Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: July 23, 2005                                     Cisco Systems
                                                        January 22, 2005

              Security Best Practices Efforts and Documents
                     draft-ietf-opsec-efforts-00.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 23, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
     3.1   ATIS Telecom Glossary 2000
     3.2   Critical Infrastructure Glossary of Terms and Acronyms
     3.3   Internet Security Glossary - RFC 2828
     3.4   Compendium of Approved ITU-T Security Definitions
     3.5   Microsoft Solutions for Security Glossary
     3.6   SANS Glossary of Security Terms
     3.7   USC InfoSec Glossary
   4.  Standards Developing Organizations
     4.1   3GPP - Third Generation Partnership Project
     4.2   3GPP2 - Third Generation Partnership Project 2
     4.3   ANSI - The American National Standards Institute
     4.4   ATIS - Alliance for Telecommunications Industry Solutions
       4.4.1   ATIS Network Performance, Reliability and Quality of
               Service Committee, formerly T1A1
       4.4.2   ATIS Network Interface, Power, and Protection
               Committee, formerly T1E1
       4.4.3   ATIS Telecom Management and Operations Committee,
               formerly T1M1 OAM&P
       4.4.4   ATIS Ordering and Billing Forum regarding T1M1 O&B
       4.4.5   ATIS Wireless Technologies and Systems Committee,
               formerly T1P1
       4.4.6   ATIS Packet Technologies and Systems Committee,
               regarding T1S1
       4.4.7   ATIS Protocol Interworking Committee, regarding T1S1
       4.4.8   ATIS Optical Transport and Synchronization Committee,
               formerly T1X1
     4.5   CC - Common Criteria
     4.6   DMTF - Distributed Management Task Force, Inc.
     4.7   ETSI - The European Telecommunications Standards Institute
     4.8   GGF - Global Grid Forum
     4.9   IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
     4.10  IETF - The Internet Engineering Task Force
     4.11  INCITS - InterNational Committee for Information
           Technology Standards
     4.12  ISO - The International Organization for Standardization
     4.13  ITU - International Telecommunication Union
       4.13.1  ITU Telecommunication Standardization Sector - ITU-T
       4.13.2  ITU Radiocommunication Sector - ITU-R
       4.13.3  ITU Telecom Development - ITU-D
     4.14  OASIS - Organization for the Advancement of Structured
           Information Standards
     4.15  OIF - Optical Internetworking Forum
     4.16  NRIC - The Network Reliability and Interoperability Council
     4.17  TIA - The Telecommunications Industry Association
     4.18  Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
     5.1   3GPP - TSG SA WG3 (Security)
     5.2   3GPP2 - TSG-S Working Group 4 (Security)
     5.3   American National Standard T1.276-2003 - Baseline
           Security Requirements for the Management Plane
     5.4   DMTF - Security Protection and Management (SPAM)
           Working Group
     5.5   DMTF - User and Security Working Group
     5.6   ATIS Security & Emergency Preparedness Activities
     5.7   ATIS Work-Plan to Achieve Interoperable, Implementable,
           End-To-End Standards and Solutions
     5.8   Common Criteria
     5.9   ETSI
     5.10  GGF Security Area (SEC)
     5.11  Information System Security Assurance Architecture
     5.12  Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements
     5.13  INCITS Technical Committee T4 - Security Techniques
     5.14  INCITS Technical Committee T11 - Fibre Channel Interfaces
     5.15  ISO Guidelines for the Management of IT Security - GMITS
     5.16  ISO JTC 1/SC 27
     5.17  ITU-T Study Group 2
     5.18  ITU-T Recommendation M.3016
     5.19  ITU-T Recommendation X.805
     5.20  ITU-T Study Group 16
     5.21  ITU-T Study Group 17
     5.22  Catalogue of ITU-T Recommendations related to
           Communications System Security
     5.23  ITU-T Security Manual
     5.24  NRIC VI Focus Groups
     5.25  OASIS Security Joint Committee
     5.26  OASIS Security Services TC
     5.27  OIF Implementation Agreements
     5.28  TIA
     5.29  WS-I Basic Security Profile
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   10. References
     10.1  Normative References
     10.2  Informative References
       Authors' Addresses
       Intellectual Property and Copyright Statements

