IETF
sacm@jabber.ietf.org
Tuesday, November 5, 2013
Jon has set the subject to: http://www.ietf.org/proceedings/87/agenda/agenda-87-sacm

GMT+0
[00:39:40] Jon joins the room
[00:43:12] Jon leaves the room
[01:17:36] SACM joins the room
[01:36:18] Tobia Castaldi joins the room
[01:37:57] <SACM> Hello!
[01:38:06] SACM leaves the room
[01:38:21] Lisa Lorenzin joins the room
[01:39:32] <Lisa Lorenzin> Audio stream is good
[01:41:20] Adam Montville joins the room
[01:43:33] <Lisa Lorenzin> Hello!
[01:44:02] <Adam Montville> Hello
[01:44:09] Kazuya Okada joins the room
[01:44:14] Chris Inacio joins the room
[01:44:46] <Chris Inacio> Is anyone remote in the room?
[01:45:02] <Lisa Lorenzin> Yes
[01:46:22] <Chris Inacio> Okay, thanks for letting me know.  (Jabber scribe, just checking.)
[01:46:42] <Tobia Castaldi> Slide 5: WG Status
[01:48:15] <Tobia Castaldi> Current presenter: chairs
[01:48:15] <Tobia Castaldi> Slide 5: WG Status
[01:49:00] satoru.kanno@jabber.org joins the room
[01:49:46] luis nunez joins the room
[01:50:02] Jon Baker joins the room
[01:50:15] Danny joins the room
[01:50:23] <Tobia Castaldi> Presentation stopped
[01:50:46] <Tobia Castaldi> Slide 1: Security Automation and Continuous
[01:51:21] <Lisa Lorenzin> Is this the sacm-1.pdf set?
[01:51:38] <Lisa Lorenzin> So yes :)
[01:51:38] <Tobia Castaldi> Slide 2: Terminology Document
[01:51:54] David Harringotn joins the room
[01:52:03] <Chris Inacio> Good, because I could pull them up that fast
[01:52:14] <Adam Montville> Yes: http://www.ietf.org/proceedings/88/slides/slides-88-sacm-1.pptx
[01:52:38] <Tobia Castaldi> Slide 3: Use Cases Document
[01:52:49] <Tobia Castaldi> FYI a Meetecho session is available at http://www.meetecho.com/ietf88/sacm
[01:53:24] kohei.kasamatsu130 joins the room
[01:53:25] Matt Hansbury joins the room
[01:54:05] <Tobia Castaldi> Slide 4: Use Cases Status -00-
[01:54:43] <Tobia Castaldi> Slide 5: Use Cases Status -01-
[01:55:25] <Tobia Castaldi> Slide 6: Use Cases Status -02-
[01:56:40] <Tobia Castaldi> Slide 7: Use Cases -03-
[01:57:06] <Tobia Castaldi> Slide 8: Use Cases -04-.
[01:57:21] <Tobia Castaldi> Slide 9: Use Cases in -04-
[01:57:28] <Chris Inacio> Slide 12:
[01:57:40] <Tobia Castaldi> Slide 12: Some Use Cases from -01- not in
[01:58:09] David Harringotn leaves the room
[01:58:49] <Tobia Castaldi> Slide 13: Issues
[01:59:05] David Harrington joins the room
[01:59:27] sean.turner@jabber.psg.com joins the room
[01:59:29] <Chris Inacio> Thoughts on if use cases should be simplified on jabber?
[02:00:22] <Lisa Lorenzin> Seems like they could be abstracted - lots of point use cases with many areas of overlap.
[02:01:44] David Harrington leaves the room
[02:01:50] <Chris Inacio> That was echoed in the show of hands in the room.
[02:02:46] <Lisa Lorenzin> Focus on building blocks - more flexible
[02:05:38] dbharrington@comcast.net joins the room
[02:06:07] <Lisa Lorenzin> Is there a format that allows a middle ground? Define the building blocks, then put them together as case scenarios?
