Wednesday Morning Session 0900-1130 - Continental

Take & Alexey chairing with Dave
Note taker: Sean Turner
Jabber scribe: Chris Inacio

Agenda Bash

--------------------------------
Updates
--------------------------------
http://www.ietf.org/proceedings/92/slides/slides-92-mile-0.pdf

5070-bis - WGLC before next meeting. Maybe having a (virtual) interim to address any LC comments.
Enum reference about to be published.
Implementation draft is the next target of opportunity. Will need Apps review.
Darknet draft - not many updates but.
Guidance draft - time to get famous; if you want to author, talk to the chairs.

--------------------------------
Guidance Draft
--------------------------------
http://www.ietf.org/proceedings/92/slides/slides-92-mile-1.pdf

Time to pay attention to this draft now that we're about done with 5070-bis.
Basic idea is to profile the use of IODEF to those fields that are actually used.
Draft is still in early stages, so bring on the comments!!
Kathleen: Author is looking for more than just comments; they're looking for contributions.

--------------------------------
5070-bis
--------------------------------
http://www.ietf.org/proceedings/92/slides/slides-92-mile-3.pdf

This draft is about exchanging info between CSIRTs (computer security incident reports & cyber security indicators).
One draft since Hawaii.
Use the tracker to drive the draft to closure. If you think we missed something, you need to speak up: either tell the list, the author, or the chairs.
There are differences between v1 and v2, but the draft explicitly calls these out.
Language tags are going to be something we need to figure out. Why not just use xml:lang? Decided to just switch to the standard mechanism.
Translations - support multiple transcriptions and then magic would happen to figure out which was the translation; added an explicit identifier to indicate which is the translation, and they all share the same translation identifier.
Also needed: MLString was abused, and in certain classes it didn't make sense, so they got switched back to xs:string. All places where the MLStringType is used also needed to support multiple values.

Extending Attributes was a big topic of discussion in Hawaii. Just gonna use IANA registries? Decided we want both public and private extensions - now the -11 language supports this.
Alexey: What happens if somebody does a private extension and then decides to make it more popular; do you need to update the schema?
Kathleen: Private means it's just not published.
Daisuke: This will help when we transition from v1 to v2.
Kathleen: Use the same language, but if you see a problem speak up.
Adam: Is there a way they'd go about sharing it?
Roman: How do we deal with collisions?
Bob: Please don't use standard vs non-standard! Could use IANA vs vendor-id; that's just fine.
Kathleen: Did some examples with format id and she's willing to share.
Eric: Bob's right. Need some text to address this, and maybe we could use the format attribute?

New attribute for workflow support, i.e., status. Why can't we use the media type registry? Not sure, so just added that.

Outstanding issues:
- Examples need work, but that makes sense because doing the examples before we're done would have been a total waste of time.
- RelatedDNS
- Missing stuff
- iodef:SoftwareType

Some activity on the list about this topic: SWID vs CPE. Time to pick:
- OVAL
- SWID
- Do nothing
- Support multiple
Sean explained his thinking from the list.
Kathleen & Dave + John Field: +1 to what Sean said at the mic.
Adam: It'll be useful for SACM as well.
Dave: Are we talking a new registry or a new registry?
Roman: Looking at a different registry.
Adam: Thinking it could go the other way. Taking it to the list.
Take: What's the rationale for a new registry?
Roman: Each one of the enum classes uses a new registry - so we'd need to define a new registry.
Dave: Regardless of what we do - we're going to need a draft to instruct IANA on what to do.
Take: If it's expert review, do we need a draft?
Alexey: No need for a draft if there's nothing to do.

Looking for input on final presentation of things like the schema.
Kathleen: Can we get some volunteers to comb the UML and the schema?

RelatedDNS: describes, for lack of a better description, A records. What we don't have is the representation of the different DNS fields. Not on the list is just the dig output. Should we do this or punt?
Punt on #3: AdditionalData.
Sean: What's the status of the JSON draft?
Roman: It's experimental.
Chris: Isn't option 4 the way to go? We're just being lazy to do the work. Somebody tell me I'm wrong.
Kathleen: Operators are using this stuff; we can't just leave it out!
Chris: Agreed, do the work to make the XML representation.

Cause of incident: Is weakness sufficient? Do we want anything different?
Alexey: Roman made a compelling case to use the reference approach.
Take: Maybe we should use CWE through ENUM.
No interest in defining our own dictionaries.

Not on slides but on the mailing list:
- Need 10s of 10Ks; not excited to wrap each one - can't we have one tag for the big list? Maybe bulk observables?
- Counter is particular rates - would be nice to carry pgates and averages?
- Can observe the protocol port # but not the actual protocol being used?
Alexey: Is there an unpublished version?
Roman: Yes.
Alexey: Will look to do WGLC before Prague, maybe in April.

--------------------------------
MILE Implementation Report:
--------------------------------
http://www.ietf.org/proceedings/92/slides/slides-92-mile-2.pdf

Got input from some implementations:
- iodeflib - open source modules written in Python - designed to be as simple as possible
- iodef.pm - open source Perl
- ns6dk - another open source implementation
- eCRISP - been using IODEF
- REN-ISAC - supported
Sean: Cool! Just don't wait for everyone on the planet to try to respond; at some point decide to just publish.
--------------------------------
ROLIE - draft-ietf-mile-rolie:
--------------------------------
http://www.ietf.org/proceedings/92/slides/slides-92-mile-4.pdf

Motivated by a POC implementation; the key lesson learned was to do a REST-based solution:
- Makes it easier to share.
- Avoids operational considerations between sharing parties.
- Leverages IdM solutions.
- Avoids requirements for distributed policy enforcement.
- Loose coupling, scalability.
Not intended to replace what we have, rather to augment it.
Bob: How many things can he post to fill up your database? How do you mitigate the DDoS attack?
John: Rely on IdM solutions: clients will be authorized.
Kathleen: REST was the most common interface - maybe because they didn't know about.
Sean: At NANOG there's a ton of requests for something that's easier.
John: This might be a way to get people in the door because it's easier and then get them to do more later.

Wrapping up an hour early.