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level of this
   availability to its users, or even improving it.  These SDO efforts
   usually define themselves as "security" efforts.  It is the opinion
   of the authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.  As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  If there are overlaps then there is a potential for conflicts
   and confusion.  This may result in:
      Vendors of networking equipment who are unsure of which standard
      to follow.
      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.
      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.
   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.
   However, the authors do not participate in all SDO efforts and cannot
   know everything that is happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.
      opsec@ops.ietf.org

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistencies in the usage of
   words between standards are unacceptable, as they would prevent a
   reader of two standards from appropriately relating their
   recommendations.  The authors of this document have not reviewed the
   definitions of the words in the listed glossaries, so can offer no
   assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing
   5800-entry, search-enabled hypertext telecommunications glossary
   titled Federal Standard 1037C, Glossary of Telecommunication Terms
   was updated and matured into this glossary, T1.523-2001, Telecom
   Glossary 2000.  This updated glossary was posted on the Web as an
   American National Standard (ANS).

3.2  Critical Infrastructure Glossary of Terms and Acronyms

   http://www.ciao.gov/ciao_document_library/glossary/a.htm

   The Critical Infrastructure Assurance Office (CIAO) was created to
   coordinate the Federal Government's initiatives on critical
   infrastructure assurance.  While the glossary was not created as a
   glossary specifically for security terms, it is populated with many
   security related definitions, abbreviations, organizations, and
   concepts.

3.3  Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."  The glossary distinguishes
   the listed definitions throughout the document as being:
   o  a recommended Internet definition
   o  a recommended non-Internet definition
   o  not recommended as the first choice for Internet documents but
      something that an author of an Internet document would need to
      know
   o  a definition that shouldn't be used in Internet documents
   o  additional commentary or usage guidance

3.4  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html
   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

3.5  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary/

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security.  This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

3.6  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.7  USC InfoSec Glossary

   http://www.usc.edu/org/infosec/resources/glossary_a.html

   A glossary of Information Systems security terms compiled by the
   University of Southern California Office of Information Security.

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1  3GPP - Third Generation Partnership Project

   http://www.3gpp.org

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP.  The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC.  In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

4.3  ANSI - The American National Standards Institute

   http://www.ansi.org

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity
   assessment system.  ANSI was founded October 19, 1918.

4.4  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach.  Committee
   T1 as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004.  ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs.  Due to the reorganization, some groups may have
   a new mission and scope statement.

4.4.1  ATIS Network Performance, Reliability and Quality of Service
       Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

4.4.2  ATIS Network Interface, Power, and Protection Committee, formerly
       T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

4.4.3  ATIS Telecom Management and Operations Committee, formerly T1M1
       OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

4.4.4  ATIS Ordering and Billing Forum regarding T1M1 O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

4.4.5  ATIS Wireless Technologies and Systems Committee, formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.6  ATIS Packet Technologies and Systems Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.4.7  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.4.8  ATIS Optical Transport and Synchronization Committee, formerly
       T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

4.5  CC - Common Criteria

   http://csrc.nist.gov/cc/

   Note: The URL for the Common Criteria organization was
   http://www.commoncriteria.org/; however, they have elected to take
   their web site offline for the time being.  It is hoped that the
   proper URL will be available before this document becomes an RFC.
   This note will be removed prior to publication as an RFC.

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

4.6  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

4.7  ETSI - The European Telecommunications Standards Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards.  ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17

   http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8  GGF - Global Grid Forum

   http://www.gridforum.org

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of Grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.9  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org

   IEEE is a non-profit, technical professional association of more than
   360,000 individual members in approximately 175 countries.  The IEEE
   produces 30 percent of the world's published literature in electrical
   engineering, computers and control technology through its technical
   publishing, conferences and consensus-based standards activities.

4.10  IETF - The Internet Engineering Task Force

   http://www.ietf.org

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

4.11  INCITS - InterNational Committee for Information Technology
      Standards

   http://www.incits.org

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

4.12  ISO - The International Organization for Standardization

   http://www.iso.org

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system.  ISO
   officially began operations on February 23, 1947.