[02:07:14] <Lisa Lorenzin> Yes - have our cake & eat it too.
[02:07:30] Chris Inacio wipes brow and smiles then.
[02:07:41] <Lisa Lorenzin> Thanks for representing me so well :)
[02:09:28] jjrh joins the room
[02:10:51] David Harrington joins the room
[02:11:12] Lisa Lorenzin raises hand
[02:11:20] <Jon Baker> i have
[02:11:30] <Danny> i have
[02:11:38] <Chris Inacio> fire away
[02:11:42] <Chris Inacio> getting in line
[02:11:59] <Chris Inacio> and what's your last name?
[02:12:26] <Chris Inacio> sorry, you were commenting that you read it, my bad
[02:12:35] acferen joins the room
[02:13:07] <Danny> Danny Haynes - just letting you know I read it
[02:13:20] <Lisa Lorenzin> (sorry, i'll try to be more clear next time!)
[02:14:33] acferen leaves the room
[02:15:22] <Jon Baker> 2.1 is about providing a defined / standardized format for expressing security guidance
[02:15:32] acferen joins the room
[02:15:39] <Chris Inacio> (is that a question?)
[02:15:42] <Jon Baker> 2.2 is about using that guide in a given environment
[02:16:08] <Jon Baker> sorry.. not really just my statement that the two are different
[02:17:41] <Chris Inacio> Jon: I would agree with those statements.
[02:18:41] <David Harrington> what was her response?
[02:18:54] <David Harrington> It's hard to see from here ;-)
[02:19:11] <Chris Inacio> "yes"
[02:19:19] <Chris Inacio> It is out of scope.
[02:19:22] <Lisa Lorenzin> Response is a different use case from acquisition
[02:19:38] <Lisa Lorenzin> Is it out of scope for the WG, or just for this use case?
[02:19:57] <Chris Inacio> I believe for WG, have to check the charter
[02:20:09] <Tobia Castaldi> Slide 7: Internet-Draft Enterprise Use Cases for S
[02:20:47] <Lisa Lorenzin> yes, looks like charter stops at reporting results
[02:21:00] <Tobia Castaldi> Slide 8: Internet-Draft Enterprise Use Cases for S
[02:21:08] <Chris Inacio> Lisa: yup.
[02:22:07] <Lisa Lorenzin> 2.5 - does that include external signs of infection, or only local / self-reported?
[02:23:02] <Chris Inacio> Lisa: do you want that at the mic (or me to editorialize :) )
[02:24:03] <Lisa Lorenzin> Yes please
[02:24:05] <Adam Montville> Lisa: Can you characterize "external" signs of infection?  Is this in an information sharing context?
[02:24:17] <Chris Inacio> network activity?
[02:24:25] <Lisa Lorenzin> Adam: results from vulnerability scanners / IPS / behavior monitoring
[02:24:28] <Chris Inacio> Will get in line at mic
[02:24:36] <Adam Montville> Thank you.
[02:26:45] <David Harrington> I think both are in charter.
[02:27:33] kohei.kasamatsu130 leaves the room
[02:27:50] <Chris Inacio> i agree that later in the doc we talk about multiple collection methods, but im at the mic next either way
[02:29:43] <Lisa Lorenzin> Is there any good reason to exclude it?
[02:31:35] luis nunez leaves the room
[02:34:30] dbharrington@comcast.net leaves the room
[02:38:02] <David Harrington> I think remediation/mitigation is out of scope for our solution, but not for a use case that needs sack.
[02:38:23] <David Harrington> s/sack/sacm/
[02:38:57] <Chris Inacio> (do you want me to say that at the mic?)
[02:39:07] <David Harrington> yes please.
[02:40:30] <David Harrington> mic: do we want to take it out, or add text that identifies it as an example of usage?
[02:41:16] <David Harrington> yes.
[02:42:18] <Lisa Lorenzin> Mic: this is an example of a scenario, not a use case - would like to see this rewritten to focus on the functional purpose
[02:42:51] <Lisa Lorenzin> So i think i'm saying what Nancy just said
[02:42:54] <Lisa Lorenzin> :)
[02:43:00] <David Harrington> Can you provide text that meet your request?
