CARIS Workshop Summary and Reflection

Kathleen Moriarty, Security AD & CARIS Program Committee Chair

The day-long Coordinating Attack Response at Internet Scale (CARIS) workshop, hosted by the Internet Architecture Board (IAB) and the Internet Society (ISOC), took place last Friday in coordination with the Forum for Incident Response and Security Teams (FIRST) Conference in Berlin. The workshop included members of the FIRST community, attack response working group representatives (APWG, ACDC, etc.), network & security operators, RIR representatives, researchers, vendors, and representatives from standards communities. Key goals of the workshop were to improve mutual awareness, understanding, and coordination among the diverse participating organizations. The workshop also aimed at providing greater awareness of existing efforts to mitigate specific types of attacks, and greater understanding of the options others have to collaborate and engage with these efforts.

The day-long workshop included a mix of invited and selected speakers with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room. There were approximately 50 participants engaged in the CARIS workshop from the 25 papers received and an additional 20 template submissions. The template submissions will be maintained at the Internet Society web site and as a result of the workshop will be amended to provide additional value to the computer security incident response teams (CSIRTs) and attack response communities/operators on their information exchange activities. The CARIS participants found the template submissions to be very useful in coordinating their future attack mitigation efforts. Nothing like this had previously been done — this is open for the global community and hosted in a neutral location. All submissions are linked from the agenda.

The workshop talks and panels involved full participation from attendees who were required to read all other submissions.  The panels were organized to spur conversation between specific groups to see if we could further progress towards more efficient and effective attack mitigation efforts.  See paper and blog series for additional information on possible approaches to accomplish more effective attack response and information exchanges with methods that require fewer analysts.

Panel groups:

  • Coordination between CSIRTs and attack response mitigation efforts
  • Distributed Denial of Service and Botnet researchers, vendors, and operators
  • Infrastructure: DNS and RIR providers and researchers
  • Trust and Privacy with the exchange of potentially sensitive information
  • IAB wrap up for architecture next steps

There were a few items that stood out to me from the workshop (more to be included in the formal report):

  1. The participants are interested in expanded information on the resources and assistance offered by the RIRs and DNS providers.  Participants are going to define what is needed with follow through on next steps.
  2. Another recurring theme was the lack of knowledge by the community of basic security principles such as ingress and egress filtering explained in BCP38. The CSIRTs, operators, and vendors of attack mitigation tools found this particularly frustrating. As a result, follow-up activities may include determining whether security guidance BCPs require updates or whether there are opportunities to educate on these basic principles already documented by the IETF.
  3. After the workshop, the Internet Society hosted a three-and-a-half-hour boat tour through the canals of Berlin, offering additional time for collaboration among participants. One of the lively discussions was the need for better transports for information exchange. As the author of Real-time Inter-network Defense (RID), I agree. RID was written more than 10 years ago and while the patterns established still show promise, there are updated solutions being worked on. One such solution is in the IETF DOTS working group, which has an approach similar to RID with updated formats and protocols to meet the demands of today’s DDoS attacks. While TAXII (another transport option) is just in transition to OASIS, its base is similar to RID in its use of SOAP-like messaging, which will likely prevent it from scaling to the demands of the Internet. Vendors also cited several interoperability challenges in TAXII. Alternatively, XMPP-Grid has been proposed in the IETF SACM working group and it offers promise as the data exchange protocol. XMPP inherently meets the requirements for today’s information exchanges with features such as publish/subscribe, federation, and use of a control channel. XMPP-Grid is taking off too, with at least 10 current vendors using open source code in their products and several more planning to add support. Review and discussion of this draft would be helpful. REST was also brought up as a needed interface. IETF’s MILE has a draft detailing a common RESTful interface (ROLIE) that could be used with any data format and may be of interest. It would be good to hear from the community if this draft is of value to assist with that gap and it would be resurrected if helpful.

This blog just offers a taste of the workshop and a full report will be forthcoming as will follow-up from the IAB on this important meeting. As the workshop chair, I was very excited that the CARIS workshop had over 20% female participation! In a field where the percentage is usually between 12-18%, this was impressive.

I would like to offer a sincere thank you to each of the program committee members as well as our sponsors:

  • FIRST provided a room and excellent facilities in partnership with their annual conference in Berlin.
  • The Internet Society hosted the social event, a boat ride through the canals of Berlin.
  • EMC Corporation provided lunch, snacks and coffee throughout the day to keep us going!

Program Committee:
Matthew Ford, Internet Society, UK
Ted Hardie, Google
Joe Hildebrand, Cisco, USA
Eliot Lear, Cisco, Switzerland
Kathleen M. Moriarty, EMC Corporation, USA
Andrew Sullivan, Dyn
Brian Trammell, ETH Zurich, Switzerland

New Ideas for IETF Education


Education and newcomer orientation activities have existed in the IETF in various forms from the early 1990s (if not earlier). As the IETF and the world around us evolves, we are now rethinking what types of activities are best suited for the future.

