2.4.5 G and R for Security Incident Processing (grip)

NOTE: This charter is a snapshot of the 41st IETF Meeting in Los Angeles, California. It may now be out-of-date. Last Modified: 12-Feb-98


Louis Mamakos <louie@uu.net>
Barbara Fraser <byf@cert.org>
K.P. Kossakowski <kpk@cert.dfn.de>

Operations and Management Area Director(s):

John Curran <jcurran@bbn.com>
Michael O'Dell <mo@uu.net>

Operations and Management Area Advisor:

Michael O'Dell <mo@uu.net>

Mailing Lists:

General Discussion: grip-wg@uu.net
To Subscribe: grip-wg-request@uu.net

Description of Working Group:

The full name of this working group is Guidelines and Recommendations for Security Incident Processing.

This working group is co-chartered by the Security Area.

The purpose of the GRIP Working Group is to provide guidelines and recommendations to facilitate the consistent handling of security incidents in the Internet community. Guidelines will address technology vendors, network service providers, and response teams in their roles assisting organizations in resolving security incidents. These relationships are functional and can exist within and across organizational boundaries.

The working group will produce two quality documents:

1) Guidelines for security incident response teams.

2) Guidelines for vendors (this will include both technology producers and network service providers).

Goals and Milestones:

Feb 95


Produce document describing problem statement and document taxonomy/vocabulary. Also cite the Site Security Handbook documents to make clear the relationship and scope between the two working groups and documents.

Feb 95


Produce draft outline for remainder of Response Team Document.



Meet at Danvers IETF to review full Internet-Draft of Response Team Document.

Jun 95


Produce Internet-Draft on Guidelines for vendors.

Jun 95


Produce final version of Response Team Internet-Draft.



Meet at Stockholm IETF. Review vendor Guideline Internet-Draft.

Sep 95


Produce final version of Vendor Guideline Internet-Draft. Submit to IESG for review.


No Request For Comments

Current Meeting Report

Minutes of the G and R for Security Incident Processing (grip) Working Group

Reported by Barbara Fraser

The working group met once during the IETF meeting. The purpose of the meeting was to review the current draft, draft-ietf-grip-isp-04.txt, and to resolve any outstanding issues. Another major purpose was to surface concerns that might prevent the progression of this document.

Neither of the Operations Area ADs was able to attend the meeting, but Jeff Schiller, Security AD, did attend and we were able to discuss the future handling of the document. One major ISP has expressed concern to members of the IESG and to the working group chair that the document includes objectionable recommendations related to business issues. A number of major ISPs were represented in the room and none of them agreed with the concern. Discussion followed, and Jeff recommended that we continue to complete the document. He said he would support progression of the document if the working group reached consensus and the working group chair recommended its progression.

Review proceeded through the document from the start, and during the meeting we were able to review through section 8. The other sections will be discussed on the mailing list. The following changes will be incorporated into the document:

1. The section on handling incidents will be reworked to describe roles and responsibilities of the ISPs and to state that the ISPs should have documented policies and procedures regarding what types of information they will share with whom. Such policies and procedures should be made available to all subscribers. The document will not state that any particular type of information should be shared since this will be impacted by each ISP's particular environment. The important point is that the ISP should articulate exactly what information is being shared so that the subscribers are aware.

2. The section describing recommendations on mail relays will track with the work being done in a <fill in the draft number and working group>

3. There was discussion concerning ingress and egress filtering, and there was again consensus that these were sound recommendations, so no changes will be made to this section. In a related and interesting discussion, members of the group described various laws, either already passed or in draft, that make header forging illegal. Such a law has already been passed in Sweden and offenders have already been successfully prosecuted.

4. The section describing XTND XMIT and SMTP AUTH will also track other related work in the IETF.

The document editor will make the changes and submit a new (hopefully final) draft to IDs. The group also decided to float the draft to as many ISPs and other knowledgeable folks outside the working group as possible, to actively solicit review prior to submitting it to the IESG.


None Received
