Extended Incident Handling (INCH) WG Minutes
<BR>
IETF 58 - Thursday, 13.00-15.00, November 13, 2003
<BR>
Minneapolis, USA
<BR>

<BR>
                Chair: Roman Danyliw &lt;rdd@cert.org&gt;
<BR>
Security Area Adviser: Steven Bellovin &lt;smb@research.att.com&gt;
<BR>

<BR>
---[ Agenda ]-----------------------------------------------------------
<BR>

<BR>
  o Administrative
<BR>
      - WG issues
<BR>
      - status of the drafts
<BR>

<BR>
  o Implementation
<BR>
      - CERT/CC: libair
<BR>
      - eCSIRT.net: ihsh
<BR>
      - JPCERT/CC: IODEF verifier
<BR>

<BR>
  o Potential related work
<BR>
      - draft-moriarty-ddos-rid-05
<BR>

<BR>
  o Requirements Review 
<BR>
      - draft-ietf-inch-requirements-02
<BR>

<BR>
  o Data Model Review 
<BR>
      - draft-ietf-inch-iodef-02
<BR>

<BR>

<BR>
---[ Administrative ]---------------------------------------------------
<BR>

<BR>
o rfc3067-bis draft dropped in favor of draft-ietf-inch-requirements-02
<BR>

<BR>
o Updates to the schedule were made to reflect a slight slippage in the delivery dates (WG last-call) of the WG drafts.
<BR>

<BR>
 ] NOV 03    Initial I-D of the implementation guidelines document
<BR>
 ] DEC 03    Submit requirements I-D to the IESG as Informational
<BR>
 ] FEB 03    Submit incident data language specification I-D to the IESG as Proposed Standard
<BR>
 ] MAR 04    Submit implementation guidelines I-D to the IESG as Informational
<BR>

<BR>
o Future Direction of the WG
<BR>
     o IODEF exchange protocol
<BR>
     o Interoperability testing
<BR>
     o Is IODEFa generic framework?  How to handle extensions?
<BR>

<BR>
---[ Implementation ]---------------------------------------------------
<BR>

<BR>
There are at least four implementation of IODEF being used for various projects.  The authors of three IODEF implementations presented status updates on their efforts.
<BR>

<BR>
  o CERT/CC: libair  (Roman Danyliw)
<BR>
    see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-libair.pdf&gt;
<BR>

<BR>
  o eCSIRT.net: ihsh  (Roman Danyliw for Arne Helme)
<BR>
    see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-ecsirt-cl.pdf&gt;
<BR>
    see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-ecsirt-ihsh.pdf&gt;
<BR>

<BR>
  o JPCERT/CC: IODEF verifier (Hiroyuki Kido)
<BR>
    see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-jpcertcc.pdf&gt;
<BR>

<BR>
Note: XML-IODEF (in CPAN) of JANET-CERT is the fourth implementation.
<BR>

<BR>
---[ Related Work ]-----------------------------------------------------
<BR>

<BR>
Kathleen Moriarty presented on RID-DoS (Real-time Inter-network Defense against Denial of Server Attacks), a protocol for network peers to exchange information during a DoS (see draft-moriarty-ddos-rid-05).
<BR>

<BR>
see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-rid.pdf&gt;
<BR>

<BR>
Comments and Discussion:
<BR>

<BR>
The proposal of this work prompted a larger discussion of the scope of the working group.  With this draft and the current implementation results, interest in expanding the data model and providing an exchange protocol was expressed.
<BR>

<BR>
Several approaches were discussed as to how to expanding the scope of the data model.  However, the clear consensus was that the community needs an unchanging model to allow adoption.  Hence, the existing data model draft should be published as is.  With regard to the desire to add RID or statistics to IODEF, separate WG drafts would be accepted.  These drafts would be extensions of the current IODEF data-model making using of the &lt;AdditionalData&gt; element.
<BR>

<BR>
Updating of the WG charter will be required to support this extension drafts.  Text was submitted to the AD to this effect shortly after the meeting.
<BR>

<BR>
Consensus on designing (or adopting) an exchange protocol was not present.  Further discussion about taking on this work (and re-chartering) is required.
<BR>

<BR>
---[ Requirements ]-----------------------------------------------------
<BR>

<BR>
Glenn Mansfield Keeni and Yuri Demchenko prepared a presentation to address the major changes since the 01 draft of the requirement draft (draft-ietf-inch-requirements-02).  It is the feeling of the authors that this draft should be ready for WG last call in December 2003.
<BR>

<BR>
see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-req.pdf&gt;
<BR>

<BR>
Comments and Discussion:
<BR>

<BR>
  o The use of SHOULD and MUST needs to be evaluated in the requirements
<BR>
  
<BR>
---[ Data Model ]-------------------------------------------------------
<BR>

<BR>
Jan Meijer presented a review of the open issues related to the current data model (draft-ietf-inch-iodef-02).  The most significant change to the draft will be the conversion of the DTD to an XML Schema.
<BR>

<BR>
see: &lt;http://www.andrew.cmu.edu/~rdanyliw/inch/ietf58/ietf58-inch-datamodel.pdf&gt;
<BR>

<BR>
Comments and Discussion:
<BR>

<BR>
  o Continued investigation into XML-Signature will be required
<BR>

<BR>
  o While the use of XML Schema is not an IETF requirement, it should be adopted regardless
<BR>

<BR>
  o Once the Schema is complete, the use of the IETF designated XML-Doctors, and other XML experts is desirable
<BR>

<BR>
  o The use of terms defined in the requirements document should be consistent with the data model document