4.13  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland.  The ITU is comprised of
   three sectors:

4.13.1  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

4.13.2  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

4.13.3  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector.  Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

4.14  OASIS - Organization for the Advancement of Structured
      Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

4.15  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

4.16  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks.  The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

4.17  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products.  TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

4.18  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages.  The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

5.2  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications.  Among its responsibilities TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

5.3  American National Standard T1.276-2003 - Baseline Security
     Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane.  The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.
650 In the telecommunications industry, this access incorporates 651 operation, administration, maintenance, and provisioning for network 652 elements and various supporting systems and databases. Members of 653 the SRWG, from a cross-section of telecommunications carriers and 654 vendors, developed an initial list of security requirements that 655 would allow vendors, government departments and agencies, and service 656 providers to implement a secure telecommunications network management 657 infrastructure. This initial list of security requirements was 658 submitted as a contribution to Committee T1 - Telecommunications, 659 Working Group T1M1.5 for consideration as a standard. The 660 requirements outlined in this document will allow vendors, government 661 departments and agencies, and service providers to implement a secure 662 telecommunications network management infrastructure. 664 Documents: 665 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 667 5.4 DMTF - Security Protection and Management (SPAM) Working Group 669 http://www.dmtf.org/about/committees/spamWGCharter.pdf 671 The Working Group will define a CIM Common Model that addresses 672 security protection and detection technologies, which may include 673 devices and services, and classifies security information, attacks 674 and responses. 676 5.5 DMTF - User and Security Working Group 678 http://www.dmtf.org/about/committees/userWGCharter.pdf 680 The User and Security Working Group defines objects and access 681 methods required for principals - where principals include users, 682 groups, software agents, systems, and organizations. 
684 5.6 ATIS Security & Emergency Preparedness Activities 686 http://www.atis.org/atis/atisinfo/emergency/security_committee_activi 687 ties_T1.htm 689 The link above contains the description of the ATIS Communications 690 Security Model, the scopes of the Technical Subcommittees in relation 691 to the security model, and a list of published documents produced by 692 ATIS addressed to various aspects of network security. 694 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 695 Standards and Solutions 697 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf 698 The ATIS TOPS Security Focus Group has made recommendations on work 699 items needed to be performed by other SDOs. 701 5.8 Common Criteria 703 http://csrc.nist.gov/cc/ 705 Version 1.0 of the CC was completed in January 1996. Based on a 706 number of trial evaluations and an extensive public review, Version 707 1.0 was extensively revised and CC Version 2.0 was produced in April 708 of 1998. This became ISO International Standard 15408 in 1999. The 709 CC Project subsequently incorporated the minor changes that had 710 resulted in the ISO process, producing CC version 2.1 in August 1999. 712 Common Criteria v2.1 contains: 713 Part 1 - Intro & General Model 714 Part 2 - Functional Requirements (including Annexes) 715 Part 3 - Assurance Requirements 717 Documents: Common Criteria V2.1 718 http://csrc.nist.gov/cc/CC-v2.1.html 720 5.9 ETSI 722 http://www.etsi.org 724 The ETSI hosted the ETSI Global Security Conference in late November, 725 2003, which could lead to a standard. 727 Groups related to security located from the ETSI Groups Portal: 728 OCG Security 729 3GPP SA3 730 TISPAN WG7 732 5.10 GGF Security Area (SEC) 734 https://forge.gridforum.org/projects/sec/ 736 The Security Area (SEC) is concerned with various issues relating to 737 authentication and authorization in Grid environments. 
