Re: [mile] Request for draft reviews - review of FC5070-bis
"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Fri, 28 June 2013 14:08 UTC
From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, "daniel.piggott@switch2it.co.uk" <daniel.piggott@switch2it.co.uk>, "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, "mile@ietf.org" <mile@ietf.org>, "Stoecker, Paul" <Paul.Stoecker@rsa.com>, Roman Danyliw <rdd@cert.org>
Date: Fri, 28 Jun 2013 10:07:43 -0400
Message-ID: <F5063677821E3B4F81ACFB7905573F24DF1B833C@MX15A.corp.emc.com>
References: <1C9F17D1873AFA47A969C4DD98F98A753C8AC8@xmb-rcd-x10.cisco.com> <027901ce68fa$f9eb4060$edc1c120$@piggott@switch2it.co.uk> <001101ce6bea$f89a8ac0$e9cfa040$@nict.go.jp>
In-Reply-To: <001101ce6bea$f89a8ac0$e9cfa040$@nict.go.jp>
Subject: Re: [mile] Request for draft reviews - review of FC5070-bis
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
Roman & Paul,

Can you help on Daniel's questions below? If possible, can we iterate on the draft before the next meeting as well to address some of the questions raised at the last IETF meeting? I believe we have some other outstanding questions on this draft; I will re-forward them if I can find them.

Thank you!
Kathleen

-----Original Message-----
From: Takeshi Takahashi [mailto:takeshi_takahashi@nict.go.jp]
Sent: Tuesday, June 18, 2013 2:14 AM
To: daniel.piggott@switch2it.co.uk; 'Panos Kampanakis (pkampana)'; Moriarty, Kathleen; mile@ietf.org; Stoecker, Paul
Subject: RE: [mile] Request for draft reviews - review of FC5070-bis

Hi Daniel and all,

Though the discussion is on IODEF-bis rather than IODEF-SCI, I hope you do not mind my sharing my opinion here :)

> Would these be worth considering in the IODEF incident schema?

I agree.

> An incident classification level or assurance level for each incident?

I feel that the assurance or trustworthiness of the information is something we could consider outside the IODEF document. The sender can describe "Confidence" instead of the trustworthiness. (E.g., I cannot say that I myself am a very trustworthy sender of the information, but I can say that I am confident in the information. The receiver can judge whether he/she trusts me or not.)

> Mac address of reporting device?

I think it is a good idea. The "person" who reports an IODEF document could be a machine, such as an IDS. For instance, we could reconsider the structure of the "Contact" class.

> A field for whether any device is virtual or physical?

I agree.

> A hash of each incident raw data?
> Memory address space field (as you have PID)?

I agree on the usefulness of this information. Instead of extending IODEF itself, we could consider using an external schema for that purpose. These could then be embedded into an IODEF document through the use of IODEF-SCI.

> NTP Time source of the incident device?

I agree.

> In the example above in Appendix III below should the service IP protocol be 4?

I've used the example described in RFC 5070, and I didn't realize this point. Thank you for pointing it out.

Kind wishes,
Take

From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Daniel Piggott
Sent: Friday, June 14, 2013 9:31 PM
To: 'Panos Kampanakis (pkampana)'; 'Moriarty, Kathleen'; mile@ietf.org; Paul.Stoecker@rsa.com
Subject: Re: [mile] Request for draft reviews - review of FC5070-bis

Hello, is there any update to my response to the document reviewed below? Sent 6th June 22:57? Kathleen informed me it only made part of the distribution list.

Thks
Daniel

Structured Cybersecurity Information draft (close to final):
http://datatracker.ietf.org/doc/draft-ietf-mile-sci/

Having looked through this draft and the example "11. Appendix III: An XML Example", would these be worth considering in the IODEF incident schema?

An incident classification level or assurance level for each incident?
Mac address of reporting device?
A field for whether any device is virtual or physical?
A hash of each incident raw data?
Memory address space field (as you have PID)?
NTP Time source of the incident device?

In the example above in Appendix III below, should the service IP protocol be 4?

  <System category="target">
    <Node>
      <Address category="ipv4-net">192.0.2.16/28</Address>
    </Node>
    <Service ip_protocol="6">
      <Port>80</Port>
    </Service>
  </System>

And one last question, if the receiving node getting the alerts via IODEF goes offline

From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com]
Sent: 06 June 2013 19:26
To: Moriarty, Kathleen; mile@ietf.org; 'Paul.Stoecker@rsa.com' (Paul.Stoecker@rsa.com)
Subject: Re: [mile] Request for draft reviews - review of FC5070-bis

Hi Paul,

Good starting point. Some comments and nits below from my first pass. There should be more when I review again.

I remember sometime in the past there was a discussion about what an incident is and whether that should be updated in 5070. I see that in your draft an incident is used as it was in 5070. I was just wondering if we had reached a consensus on it.

I also didn't see "uid" and "set id" definitions in the draft.

I don't see the EMailDetails class described in the document.

Nits:
- Should "This document contains changes with respect to its predecessor RFC5070:" be bulleted?
- The list in "This class will contain indicators from the list below" is not exactly below. The same for "the following included indicators are ones commonly used". And the same for more occurrences of "following" in this section.
- I am not sure if we want to keep the "<!-- CHANGE:" comments in the draft.
- There are some XML complexTypes like "SoftwareType" that are described as classes in the comments in the IODEF schema, but these are not classes.

I also see that you will have use cases/examples in this doc, so maybe I will remove mine from the guidance document.

Rgs,
Panos

From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Moriarty, Kathleen
Sent: Friday, May 17, 2013 2:13 PM
To: mile@ietf.org
Subject: [mile] Request for draft reviews

Greetings!

We have had a number of documents updated since the last meeting. Thank you to all of the editors for making the requested changes!

The current list of drafts up for review (including those that will be a part of the WG after the charter update) includes:

RFC5070-bis (IODEF Revision):
http://datatracker.ietf.org/doc/draft-ietf-mile-rfc5070-bis/

Draft on IODEF Guidance (input from experience, real use cases, and draft review will be helpful):
http://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/

Structured Cybersecurity Information draft (close to final):
http://datatracker.ietf.org/doc/draft-ietf-mile-sci/

IODEF Enumeration Reference Format:
http://datatracker.ietf.org/doc/draft-montville-mile-enum-reference-format/

Resource-Oriented Lightweight Indicator Exchange (ROLIE):
http://datatracker.ietf.org/doc/draft-field-mile-rolie/

Please take some time to review the drafts and provide feedback to the list. It would be helpful if we can iterate on most of them prior to the next meeting. A couple of the drafts are very close to being done.

The list of current drafts and published RFCs can be found at the following link:
http://datatracker.ietf.org/wg/mile/

We will follow up soon on the charter update as well.

Thank you all in advance!
Kathleen
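For anyone checking the ip_protocol question Daniel raises in the thread, here is an added example (editor's code, not from the thread or from any MILE draft) that parses the quoted <System> element and resolves its ip_protocol attribute against the IANA protocol-numbers registry, flagging a <Port> child on a protocol whose header carries no port field. The registry table is a hand-picked subset of the IANA assignments, and the fragment is assumed to be namespace-free, as it was quoted.

```python
"""Resolve the ip_protocol attribute of IODEF <Service> elements.

Added example for the mailing-list thread above; not code from any MILE
draft. The <System> fragment is the one quoted in the thread, with its
closing tag restored; the protocol table is a subset of the IANA
"Assigned Internet Protocol Numbers" registry.
"""
import xml.etree.ElementTree as ET

# Subset of IANA protocol numbers (the value of ip_protocol is the
# 8-bit Protocol field of the IPv4 header / Next Header of IPv6).
IANA_PROTOCOLS = {
    1: "ICMP",
    4: "IPv4",       # IP-in-IP encapsulation, not a transport protocol
    6: "TCP",
    17: "UDP",
    41: "IPv6",      # IPv6 encapsulation
    58: "IPv6-ICMP",
    132: "SCTP",
}

# Only these protocols have port numbers in their header, so only under
# these does a <Port> child carry meaning.
PORT_BEARING = {6, 17, 132}

# Constructed input: the <System> element quoted in the thread.
SAMPLE_SYSTEM = """\
<System category="target">
  <Node>
    <Address category="ipv4-net">192.0.2.16/28</Address>
  </Node>
  <Service ip_protocol="6">
    <Port>80</Port>
  </Service>
</System>
"""


def describe_service(system_xml):
    """Summarise every <Service> under a namespace-free <System> fragment.

    Each entry carries the numeric ip_protocol, its IANA name (None when
    the number is not in the table above), the listed ports, and a list
    of consistency warnings.
    """
    root = ET.fromstring(system_xml)
    results = []
    for svc in root.iter("Service"):
        warnings = []
        try:
            proto = int(svc.get("ip_protocol"))
        except (TypeError, ValueError):
            proto = None
            warnings.append("ip_protocol missing or non-numeric")
        if proto is not None and not 0 <= proto <= 255:
            warnings.append("ip_protocol outside 0-255")
        name = IANA_PROTOCOLS.get(proto)
        ports = [int(p.text) for p in svc.findall("Port")]
        if ports and proto not in PORT_BEARING:
            warnings.append(
                "Port given but %s has no port field" % (name or proto))
        results.append({"ip_protocol": proto, "name": name,
                        "ports": ports, "warnings": warnings})
    return results


if __name__ == "__main__":
    for entry in describe_service(SAMPLE_SYSTEM):
        print(entry)
    # The same element with 4 substituted, so the consistency check fires.
    variant = SAMPLE_SYSTEM.replace('ip_protocol="6"', 'ip_protocol="4"')
    for entry in describe_service(variant):
        print(entry)
```

Run stand-alone it prints one summary for the fragment as quoted and one for the same fragment with the value 4 substituted; the second carries a warning because protocol 4 is IP-in-IP encapsulation and has no port field for the <Port>80</Port> child to refer to.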