-firstmile-00.txt

which proposes a sub/pub model including initial registration for security alerts reporting. At this point the draft is more a skeleton for hanging how the three components work:

- Registration of security device to monitor(s).
- Subscription of monitors for specific reporting.
- Publication of security reports to subscribed monitors.

I have covered some of the requirements for these components. I bring this to the I2NSF workgroup for:

- Is this something the I2NSF wg should talk on?
- And am I correct that currently security alert reporting is not covered within the IETF?

For the pub portion, I hold that the requirements align with the DOTS requirements, other than the bi-directional communications needs. Do others agree? If so, I have a DOTS draft:

https://www.ietf.org/internet-drafts/draft-moskowitz-dots-ssls-02.txt
DOTS Secure Session Layer Services

This introduces a real session layer, something really not present in the IETF stack, that provides a set of services. SSLS and its services are laid out in:

https://www.ietf.org/internet-drafts/draft-hares-i2nsf-ssls-00.txt

Sue and I developed the design for SSLS, as it is broadly applicable in a number of areas under i2nsf. Two other drafts that fit into this architecture are:

https://www.ietf.org/internet-drafts/draft-moskowitz-sse-03.txt
and
https://www.ietf.org/internet-drafts/draft-moskowitz-gpcomp-00.txt

SO..... I open the floor to discussion. I would be interested in how others see this part of the security defense environment. I am interested in how others see SLS and particularly SSLS and its use for firstMILE pub.

I have requested a slot in the meeting to cover my work.
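The three firstMILE components Robert lists in the quoted message (registration, subscription, publication), modelled as an added example to show how the state of each step gates the next: a monitor can only subscribe to a device that registered with it, and a report reaches only the monitors subscribed to that device and category. This is constructed illustration code, not anything from the draft or its authors; the broker class, the device/monitor identifiers and the report categories are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Report:
    """One security report as published by a device (constructed shape)."""
    device_id: str
    category: str   # hypothetical category label, e.g. "ddos"
    detail: str


class FirstMileBroker:
    """Hypothetical broker holding registration and subscription state."""

    def __init__(self):
        self.registered = {}                   # device_id -> monitor ids it registered with
        self.subscriptions = defaultdict(set)  # (device_id, category) -> subscribed monitor ids
        self.inbox = defaultdict(list)         # monitor_id -> reports delivered to it

    def register(self, device_id, monitor_ids):
        """Step 1: a security device registers with one or more monitors."""
        self.registered[device_id] = set(monitor_ids)

    def subscribe(self, monitor_id, device_id, category):
        """Step 2: a monitor subscribes to a specific report category from a device.
        Refused unless the device registered with this monitor."""
        if monitor_id not in self.registered.get(device_id, set()):
            return False
        self.subscriptions[(device_id, category)].add(monitor_id)
        return True

    def publish(self, report):
        """Step 3: deliver to subscribed monitors only; unregistered publishers
        are dropped. Returns the number of monitors that received the report."""
        if report.device_id not in self.registered:
            return 0
        targets = self.subscriptions.get((report.device_id, report.category), set())
        for monitor_id in targets:
            self.inbox[monitor_id].append(report)
        return len(targets)


def demo():
    """Walk the three steps with constructed identifiers and return the outcomes."""
    broker = FirstMileBroker()
    broker.register("fw-1", ["soc-a", "soc-b"])
    ok_a = broker.subscribe("soc-a", "fw-1", "ddos")       # registered monitor
    ok_c = broker.subscribe("soc-c", "fw-1", "ddos")       # fw-1 never registered with soc-c
    n_ddos = broker.publish(Report("fw-1", "ddos", "SYN flood toward 203.0.113.10:443"))
    n_other = broker.publish(Report("fw-1", "malware", "no subscriber for this category"))
    n_unreg = broker.publish(Report("fw-9", "ddos", "unregistered device, dropped"))
    return ok_a, ok_c, n_ddos, n_other, n_unreg, len(broker.inbox["soc-a"]), len(broker.inbox["soc-b"])
```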