[02:43:26] <Chris Inacio> If I had only known I could just have told you to put Mic in front of what you want me to say; I would have said that up front!  :)
[02:43:59] <sean.turner@jabber.psg.com> "vulnerability" is in the definitions section
[02:44:05] <sean.turner@jabber.psg.com> r/section/draft
[02:44:11] <Lisa Lorenzin> David: I don't see anything in this use case that differentiates it from the building blocks described before.  So I don't see what its purpose is - hence the request for a rewrite
[02:44:39] <David Harrington> it's a special use case.
[02:44:50] <Lisa Lorenzin> David: If it's just a scenario leveraging the previous use cases, then it seems redundant - but I didn't want to assume that, in case I had missed something unique in the scenario that isn't covered elsewhere.
[02:45:02] <Jon Baker> should the use cases make it clear that we support these different dimensions?
[02:45:56] <David Harrington> the use cases are supposed to drive the requirements; if low-latency support is expected to be a requirement, it would help to document a use case that explains why.
[02:46:40] <Lisa Lorenzin> David: ah, so low-latency is the unique aspect! *lightbulb* Thank you.  I honestly think that gets lost among the other detail... (Either that, or I'm just easily distracted. :) )
[02:46:52] <Chris Inacio> my feeling is that the great thing about building blocks is that you get 250+ things you can build that you never thought of when you built it in the first place, so trying to enumerate all those things might be futile.  With that said, I don't want to remove things that might be enlightening to someone 2 years from now who didn't live this.
[02:48:23] <Chris Inacio> room comment: bumper stickers "It's all posture" coming.
[02:48:42] <Lisa Lorenzin> Want! :)
[02:49:05] <Jon Baker> it is all posture, but it may be important to make it clear that you plan to support this variety of activities
[02:49:14] <Chris Inacio> sounds like stickermule.com time.
[02:49:33] <David Harrington> mic: what we collect might make a diff when choosing a protocol to collect it. netconf is good for collecting config, but not necessarily vulnerability assessments.
[02:49:58] <Jon Baker> @david harrington - great point
[02:50:20] <Jon Baker> the purpose for your information collection might lead you to use different mechanisms
[02:50:26] <Lisa Lorenzin> Mic: external trigger is admin changes the requirements  / internal trigger is endpoint changes status?
[02:51:12] <Lisa Lorenzin> Agree with (Dave?)
[02:53:36] <Lisa Lorenzin> Charter seems more broad than Nancy represents: not just collect & evaluate. Identify endpoints, determine what to assess, collect data, evaluate, report
[02:54:21] <sean.turner@jabber.psg.com> +1 to what David said
[02:55:38] <Chris Inacio> which David?  Harrington or Waltermire?
[02:56:22] <David Harrington> I often go by dbh, if that helps ;-)
[03:01:14] <David Harrington> mic: I recommend doing the "editing session" on the list, so we can reach consensus.
[03:01:50] <David Harrington> and have a paper trail.
[03:01:50] <Tobia Castaldi> Slide 1: SACM Requirements
[03:02:51] <David Harrington> the problem is that people not in attendance don't hear the reasoning behind the changes.
[03:04:07] <David Harrington> let me know when and i'll try (doesn't need to be mic'd)
[03:05:23] <Chris Inacio> I told Dave W to make sure he tells you when the meeting happens.  (I'm sure it won't happen without him, but I'm not as reliable.)
[03:05:53] <David Harrington> thx
[03:05:59] <Chris Inacio> np
[03:06:39] <Chris Inacio> Can everyone hear?
[03:06:49] <David Harrington> ok here.
[03:09:05] <David Harrington> mic: we should use the rfc3444 definitions of info model vs data model.
[03:11:04] <Tobia Castaldi> Slide 3: What is in scope?
[03:13:03] <David Harrington> and reporting?
[03:13:26] <David Harrington> is ascii art cubist?
