Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: January 8, 2006                                   Cisco Systems
                                                            July 7, 2005

             Security Best Practices Efforts and Documents
                    draft-ietf-opsec-efforts-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 8, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
     3.1  ATIS Telecom Glossary 2000
     3.2  Critical Infrastructure Glossary of Terms and Acronyms
     3.3  Internet Security Glossary - RFC 2828
     3.4  Compendium of Approved ITU-T Security Definitions
     3.5  Microsoft Solutions for Security Glossary
     3.6  SANS Glossary of Security Terms
     3.7  USC InfoSec Glossary
   4.  Standards Developing Organizations
     4.1  3GPP - Third Generation Partnership Project
     4.2  3GPP2 - Third Generation Partnership Project 2
     4.3  ANSI - The American National Standards Institute
     4.4  ATIS - Alliance for Telecommunications Industry
          Solutions
       4.4.1  ATIS Network Performance, Reliability and Quality
              of Service Committee, formerly T1A1
       4.4.2  ATIS Network Interface, Power, and Protection
              Committee, formerly T1E1
       4.4.3  ATIS Telecom Management and Operations Committee,
              formerly T1M1 OAM&P
       4.4.4  ATIS Ordering and Billing Forum regarding T1M1 O&B
       4.4.5  ATIS Wireless Technologies and Systems Committee,
              formerly T1P1
       4.4.6  ATIS Packet Technologies and Systems Committee,
              formerly T1S1
       4.4.7  ATIS Protocol Interworking Committee, regarding T1S1
       4.4.8  ATIS Optical Transport and Synchronization
              Committee, formerly T1X1
     4.5  CC - Common Criteria
     4.6  DMTF - Distributed Management Task Force, Inc.
     4.7  ETSI - The European Telecommunications Standard
          Institute
     4.8  GGF - Global Grid Forum
     4.9  IEEE - The Institute of Electrical and Electronics
          Engineers, Inc.
     4.10  IETF - The Internet Engineering Task Force
     4.11  INCITS - InterNational Committee for Information
           Technology Standards
     4.12  INCITS Technical Committee T11 - Fibre Channel
           Interfaces
     4.13  ISO - The International Organization for
           Standardization
     4.14  ITU - International Telecommunication Union
       4.14.1  ITU Telecommunication Standardization Sector -
               ITU-T
       4.14.2  ITU Radiocommunication Sector - ITU-R
       4.14.3  ITU Telecom Development - ITU-D
     4.15  OASIS - Organization for the Advancement of
           Structured Information Standards
     4.16  OIF - Optical Internetworking Forum
     4.17  NRIC - The Network Reliability and Interoperability
           Council
     4.18  National Security Telecommunications Advisory
           Committee (NSTAC)
     4.19  TIA - The Telecommunications Industry Association
     4.20  Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
     5.1  3GPP - TSG SA WG3 (Security)
     5.2  3GPP2 - TSG-S Working Group 4 (Security)
     5.3  American National Standard T1.276-2003 - Baseline
          Security Requirements for the Management Plane
     5.4  DMTF - Security Protection and Management (SPAM)
          Working Group
     5.5  DMTF - User and Security Working Group
     5.6  ATIS Security & Emergency Preparedness Activities
     5.7  ATIS Work-Plan to Achieve Interoperable, Implementable,
          End-To-End Standards and Solutions
       5.7.1  ATIS Work on Packet Filtering
     5.8  ATIS Work on the NGN
     5.9  Common Criteria
     5.10  ETSI
     5.11  GGF Security Area (SEC)
     5.12  Information System Security Assurance Architecture
     5.13  Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements
     5.14  INCITS Technical Committee T4 - Security Techniques
     5.15  INCITS CS1 - Cyber Security
     5.16  ISO Guidelines for the Management of IT Security -
           GMITS
     5.17  ISO JTC 1/SC 27
     5.18  ITU-T Study Group 2
     5.19  ITU-T Recommendation M.3016
     5.20  ITU-T Recommendation X.805
     5.21  ITU-T Study Group 16
     5.22  ITU-T Study Group 17
     5.23  Catalogue of ITU-T Recommendations related to
           Communications System Security
     5.24  ITU-T Security Manual
     5.25  ITU-T NGN Effort
     5.26  NRIC VI Focus Groups
     5.27  OASIS Security Joint Committee
     5.28  OASIS Security Services TC
     5.29  OIF Implementation Agreements
     5.30  TIA
     5.31  WS-I Basic Security Profile
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   10.  References
     10.1  Normative References
     10.2  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply. Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.
   For this reason, many SDOs are developing
   standards with hopes of retaining, or even improving, an acceptable
   level of availability to its users. These SDO efforts usually
   define themselves as "security" efforts. It is the opinion of the
   authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways. As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works. If there are overlaps then there is a potential for conflicts
   and confusion. This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations. In many cases, the authors are aware that the SDOs
   are making good efforts along these lines. However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter. The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security. It
   is very important that the definitions of words relating to security
   and security events be consistent. Inconsistencies between standards
   in the usage of words are unacceptable, as they would prevent a
   reader of two standards from appropriately relating their
   recommendations. The authors of this document have not reviewed the
   definitions of the words in the listed glossaries and so can offer no
   assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing
   5800-entry, search-enabled hypertext telecommunications glossary
   titled Federal Standard 1037C, Glossary of Telecommunication Terms
   was updated and matured into this glossary, T1.523-2001, Telecom
   Glossary 2000. This updated glossary was posted on the Web as an
   American National Standard (ANS).

