IETF Logo Mail Archive

Re: [mile] Working Group Last Call for draft-ietf-mile-sci

Ian Hardman <Ian.Hardman@blackthorn.com> Mon, 15 July 2013 16:19 UTC

Return-Path: <Ian.Hardman@blackthorn.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 039E011E8178 for <mile@ietfa.amsl.com>; Mon, 15 Jul 2013 09:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p+7Tnni1G6CS for <mile@ietfa.amsl.com>; Mon, 15 Jul 2013 09:19:23 -0700 (PDT)
Received: from mail.qccis.com (mail.qccis.com [46.65.209.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5C9D11E8118 for <mile@ietf.org>; Mon, 15 Jul 2013 09:18:45 -0700 (PDT)
Received: from qccsrv13.qcc.local ([10.1.0.13]) by qccsrv13.qcc.local ([10.1.0.13]) with mapi; Mon, 15 Jul 2013 17:18:37 +0100
From: Ian Hardman <Ian.Hardman@blackthorn.com>
To: "mile@ietf.org" <mile@ietf.org>
Date: Mon, 15 Jul 2013 17:18:35 +0100
Thread-Topic: [mile] Working Group Last Call for draft-ietf-mile-sci
Thread-Index: Ac58ad1+1qXeIhPWQU26W+11bwt8fwABR+uAATDX45AACMWS4AAIB3HQ
Message-ID: <43E1A65ED32E444C9DBE53F853C1E47893C8FE5D50@qccsrv13.qcc.local>
References: <5E860DD6-0BCD-4B02-94F8-9C5F03CEAFDA@tik.ee.ethz.ch> <43E1A65ED32E444C9DBE53F853C1E47893C8FE566E@qccsrv13.qcc.local> <43E1A65ED32E444C9DBE53F853C1E47893C8FE5C50@qccsrv13.qcc.local> <F5063677821E3B4F81ACFB7905573F24DF2F83DA@MX15A.corp.emc.com>
In-Reply-To: <F5063677821E3B4F81ACFB7905573F24DF2F83DA@MX15A.corp.emc.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: multipart/mixed; boundary="_003_43E1A65ED32E444C9DBE53F853C1E47893C8FE5D50qccsrv13qcclo_"
MIME-Version: 1.0
Subject: Re: [mile] Working Group Last Call for draft-ietf-mile-sci
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2013 16:19:25 -0000

Kathleen has ask me to forward these documents to you.

These documents contain a summary based on alert handling, but there are a number of other areas we would like see implemented.

The main issue we have when synchronising incidents, when particular objects/XML elements are either:
        repeated through the XML exchange (typically with people) or
        there has been no change since it was last sent

We believe all the XML Elements need some method of referring to the objects/elements without having to supply the whole object again.  For example:

o)  party A sent information regarding an incident to party B.
o) it was later found out a known threat source was influencing a threat agent
o) information need to be resent with just the packet stating that that known threat source was now influencing the threat agent.

Then viz
o) it was later found out a known threat source was no longer influencing that threat agent
o) information need to be resent with just the packet stating that that known threat source was no longer influencing the threat agent.

There may be something in the specification we have not picked up on but we add attributes to say where we are just referencing object and the process.

Anyway see what you think and any help in standardising data interchange will be much appreciated.


Thanks,

Ian

-----Original Message-----
From: Moriarty, Kathleen [mailto:kathleen.moriarty@emc.com]
Sent: 15 July 2013 13:28
To: Ian Hardman
Cc: Neil Hare-Brown; mile-chairs@tools.ietf.org
Subject: RE: [mile] Working Group Last Call for draft-ietf-mile-sci

Hi Ian,

I should have gone through all of the materials before sending my first email.  The presentation looks great for the workshop on the 26th and will be really helpful for people to understand what has been done for your use case.

For a draft, any extensions you have created that you think could be of broader use, like the alerting would be good to submit as a draft to MILE creating an extension.  The extension could be off the SCI draft or direct to IODEF.  For altering, if you want that off the SCI draft, you may need to ask Take to create a branch where that is appropriate, or use the EventReport with a special tag or something?  I would ask that you provide this feedback as soon as possible on list since the draft is in last call for about another week.  If you do want to get in a draft and present it at the MILE meeting (get a slot on the MILE agenda too).

Your document also includes some recommended changes to IODEF.  Could you post those to the list and also to the tool Roman started using to track IODEF issues?  We can get the working group to weigh in on them and should be able to fix it in RFC5070-bis.


Please let us know if you have any questions.

Thank you!
Kathleen

-----Original Message-----
From: Ian Hardman [mailto:Ian.Hardman@blackthorn.com]
Sent: Monday, July 15, 2013 4:26 AM
To: Moriarty, Kathleen
Cc: Neil Hare-Brown
Subject: RE: [mile] Working Group Last Call for draft-ietf-mile-sci

Kathleen,

There are a number of points that we would like see implemented to aid data transfer between hosts.

I have attached a document which contains a summary based on alert handling, but there are a number of other areas we would like see implemented.

The main issue we have when synchronising incidents, when particular objects/XML elements are either
        repeated through the XML exchange (typically with people) or
        there has been no change since it was last sent

As you can tell this can lead to large XML file, particular when you are looking at files (RecordData).  This was also brought up in the BCS meeting.  How we implemented it,  is to pass the unique id of the element and/or the unique external reference of the element and passing an attribute to say "no change".  Maybe it is already included and we haven't seen it.  Either way it would be good to get a standard on this.

I am not too sure how we should be submitting these ideas, or should we just discuss it in Berlin?

Many thanks.

Ian



-----Original Message-----
From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Brian Trammell
Sent: 09 July 2013 07:02
To: MILE IETF
Subject: [mile] Working Group Last Call for draft-ietf-mile-sci

Greetings, all,

This is the Working Group Last Call for draft-ietf-mile-sci, IODEF-extension for structured cybersecurity information.

The last call starts now, and ends Saturday 27 July, just before the IETF 87 meeting in Berlin.

Please read the latest revision of the draft, http://tools.ietf.org/html/draft-ietf-mile-sci-08, and send your comments to the mailing list; we'd also appreciate a comment if you're fine with the draft as is.

Many thanks, and best regards,

Brian

_______________________________________________
mile mailing list
mile@ietf.org
https://www.ietf.org/mailman/listinfo/mile

This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately, and do not disclose the contents to another person, use it for any purpose, or store, or copy the information in any medium. Please also destroy and delete the message from your computer.

This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately, and do not disclose the contents to another person, use it for any purpose, or store, or copy the information in any medium. Please also destroy and delete the message from your computer.

v2.23.0 | Report a Bug | By Email