Re: [mile] Request for draft reviews - review of FC5070-bis

"Daniel Piggott" <daniel.piggott@switch2it.co.uk> Fri, 14 June 2013 12:35 UTC

From: Daniel Piggott <daniel.piggott@switch2it.co.uk>
To: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, "'Moriarty, Kathleen'" <kathleen.moriarty@emc.com>, mile@ietf.org, Paul.Stoecker@rsa.com
References: <1C9F17D1873AFA47A969C4DD98F98A753C8AC8@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A753C8AC8@xmb-rcd-x10.cisco.com>
Date: Fri, 14 Jun 2013 13:30:37 +0100
Organization: Switch2IT Ltd
Message-ID: <027901ce68fa$f9eb4060$edc1c120$@piggott>

Hello, is there any update to my response to the document reviewed below?
Sent 6th June 22:57? Kathleen informed me it only made part of the
distribution list.

Thks

Daniel

 

Structured Cybersecurity Information draft (close to final):

http://datatracker.ietf.org/doc/draft-ietf-mile-sci/

 

Having looked through this draft and the example in 11. Appendix III: An XML
Example

 

Would these be worth considering in the IODEF incident schema?

 

An incident classification level or assurance level for each incident?

Mac address of reporting device?

A field for whether any device is virtual or physical?

A hash of each incident raw data?

Memory address space field (as you have PID)?

NTP Time source of the incident device?

 

In the example above in Appendix III below should the service IP protocol be
4?

 

<System category="target">
  <Node>
    <Address category="ipv4-net">192.0.2.16/28</Address>
  </Node>
  <Service ip_protocol="6">
    <Port>80</Port>
  </Service>
</System>

 

And one last question, if the receiving node getting the alerts via IODEF
goes offline
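The System fragment quoted above, run through a small consistency checker. This is an added example, not code from this thread or from any MILE draft; it assumes the IODEF 1.0 namespace from RFC 5070 (urn:ietf:params:xml:ns:iodef-1.0), a hand-picked subset of the IANA protocol-number registry, and a constructed Incident wrapper that is not a complete RFC 5070 document. It checks that an ipv4-net Address really is a network, that ip_protocol is present and known, and that a Port is only given for protocols that carry port numbers.

```python
"""Consistency checks for the System/Node/Service part of an IODEF report.

Added example; not part of the mailing-list thread or of any IETF draft.
Assumes the IODEF 1.0 namespace from RFC 5070 and a small subset of the
IANA "Assigned Internet Protocol Numbers" registry.
"""
import ipaddress
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"iodef": IODEF_NS}

# Subset of the IANA protocol-number registry: 6 is TCP, 17 is UDP,
# 4 is IPv4 encapsulation (IP-in-IP), which has no port numbers at all.
PROTOCOL_NAMES = {1: "ICMP", 4: "IPv4", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE", 132: "SCTP"}
# Protocols for which a <Port> element is meaningful.
PORT_PROTOCOLS = {6, 17, 132}

# Constructed sample built around the fragment quoted in the thread.
SAMPLE = f"""<Incident xmlns="{IODEF_NS}" purpose="reporting">
  <IncidentID name="csirt.example.com">2013-0614-001</IncidentID>
  <EventData>
    <Flow>
      <System category="target">
        <Node>
          <Address category="ipv4-net">192.0.2.16/28</Address>
        </Node>
        <Service ip_protocol="6">
          <Port>80</Port>
        </Service>
      </System>
    </Flow>
  </EventData>
</Incident>"""

# Constructed negative case: a bad prefix length and a port on IP-in-IP.
BAD_SAMPLE = (SAMPLE.replace('ip_protocol="6"', 'ip_protocol="4"')
                    .replace("192.0.2.16/28", "192.0.2.16/33"))


def check_system(system):
    """Return a list of human-readable findings for one <System> element."""
    findings = []
    for addr in system.iterfind("iodef:Node/iodef:Address", NS):
        cat = addr.get("category")
        text = (addr.text or "").strip()
        try:
            if cat == "ipv4-net":
                ipaddress.IPv4Network(text)      # strict: host bits must be zero
            elif cat == "ipv4-addr":
                ipaddress.IPv4Address(text)
            elif cat == "ipv6-net":
                ipaddress.IPv6Network(text)
            elif cat == "ipv6-addr":
                ipaddress.IPv6Address(text)
            # other RFC 5070 categories (mac, e-mail, asn, ...) are not checked here
        except ValueError:
            findings.append(f"address {text!r} is not a valid {cat}")

    for svc in system.iterfind("iodef:Service", NS):
        raw = svc.get("ip_protocol")          # REQUIRED attribute in RFC 5070
        if raw is None:
            findings.append("Service is missing the required ip_protocol attribute")
            continue
        try:
            proto = int(raw)
        except ValueError:
            findings.append(f"ip_protocol {raw!r} is not an integer")
            continue
        name = PROTOCOL_NAMES.get(proto)
        if name is None:
            findings.append(f"ip_protocol {proto} is not in the known protocol table")
        ports = [p.text for p in svc.iterfind("iodef:Port", NS)]
        if ports and proto not in PORT_PROTOCOLS:
            findings.append(f"Port {ports} given but protocol {proto} ({name}) has no port numbers")
    return findings


def check_iodef(xml_text):
    """Parse an IODEF document and collect findings over every <System>."""
    root = ET.fromstring(xml_text)
    findings = []
    for system in root.iter(f"{{{IODEF_NS}}}System"):
        findings.extend(check_system(system))
    return findings


if __name__ == "__main__":
    print("sample:", check_iodef(SAMPLE) or "no findings")
    for f in check_iodef(BAD_SAMPLE):
        print("bad sample:", f)
```

For the quoted fragment the checker reports nothing: ip_protocol 6 is TCP, which is what a Port of 80 implies. Swapping in 4 (IP-in-IP) is flagged because that protocol carries no port numbers, which is the kind of mismatch a receiving CSIRT tool should reject before acting on a report.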

 

From: Panos Kampanakis (pkampana) [mailto:pkampana@cisco.com] 
Sent: 06 June 2013 19:26
To: Moriarty, Kathleen; mile@ietf.org; 'Paul.Stoecker@rsa.com'
(Paul.Stoecker@rsa.com)
Subject: Re: [mile] Request for draft reviews - review of FC5070-bis

 

 

Hi Paul,

 

Good starting point. Some comments and nits below from my first pass.

There should be more when I review again.

 

I remember sometime in the past there was a discussion about what an
incident is and whether that should be updated in 5070. I see that in your
draft an incident is used as it was in 5070. I was just wondering if we had
reached a consensus on it.

 

I also didn't see "uid" and "set id" definitions in the draft.

 

I don't see the EMailDetails class described in the document.

 

Nits:

- Should "This document contains changes with respect to its predecessor
  RFC5070:" be bulleted?
- The list in "This class will contain indicators from the list below" is
  not exactly below. The same for "the following included indicators are
  ones commonly used". And the same for more occurrences of "following" in
  this section.
- I am not sure if we want to keep the "<!-- CHANGE:" comments in the draft.
- There are some XML complexTypes like "SoftwareType" that are described as
  classes in the comments of the IODEF schema, but these are not classes.

I also see that you will have use cases/examples in this doc, so maybe I
will remove mine from the guidance document.
 

Rgs,

Panos

 

 

 

From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of
Moriarty, Kathleen
Sent: Friday, May 17, 2013 2:13 PM
To: mile@ietf.org
Subject: [mile] Request for draft reviews

 

Greetings!

 

We have had a number of documents updated since the last meeting.  Thank you
to all of the editors for making the requested changes!  The current list of
drafts up for review (including those that will be a part of the WG after
the charter update) includes:

 

RFC5070-bis (IODEF Revision):

http://datatracker.ietf.org/doc/draft-ietf-mile-rfc5070-bis/

 

Draft on IODEF Guidance:

(input from experience, real use cases, and draft review will be helpful)

http://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/

 

Structured Cybersecurity Information draft (close to final):

http://datatracker.ietf.org/doc/draft-ietf-mile-sci/

 

IODEF Enumeration Reference Format:

http://datatracker.ietf.org/doc/draft-montville-mile-enum-reference-format/

 

Resource-Oriented Lightweight Indicator Exchange (ROLIE): 

http://datatracker.ietf.org/doc/draft-field-mile-rolie/

 

Please take some time to review the drafts and provide feedback to the list.
It would be helpful if we can iterate on most of them prior to the next
meeting.  A couple of the drafts are very close to being done.  The list of
current drafts and published RFCs can be found at the following link:

http://datatracker.ietf.org/wg/mile/

 

We will follow up soon on the charter update as well.

 

Thank you all in advance!
Kathleen