Re: [mile] re-charter re-boot
"Waltermire, David A." <david.waltermire@nist.gov> Fri, 07 June 2013 14:41 UTC
Return-Path: <david.waltermire@nist.gov>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2F121F96EB for <mile@ietfa.amsl.com>; Fri, 7 Jun 2013 07:41:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.845
X-Spam-Level:
X-Spam-Status: No, score=-4.845 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgOkhHHbP7qX for <mile@ietfa.amsl.com>; Fri, 7 Jun 2013 07:41:00 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 52AB021F9928 for <mile@ietf.org>; Fri, 7 Jun 2013 07:40:54 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 7 Jun 2013 10:40:33 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Fri, 7 Jun 2013 10:40:51 -0400
From: "Waltermire, David A." <david.waltermire@nist.gov>
To: Eric Burger <eburger@standardstrack.com>, "mile@ietf.org IETF" <mile@ietf.org>
Date: Fri, 07 Jun 2013 10:40:50 -0400
Thread-Topic: [mile] re-charter re-boot
Thread-Index: Ac5hgiV83Xv96/NgRE6mJwUXUiaQ1ACCP9mg
Message-ID: <D7A0423E5E193F40BE6E94126930C4930C048394D5@MBCLUSTER.xchange.nist.gov>
References: <3CBA099FBA0AB843895D72474092B8CF27B988@MIVEXAMER1N1.corp.nai.org> <1513DCD0-0332-4FA9-8DC2-7090384D6425@standardstrack.com>
In-Reply-To: <1513DCD0-0332-4FA9-8DC2-7090384D6425@standardstrack.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_D7A0423E5E193F40BE6E94126930C4930C048394D5MBCLUSTERxcha_"
MIME-Version: 1.0
Subject: Re: [mile] re-charter re-boot
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 14:41:08 -0000
Eric, I couldn't agree more. It hasn't been clear what the requirements are that the WG is trying to address. I think we need this higher-level requirements document to help crystalize what work the work group needs to accomplish for this re-chartering cycle. Absent that, I don't see how we can gauge what enhancements are in scope to make to IODEF and what other protocol modifications/additions are needed. Sincerely, Dave From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Eric Burger Sent: Tuesday, June 04, 2013 8:18 PM To: mile@ietf.org IETF Subject: Re: [mile] re-charter re-boot What is really missing, but I am not sure it belongs as a work group document, is a requirements document for the protocol and markup itself. The only thing I could find was RFC 3067. However, those were requirements for a specific network operator with specific needs. On Jun 4, 2013, at 7:14 PM, kent_landfield@mcafee.com<mailto:kent_landfield@mcafee.com> wrote: Hi Panos, I was expecting that to be more of a proper use of the specifications and specification integration document and not an overview of the higher level uses cases of the area these protocols are supporting. If I am wrong then I would love to hear it. If someone has volunteered to be the author for that mile(stone) could they please clarify? If what I am considering is already covered then I am good. ;-) Kent Landfield McAfee | An Intel Company Direct: +1.972.963.7096 Mobile: +1.817.637.8026 Web: www.mcafee.com<http://www.mcafee.com/> From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com<mailto:pkampana@cisco.com>> Date: Tuesday, June 4, 2013 5:24 PM To: Kent Landfield <Kent_Landfield@McAfee.com<mailto:Kent_Landfield@McAfee.com>>, Sean Turner <turners@ieca.com<mailto:turners@ieca.com>>, "mile@ietf.org<mailto:mile@ietf.org>" <mile@ietf.org<mailto:mile@ietf.org>> Subject: RE: [mile] re-charter re-boot The charter looks good to me. Kent, A clarification. Would the doc you are suggesting be different of what Kathleen had in the charter "Provide guidance on the implementation and use of RID transports based on use cases. The guidance document will show the relationship between transport options (RID + RID transport and IODEF/RID + ROLIE) and may identify the need for additional transport bindings." Or did you have something similar in mind? Rgs, Panos From: mile-bounces@ietf.org<mailto:mile-bounces@ietf.org> [mailto:mile-bounces@ietf.org] On Behalf Of Kent_Landfield@McAfee.com<mailto:Kent_Landfield@McAfee.com> Sent: Monday, June 03, 2013 2:10 PM To: turners@ieca.com<mailto:turners@ieca.com>; mile@ietf.org<mailto:mile@ietf.org> Subject: Re: [mile] re-charter re-boot I have no problem with the revised charter as is but I think there is something missing. It would be good to have as a milestone a document that described use cases for these protocols. I rather see this separated out since we are in a situation now of addressing the transport (RID) , the data model for exchange (IODEF) and query/reporting capabilities (ROLIE). We need to tie the three together and a document such as this would help lay a foundation for usage in multiple areas. FWIW... Kent Landfield McAfee | An Intel Company Direct: +1.972.963.7096 Mobile: +1.817.637.8026 Web: www.mcafee.com<http://www.mcafee.com/> From: Sean Turner <turners@ieca.com<mailto:turners@ieca.com>> Date: Monday, June 3, 2013 12:30 PM To: "mile@ietf.org<mailto:mile@ietf.org>" <mile@ietf.org<mailto:mile@ietf.org>> Subject: Re: [mile] re-charter re-boot Comments from anybody else? spt On 5/25/13 9:11 AM, Moriarty, Kathleen wrote: Hi, Sorry for the delay in updating the charter. There is a lot of activity in this space right now as