[03:13:55] <Lisa Lorenzin> dbh: Reporting is explicitly listed as a step in the example in the charter
[03:14:27] <Lisa Lorenzin> dbh: as a "could include, but is not limited to" but I would interpret that to imply that reporting is in scope
[03:16:09] <Jon Baker> mic: wait - it would be in scope, we just might use nea
[03:16:38] <David Harrington> +1; we also might use new, netconf, snmp, and others.
[03:16:51] <Jon Baker> yeah exactly
[03:20:25] <Jon Baker> mic - i think dave w.'s point is that while nea might give us a protocol, it does not cover the representation/format of the configuration information that is collected
[03:20:36] <Jon Baker> or other needed data formats
[03:23:30] <Jon Baker> sometimes how you collect the data matters
[03:24:55] <Jon Baker> mic - we also need to tell the scanner what to look for - aka supply the check list
[03:27:13] <Tobia Castaldi> Slide 4: Architectural Requirements
[03:27:17] <Chris Inacio> jon: i'm standing in line, if your comment gets to obe, let me know
[03:29:40] <Tobia Castaldi> Slide 5: Security Considerations
[03:31:06] <Tobia Castaldi> Slide 6: Next Steps
[03:31:19] <Tobia Castaldi> Presentation stopped
[03:31:40] <Tobia Castaldi> Slide 6: Way Forward
[03:31:48] <Tobia Castaldi> Current presenter: Chairs
[03:31:49] <Tobia Castaldi> Slide 6: Way Forward
[03:33:22] acferen leaves the room
[03:33:25] <David Harrington> mic: is virtual interim something this week? or something between ietf meetings?
[03:33:31] <Lisa Lorenzin> Where does the use cases I-D fit into this? Seems we'd need to finalize that before adopting requirements
[03:35:24] <David Harrington> I expect the use cases won't get finalized any time soon. I expect it will keep changing as we discuss requirements and architecture.
[03:36:20] <David Harrington> (chris can you mic my last comment?)
[03:36:27] <Chris Inacio> dbh: I think Sean Turner answered your question, right?  The meeting this week wouldn't be it.
[03:36:30] <Chris Inacio> I can.
[03:36:43] <David Harrington> yes, sean answered that question.
[03:37:19] <Lisa Lorenzin> Agree with Nancy
[03:39:11] <Adam Montville> Any further comment on dates/timeline in the jabber room?
[03:39:55] <David Harrington> if one, mid-sec seems fine; might prefer multiple virtual interims though.
[03:40:08] <David Harrington> s/mid-sec/mid-dec/
[03:40:09] <Tobia Castaldi> Presentation stopped
[03:40:12] <Lisa Lorenzin> Thanks Chris / Adam / Tobia for your Jabber support!
[03:40:19] <Adam Montville> np.  
[03:40:23] <Chris Inacio> our pleasure
[03:40:29] Kazuya Okada leaves the room
[03:40:30] <Adam Montville> dbh: we might…  
[03:40:53] sean.turner@jabber.psg.com leaves the room
[03:40:54] <David Harrington> ok. bye. enjoy vancouver !
[03:41:07] Adam Montville leaves the room
[03:41:07] <Tobia Castaldi> bye all
[03:41:11] Chris Inacio leaves the room
[03:41:12] <Tobia Castaldi> the session is over
[03:41:22] David Harrington leaves the room
[03:41:27] Lisa Lorenzin leaves the room
[03:42:26] Tobia Castaldi leaves the room
[03:42:31] Matt Hansbury leaves the room
[03:44:21] Danny leaves the room
[03:45:03] satoru.kanno@jabber.org leaves the room
[03:45:26] Jon Baker leaves the room
[04:00:52] jjrh leaves the room
[07:16:38] satoru.kanno@jabber.org joins the room
[15:08:41] sean.turner@jabber.psg.com joins the room
[15:10:33] sean.turner@jabber.psg.com leaves the room
[17:07:33] satoru.kanno@jabber.org leaves the room