Many individuals have graciously contributed their time to talk about the IETF generally, about the tools that we use in our work, trained working group chairs, and introduced various technical topics. A key activity has been the Sunday orientation sessions before our meetings begin, but there’s also a wealth of material at the team’s web site. Many presentations have been held in different languages, and information about the IETF (such as the Tao) also exists in many languages. In the last couple of years, we have also launched the mentoring program, pairing new participants with more experienced ones. There are also related activities, such as the ISOC Fellow and Policy programs, drawing in additional people to IETF meetings.

All this has made a big impact, but of course we must also continuously evaluate what methods work best. At the same time we are looking for new blood for the team.

Our crystal ball for the future says that we will see more and more

  • mixing of product prototyping, open source, and standards  efforts in various ways
  • collaboration and information being over the Internet
  • participants that employ remote participation
  • working methods that follow the same trends as general Internet usage

A newcomer’s orientation at the meeting is still very useful; we often get several hundred new participants in our meetings. However, perhaps the focus of our efforts should be elsewhere. How do we cater for the open source developer who has not been to the IETF before, but wants to publish a YANG data model as an RFC? He is on a mission to implement a feature, and waiting for the next meeting may be a burden. Can we do something to enable people to join IETF efforts with a lower level of effort, or with more targeted help for their specific circumstances? And can we provide our educational efforts in a modern Internet fashion? And can we employ economies of scale, so that we would only have to do things once and then they can be replicated many times?

We have several initial ideas for improvements. The first idea is that everything we do should be on video; it is much easier to convince someone to speak about a topic once than to commit to a series. Once recorded in high quality fashion, anything that we do will build up a library of material that can be used over and over again. And viewed by anyone, including those busy people who may not have time to attend a session on Sundays. And delivered on a modern Internet platform, these videos can be easily distributed and shared and pointed to, without much effort from the IETF’s side.

The second idea is to focus on more targeted topics. Previously, we’ve used most of our resources on fairly generic, broad topics, such as the overall IETF orientation. Could we have 5-10 minute videos on how to submit a data model to the IETF or what the UTA working group is doing?

As noted, these are initial ideas and we need to think about how well they would work. But I’m sure there is a lot we could do, and we would love to get your feedback on this topic. Would education in a webinar form be interesting? Should we poll the IETF community about the topics they see as useful? Could we get working groups to explain “how we got here” about their successful projects, for others to learn?

Similarly, having run the popular mentoring program for a couple of years, it is time to evaluate what works well and what new things we could perhaps do. One potential organisational idea is that there should be just one team taking care of all our education and mentoring efforts.

At IETF-93 in Prague, we will hold a 2-hour session to talk about various ideas that you might have on how to evolve the education and mentoring efforts. Please join our session!

Jari Arkko, IETF Chair, Mirjam Kuehne, EDU Team, and Nalini Elkins, EDU and Mentoring Teams

Code Sprint at IETF-93


We will once again have a Code Sprint in Prague prior to IETF-93.

Please support the tools team with your time and expertise! Or come and build the feature that you always wanted to have :-) The details are as follows:

When: Saturday, July 18, 2015, beginning at 09:30 and running until 18:00

Where: The IETF meeting hotel (Hilton Prague)

What: A bunch of hackers get together to work on code for the IETF data tracker, web site and other tools. Some people may be working on improvements in existing functionality, others may be adding exciting new functionality. All code will become part of the open source IETF tools.

Who: Hopefully you can help :-) Henrik and Robert will be coordinating the efforts. Please support the tools development effort, join the volunteer team and contribute!

Wiki: The wiki for the sprint is at IETF93Sprint.

Sign-up: The sign-up sheet is at IETF93SprintSignUp.


Jari Arkko, IETF Chair

New Ideas for IETF-93

This is a good time to submit more new proposals for the IETF! Our meeting in Prague is coming up in July, and the proposals for new working groups (“Birds-of-a-Feather or BoF sessions”) are due this Friday.

Please contact your Area Director to ask for help and read RFC 5434 for more information on how to create new working groups at the IETF. And remember that BoFs need not always be run to form a working group. They can also be set up to discuss a problem or an idea. In other words, if you believe discussion of an issue within Internet technology would be useful, please propose a session.

And of course, new working groups are usually for bigger and fundamentally new proposals, while much of the ongoing work goes on in the existing working groups. If you have suggestions around any of the protocols that we are currently working on, let the working group know by posting on their mailing list.

Looking forward to seeing you all in Prague!

Jari Arkko, IETF Chair