739 Working groups: 740 Authorization Frameworks and Mechanisms WG (AuthZ-WG) - 741 https://forge.gridforum.org/projects/authz-wg 742 Certificate Authority Operations Working Group (CAOPS-WG) - 743 https://forge.gridforum.org/projects/caops-wg 744 OGSA Authorization Working Group (OGSA-AUTHZ) - 745 https://forge.gridforum.org/projects/ogsa-authz 746 Grid Security Infrastructure (GSI-WG) - 747 https://forge.gridforum.org/projects/gsi-wg 749 5.11 Information System Security Assurance Architecture 751 IEEE Working Group - http://issaa.org/ 753 Formerly the Security Certification and Accreditation of Information 754 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft 755 Standard for Information System Security Assurance Architecture for 756 ballot and during the process begin development of a suite of 757 associated standards for components of that architecture. 759 Documents: http://issaa.org/documents/index.html 761 5.12 Operational Security Requirements for IP Network Infrastructure : 762 Advanced Requirements 764 IETF Internet-Draft 766 Abstract: This document defines a list of operational security 767 requirements for the infrastructure of large ISP IP networks (routers 768 and switches). A framework is defined for specifying "profiles", 769 which are collections of requirements applicable to certain network 770 topology contexts (all, core-only, edge-only...). The goal is to 771 provide network operators a clear, concise way of communicating their 772 security requirements to vendors. 774 Documents: 775 http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt 777 5.13 INCITS Technical Committee T4 - Security Techniques 779 http://www.incits.org/tc_home/t4.htm 781 Technical Committee T4, Security Techniques, participates in the 782 standardization of generic methods for information technology 783 security. 
This includes development of: security techniques and 784 mechanisms; security guidelines; security evaluation criteria; and 785 identification of generic requirements for information technology 786 system security services. 788 5.14 INCITS Technical Committee T11 - Fibre Channel Interfaces 790 http://www.t11.org/index.htm 792 T11 is responsible for standards development in the areas of 793 Intelligent Peripheral Interface (IPI), High-Performance Parallel 794 Interface (HIPPI) and Fibre Channel (FC). T11 has a project called 795 FC-SP to define Security Protocols for Fibre Channel. 797 FC-SP Project Proposal: 798 ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf 800 5.15 ISO Guidelines for the Management of IT Security - GMITS 802 Guidelines for the Management of IT Security -- Part 1: Concepts and 803 models for IT Security 805 http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER 806 =21733&ICS1=35 808 Guidelines for the Management of IT Security -- Part 2: Managing and 809 planning IT Security 811 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE 812 R=21755&ICS1=35&ICS2=40&ICS3= 814 Guidelines for the Management of IT Security -- Part 3: Techniques 815 for the management of IT Security 817 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE 818 R=21756&ICS1=35&ICS2=40&ICS3= 820 Guidelines for the Management of IT Security -- Part 4: Selection of 821 safeguards 823 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE 824 R=29240&ICS1=35&ICS2=40&ICS3= 826 Guidelines for the Management of IT Security - Part 5: Management 827 guidance on network security 829 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE 830 R=31142&ICS1=35&ICS2=40&ICS3= 832 Open Systems Interconnection -- Network layer security protocol 834 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBE 835 R=22084&ICS1=35&ICS2=100&ICS3=30 837 5.16 ISO JTC 1/SC 27 839 
http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/TechnicalP 840 rogrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 841 Several security related ISO projects under JTC 1/SC 27 are listed 842 here such as: 843 IT security techniques -- Entity authentication 844 Security techniques -- Key management 845 Security techniques -- Evaluation criteria for IT security 846 Security techniques -- A framework for IT security assurance 847 IT Security techniques -- Code of practice for information 848 security management 849 Security techniques -- IT network security 850 Guidelines for the implementation, operation and management of 851 Intrusion Detection Systems (IDS) 852 International Security, Trust, and Privacy Alliance -- Privacy 853 Framework 855 5.17 ITU-T Study Group 2 857 http://www.itu.int/ITU-T/studygroups/com02/index.asp 859 Security related recommendations currently under study: 860 E.408 Telecommunication networks security requirements Q.5/2 861 (was E.sec1) 862 E.409 Incident Organisation and Security Incident Handling 863 Q.5/2 (was E.sec2) 865 Note: Access requires TIES account. 867 5.18 ITU-T Recommendation M.3016 869 http://www.itu.int/itudoc/itu-t/com4/contr/068.html 871 This recommendation provides an overview and framework that 872 identifies the security requirements of a TMN and outlines how 873 available security services and mechanisms can be applied within the 874 context of the TMN functional architecture. 876 Question 18 of Study Group 3 is revising Recommendation M.3016. They 877 have taken the original document and are incorporating thoughts from 878 ITU-T Recommendation X.805 and from ANSI T1.276-2003. This will 879 produce a series of documents. 880 Overview 881 Requirements 882 Services 883 Mechanisms 884 Profiles 886 This document will be discussed at the ITU meetings in February 2005. 