you all know. I took Sean's suggested content and updated it to reflect some of the activity and drivers for additional work in MILE. Several people have mentioned an interest in submitting extensions based on their current work, some in virtualized environments, some for indicator specific formats, some industry specific extensions, etc. There is also work developing by other groups who have mentioned that they will transition their work to an international standards body once it is mature, so room has been left in the charter to accommodate that work. The need for guidance on the transport options has surfaced so that implementers understand when they may choose a specific transport option to enable interoperable interfaces between products. The guidance may be use case specific where tighter security is needed (RID +HTTP/TLS with the object level security options enab led) or w here ease of access is the driver (ROLIE) with no client requirements necessary (can use a browser). We will follow up with the mile stones, here the the re-write: <intro> The Managed Incident Lightweight Exchange (MILE) working group develops standards to support computer and network security incident management; an incident is an unplanned event that occurs in an information technology (IT) infrastructure. An incident could be a benign configuration issue, IT incident, an infraction to a service level agreement (SLA), a system compromise, socially engineered phishing attack, or a denial-of-service (DoS) attack, etc. When an incident is detected, or suspected, there may be a need for organizations to collaborate. This collaboration effort may take several forms including joint analysis, information dissemination, and/or a coordinated operational response. Examples of the response may include filing a report, notifying the source of the incident, requesting that a third party resolve/mitigate the incident, sharing select indicators of compromise, or requesting that the source be located. By sharing indicators of compromise associated with an incident or possible threat, the information becomes a proactive defense for others that may include mitigation options. The Incident Object Description Exchange Format (IODEF) defines an information framework to represent computer and network security incidents; IODEF is defined in RFC 5070 and has been extended by RFC 5091 to support phishing reports; RFC 6484 provides a template for defining extensions to IODEF. Real-time Inter-network Defense (RID) defines a protocol to facilitate sharing computer and network security incidents; RID is defined in RFC 6545, and RID over HTTPS is defined in RFC 6546. </intro> The MILE WG is focused on two areas, IODEF the data format and extensions to represent incident and indicator data and RID, the policy and transport for structured data. With respect to IODEF, the working group will: - Revise the IODEF document to incorporate enhancements and extensions based on operational experience; use by Computer Security Incident Response Teams (CSIRTs) and others has exposed the need to extend IODEF to support industry specific extensions, use case specific content, and representations to associate information related to represented threats (system, threat actors, campaigns, etc.). The value of information sharing has been demonstrated and highlighted at an increasing rate through the success of the Information Sharing and Analysis Centers (ISACs) and the recent cyber security Executive Order in the US. International groups, such as the Multinational Association for Collaborative Cyber Situational Awareness (CCSA) have been running experiments to determine what data is useful to exchange between industries and nations to effectively mitigate threats. The work of these and other groups have identified or are working to develop data representations relevant to their use cases that may compliment/extend IODEF or be useful to exchange using RID and related transport protocols. - Provide guidance on the implementation and use of IODEF to aid implementers in developing interoperable specifications. With respect to RID, the working group will: - Define a resource-oriented approach to cyber security information sharing that follows the REST architectural style. This mechanism will allow CSIRTS to be more dynamic and agile in collaborating with a broader, and varying constituency. - Provide guidance on the implementation and use of RID transports based on use cases. The guidance document will show the relationship between transport options (RID + RID transport and IODEF/RID + ROLIE) and may identify the need for additional transport bindings. - RID may require modifications to address data provenance, additional policy options, or other changes now that there are multiple interoperable implementations of RFC6545 and RFC6546. With the RID implementations in the open source community, increased use and experimentation may demonstrate the need for a revision. <milestones> </milestones> Thank you! Kathleen ________________________________________ From: mile-bounces@ietf.org<mailto:mile-bounces@ietf.org> [mile-bounces@ietf.org<mailto:mile-bounces@ietf.org>] On Behalf Of Sean Turner [turners@ieca.com<mailto:turners@ieca.com>] Sent: Wednesday, May 01, 2013 9:04 PM To: mile@ietf.org<mailto:mile@ietf.org> Subject: [mile] re-charter re-boot Hi, I'd like to propose a significant re-write of the proposed charter. I think there's too much history that's not really needed any more and there's some repetition that's unneeded. I also think it's a little open ended wrt what's actually going to get done. Based on recent experience, I have a strong feeling that the current charter wouldn't get through the process. I'm proposing four sections: intro, iodef-related work, rid-related work, milestones. The intro should: - explain what the WG does: develop standards to do foo. - summarize what foo is. - highlight existing RFCs that are part of the space: IODEF: 5070/5091/6848 & RID: 6545/6546. Then we talk about what drafts the WG will produce for the two topic areas. How about this (or something like this): <intro> The Managed Incident Lightweight Exchange (MILE) working group develops standards to support computer and network security incident management; an incident is an unplanned event that occurs in an information technology (IT) infrastructure. An incident could be a benign configuration issue, IT incident, an infraction to a service level agreement (SLA), a system compromise, socially engineered phishing attack, or a denial-of-service (DoS) attack, etc. When an incident is detected, or suspected, there may be a need for organizations to collaborate. This collaboration effort may take several forms including joint analysis, information dissemination, and/or a coordinated operational response. Examples of the response may include filing a report, notifying the source of the incident, requesting that a third party resolve/mitigate the incident, sharing indicators of compromise, or requesting that the source be located. The Incident Object Description Exchange Format (IODEF) defines an information framework to represent computer and network security incidents; IODEF is defined in RFC 5070 and has been extended by RFC 5091 to support phishing reports; RFC 6484 provides a template for defining extensions to IODEF. Real-time Inter-network Defense (RID) defines a protocol to facilitate sharing computer and network security incidents; RID is defined in RFC 6545, and RID over HTTPS is defined in RFC 6546. </into> This working group does two things IODEF and RID; we should be clear about that and then list the actual documents we're going to produce that relate to each one. For the list of deliverables it looks like there's three 5070bis, a reference/guidance draft, and a resource-oriented indicator exchange? Questions: Are the GRC and Forensic drafts dead-dead? I assume they'd not be included in the milestone list. Is there going to only be one 5070bis draft or will there be a 5070bis + other optional extension drafts? I assume it's just a 5070bis based on the milestones but thought I'd ask. Are we only extending IODEF based on use or is there something else we need to consider? How about something along the lines of (need some help filling in the blanks): <iodef> With respect to IODEF, the working group will: - Revise the IODEF document to incorporate enhancements and extensions based on operational experience; use by Computer Security Incident Response Teams (CSIRTs) and others has exposed the need to extend IODEF to support x, y, z (need to have some idea what's missing) base on a, b, c (need to know a bit more about why stuff is missing did something new pop up?). - Provide guidance on the implementation and use of IODEF to aid implementers in developing interoperable specifications. </iodef> For RID: Are we also doing defining guidance for RID as well or is that incorporated in the IODEF guidance? Is RID itself going to be untouched and we're just producing a new "transport"? Is it just for indicators or is it for the whole incident? Or has "indicators" over taken "incident"? <rid> With respect to RID, the working group will: - Define a resource-oriented approach to cyber security information sharing that follows the REST architectural style. This mechanism will allow CSIRTS to be more dynamic and agile in collaborating with a broader, and varying constituency. </rid> <milestones> These looked fine, but I'd like some actual dates for the TBDs ;) </milestones> spt _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile
- [mile] re-charter re-boot Sean Turner
- Re: [mile] re-charter re-boot Moriarty, Kathleen
- Re: [mile] re-charter re-boot Moriarty, Kathleen
- Re: [mile] re-charter re-boot Sean Turner
- Re: [mile] re-charter re-boot Kent_Landfield
- Re: [mile] re-charter re-boot Sean Turner
- Re: [mile] re-charter re-boot Kent_Landfield
- Re: [mile] re-charter re-boot Eric Burger
- Re: [mile] re-charter re-boot Sean Turner
- Re: [mile] re-charter re-boot Panos Kampanakis (pkampana)
- Re: [mile] re-charter re-boot Kent_Landfield
- Re: [mile] re-charter re-boot Eric Burger
- Re: [mile] re-charter re-boot Sean Turner
- Re: [mile] re-charter re-boot Kent_Landfield
- Re: [mile] re-charter re-boot Waltermire, David A.
- Re: [mile] re-charter re-boot Moriarty, Kathleen
- Re: [mile] re-charter re-boot Kent_Landfield
- Re: [mile] re-charter re-boot John Field