888 5.19 ITU-T Recommendation X.805 890 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html 892 This Recommendation defines the general security-related 893 architectural elements that, when appropriately applied, can provide 894 end-to-end network security. 896 5.20 ITU-T Study Group 16 898 http://www.itu.int/ITU-T/studygroups/com16/index.asp 900 Security of Multimedia Systems and Services - Question G/16 902 http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html 904 5.21 ITU-T Study Group 17 906 http://www.itu.int/ITU-T/studygroups/com17/index.asp 908 ITU-T Study Group 17 is the Lead Study Group on Communication System 909 Security 911 http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html 913 Study Group 17 Security Project: 915 http://www.itu.int/ITU-T/studygroups/com17/security/index.html 917 During its November 2002 meeting, Study Group 17 agreed to establish 918 a new project entitled "Security Project" under the leadership of 919 Q.10/17 to coordinate the ITU-T standardization effort on security. 920 An analysis of the status on ITU-T Study Group action on information 921 and communication network security may be found in TSB Circular 147 922 of 14 February 2003. 924 5.22 Catalogue of ITU-T Recommendations related to Communications 925 System Security 927 http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html 929 The Catalogue of the approved security Recommendations includes those 930 designed for security purposes and those which describe or use 931 functions of security interest and need. Although some of the 932 security related Recommendations include the phrase "Open Systems 933 Interconnection", much of the information contained in them is 934 pertinent to the establishment of security functionality in any 935 communicating system.
937 5.23 ITU-T Security Manual 939 http://www.itu.int/ITU-T/edh/files/security-manual.pdf 941 TSB is preparing an "ITU-T Security Manual" to provide an overview on 942 security in telecommunications and information technologies, describe 943 practical issues, and indicate how the different aspects of security 944 in today's applications are addressed by ITU-T Recommendations. This 945 manual has a tutorial character: it collects security related 946 material from ITU-T Recommendations into one place and explains the 947 respective relationships. The intended audience for this manual is 948 engineers and product managers, students and academia, as well as 949 regulators who want to better understand security aspects in 950 practical applications. 952 5.24 NRIC VI Focus Groups 954 http://www.nric.org/fg/index.html 956 The Network Reliability and Interoperability Council (NRIC) was 957 formed with the purpose to provide recommendations to the FCC and to 958 the industry to assure the reliability and interoperability of 959 wireless, wireline, satellite, and cable public telecommunications 960 networks. These documents provide general information and guidance 961 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the 962 prevention of cyberattack and for restoration following a 963 cyberattack. 965 Documents: 966 Homeland Defense - Recommendations Published 14-Mar-03 967 Preventative Best Practices - Recommendations Published 14-Mar-03 968 Recovery Best Practices - Recommendations Published 14-Mar-03 969 Best Practice Appendices - Recommendations Published 14-Mar-03 971 5.25 OASIS Security Joint Committee 973 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security-j 974 c 976 The purpose of the Security JC is to coordinate the technical 977 activities of multiple security related TCs. The SJC is advisory 978 only, and has no deliverables. 
The Security JC will promote the use 979 of consistent terms, promote re-use, champion an OASIS security 980 standards model, provide consistent PR, and promote mutuality, 981 operational independence and ethics. 983 5.26 OASIS Security Services TC 985 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security 987 The Security Services TC is working to advance the Security Assertion 988 Markup Language (SAML) as an OASIS standard. SAML is an XML 989 framework for exchanging authentication and authorization 990 information. 992 5.27 OIF Implementation Agreements 994 The OIF has 2 approved Implementation Agreements (IAs) relating to 995 security. They are: 997 OIF-SMI-01.0 - Security Management Interfaces to Network Elements 999 This Implementation Agreement lists objectives for securing OAM&P 1000 interfaces to a Network Element and then specifies ways of using 1001 security systems (e.g., IPsec or TLS) for securing these interfaces. 1002 It summarizes how well each of the systems, used as specified, 1003 satisfies the objectives. 1005 OIF - SEP - 01.1 - Security Extension for UNI and NNI 1007 This Implementation Agreement defines a common Security Extension for 1008 securing the protocols used in UNI 1.0, UNI 2.0, and NNI. 1010 Documents: http://www.oiforum.com/public/documents/Security-IA.pdf 1012 5.28 TIA 1014 The TIA has produced the "Compendium of Emergency Communications and 1015 Communications Network Security-related Work Activities". This 1016 document identifies standards, or other technical documents and 1017 ongoing Emergency/Public Safety Communications and Communications 1018 Network Security-related work activities within TIA and its 1019 Engineering Committees. Many P25 documents are specifically 1020 detailed. This "living document" is presented for information, 1021 coordination and reference.
1023 Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf 1025 5.29 WS-I Basic Security Profile 1027 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html 1029 The WS-I Basic Security Profile 1.0 consists of a set of 1030 non-proprietary Web services specifications, along with 1031 clarifications and amendments to those specifications which promote 1032 interoperability. 1034 6. Security Considerations 1036 This document describes efforts to standardize security practices and 1037 documents. As such this document offers no security guidance 1038 whatsoever. 1040 Readers of this document should be aware of the date of publication 1041 of this document. It is feared that they may assume that the 1042 efforts, on-line material, and documents are current whereas they may 1043 not be. Please consider this when reading this document. 1045 7. IANA Considerations 1047 This Internet Draft does not propose a standard but is trying to pull 1048 together information about the security related efforts of all 1049 Standards Developing Organizations and some other efforts which 1050 provide good security methods, practices or recommendations. 1052 8. Acknowledgments 1054 The following people have contributed to this document. Listing 1055 their names here does not mean that they endorse the document, but 1056 that they have contributed to its substance. 1058 David Black, Mark Ellison, George Jones, Keith McCloghrie, John 1059 McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer. 1061 9. Changes from Prior Drafts 1063 -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt 1065 -01 : Security Glossaries: 1067 Added ATIS Telecom Glossary 2000, Critical Infrastructure 1068 Glossary of Terms and Acronyms, Microsoft Solutions for 1069 Security Glossary, and USC InfoSec Glossary.
1070 Standards Developing Organizations: 1071 Added DMTF, GGF, INCITS, OASIS, and WS-I 1072 Removal of Committee T1 and modifications to ATIS and former T1 1073 technical subcommittees due to the recent ATIS reorganization. 1074 Efforts and Documents: 1075 Added DMTF User and Security WG, DMTF SPAM WG, GGF Security 1076 Area (SEC), INCITS Technical Committee T4 - Security 1077 Techniques, INCITS Technical Committee T11 - Fibre Channel 1078 Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint 1079 Committee, OASIS Security Services TC, and WS-I Basic Security 1080 Profile. 1081 Updated Operational Security Requirements for IP Network 1082 Infrastructure : Advanced Requirements. 1084 -00 : as the WG ID 1085 Added more information about the ITU-T SG3 Q18 effort to modify 1086 ITU-T Recommendation M.3016. 1088 Note: This section will be removed before publication as an RFC. 1090 10. References 1092 10.1 Normative References 1094 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1095 Levels", RFC 2119, STD 14, March 1997. 1097 10.2 Informative References 1099 [2] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA 1100 Considerations Section in RFCs", RFC 2869, BCP 26, October 1998. 1102 Authors' Addresses 1104 Chris Lonvick 1105 Cisco Systems 1106 12515 Research Blvd. 1107 Austin, Texas 78759 1108 US 1110 Phone: +1 512 378 1182 1111 EMail: clonvick@cisco.com 1113 David Spak 1114 Cisco Systems 1115 12515 Research Blvd. 
1116 Austin, Texas 78759 1117 US 1119 Phone: +1 512 378 1720 1120 EMail: dspak@cisco.com 1122 Intellectual Property Statement 1124 The IETF takes no position regarding the validity or scope of any 1125 Intellectual Property Rights or other rights that might be claimed to 1126 pertain to the implementation or use of the technology described in 1127 this document or the extent to which any license under such rights 1128 might or might not be available; nor does it represent that it has 1129 made any independent effort to identify any such rights. Information 1130 on the procedures with respect to rights in RFC documents can be 1131 found in BCP 78 and BCP 79. 1133 Copies of IPR disclosures made to the IETF Secretariat and any 1134 assurances of licenses to be made available, or the result of an 1135 attempt made to obtain a general license or permission for the use of 1136 such proprietary rights by implementers or users of this 1137 specification can be obtained from the IETF on-line IPR repository at 1138 http://www.ietf.org/ipr. 1140 The IETF invites any interested party to bring to its attention any 1141 copyrights, patents or patent applications, or other proprietary 1142 rights that may cover technology that may be required to implement 1143 this standard. Please address the information to the IETF at 1144 ietf-ipr@ietf.org. 1146 Disclaimer of Validity 1148 This document and the information contained herein are provided on an 1149 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1150 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1151 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1152 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1153 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1154 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1156 Copyright Statement 1158 Copyright (C) The Internet Society (2005). 
This document is subject 1159 to the rights, licenses and restrictions contained in BCP 78, and 1160 except as set forth therein, the authors retain all their rights. 1162 Acknowledgment 1164 Funding for the RFC Editor function is currently provided by the 1165 Internet Society.