3.2  Critical Infrastructure Glossary of Terms and Acronyms

   http://www.ciao.gov/ciao_document_library/glossary/a.htm

   The Critical Infrastructure Assurance Office (CIAO) was created to
   coordinate the Federal Government's initiatives on critical
   infrastructure assurance.
   While the glossary was not created as a
   glossary specifically for security terms, it is populated with many
   security related definitions, abbreviations, organizations, and
   concepts.

3.3  Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security." The glossary makes the
   distinction of the listed definitions throughout the document as
   being:

   o  a recommended Internet definition

   o  a recommended non-Internet definition

   o  not recommended as the first choice for Internet documents but
      something that an author of an Internet document would need to
      know

   o  a definition that shouldn't be used in Internet documents

   o  additional commentary or usage guidance

3.4  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

3.5  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary/

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security. This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

3.6  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms. The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.7  USC InfoSec Glossary

   http://www.usc.edu/org/infosec/resources/glossary_a.html

   A glossary of Information Systems security terms compiled by the
   University of Southern California Office of Information Security.

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards. These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions. This
   note will be removed before publication as an RFC.

4.1  3GPP - Third Generation Partnership Project

   http://www.3gpp.org

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998. The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners". The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP. The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

4.3  ANSI - The American National Standards Institute

   http://www.ansi.org

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity assessment
   system. ANSI was founded October 19, 1918.

4.4  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach. Committee T1
   as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004. ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs. Due to the reorganization, some groups may have
   a new mission and scope statement.

4.4.1  ATIS Network Performance, Reliability and Quality of Service
       Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

4.4.2  ATIS Network Interface, Power, and Protection Committee, formerly
       T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

4.4.3  ATIS Telecom Management and Operations Committee, formerly T1M1
       OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

4.4.4  ATIS Ordering and Billing Forum regarding T1M1 O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

4.4.5  ATIS Wireless Technologies and Systems Committee, formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.6  ATIS Packet Technologies and Systems Committee, formerly T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. PTSC is responsible for producing standards to secure
   signalling.

   The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
   at this time. It is expected to move to an ANSI standard.

4.4.7  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.4.8  ATIS Optical Transport and Synchronization Committee, formerly
       T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

4.5  CC - Common Criteria

   http://csrc.nist.gov/cc/

   Note: The URL for the Common Criteria organization was
   http://www.commoncriteria.org/; however, they have elected to take
   their web site offline for the time being. It is hoped that the
   proper URL will be available before this document becomes an RFC.

   This note will be removed prior to publication as an RFC.

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

4.6  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

4.7  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards. ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17

   http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8  GGF - Global Grid Forum

   http://www.gridforum.org

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing. GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of Grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.9  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org

   IEEE is a non-profit, technical professional association of more than
   360,000 individual members in approximately 175 countries. The IEEE
   produces 30 percent of the world's published literature in electrical
   engineering, computers and control technology through its technical
   publishing, conferences and consensus-based standards activities.

4.10  IETF - The Internet Engineering Task Force

   http://www.ietf.org

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

4.11  INCITS - InterNational Committee for Information Technology
      Standards

   http://www.incits.org

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

4.12  INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

4.13  ISO - The International Organization for Standardization

   http://www.iso.org

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system. ISO
   officially began operations on February 23, 1947.

4.14  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland. The ITU is comprised of
   three sectors:

4.14.1  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

4.14.2  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

4.14.3  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector. Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

4.15  OASIS - Organization for the Advancement of Structured
      Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

4.16  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

4.17  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks. The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

4.18  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982. Since then, the NSTAC has served four
   presidents. Composed of up to 30 industry chief executives
   representing the major communications and network service providers
   and information technology, finance, and aerospace companies, the
   NSTAC provides industry-based advice and expertise to the President
   on issues and problems related to implementing national security and
   emergency preparedness (NS/EP) communications policy.
   Since its
   inception, the NSTAC has addressed a wide range of policy and
   technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

4.19  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products. TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

4.20  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages. The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

663 Specifications: 664 http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm 666 Work Items: 667 http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm 669 3GPP Confidentiality and Integrity algorithms: 670 http://www.3gpp.org/TB/Other/algorithms.htm 672 5.2 3GPP2 - TSG-S Working Group 4 (Security) 674 http://www.3gpp2.org/Public_html/S/index.cfm 676 The Services and Systems Aspects TSG (TSG-S) is responsible for the 677 development of service capability requirements for systems based on 678 3GPP2 specifications. Among its responsibilities TSG-S is addressing 679 management, technical coordination, as well as architectural and 680 requirements development associated with all end-to-end features, 681 services and system capabilities including, but not limited to, 682 security and QoS. 684 TSG-S Specifications: 685 http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs 687 5.3 American National Standard T1.276-2003 - Baseline Security 688 Requirements for the Management Plane 690 Abstract: This standard contains a set of baseline security 691 requirements for the management plane. The President's National 692 Security Telecommunications Advisory Committee Network Security 693 Information Exchange (NSIE) and Government NSIE jointly established a 694 Security Requirements Working Group (SRWG) to examine the security 695 requirements for controlling access to the public switched network, 696 in particular with respect to the emerging next generation network. 698 In the telecommunications industry, this access incorporates 699 operation, administration, maintenance, and provisioning for network 700 elements and various supporting systems and databases. Members of 701 the SRWG, from a cross-section of telecommunications carriers and 702 vendors, developed an initial list of security requirements that 703 would allow vendors, government departments and agencies, and service 704 providers to implement a secure telecommunications network management 705 infrastructure. 
This initial list of security requirements was 706 submitted as a contribution to Committee T1 - Telecommunications, 707 Working Group T1M1.5 for consideration as a standard. The 708 requirements outlined in this document will allow vendors, government 709 departments and agencies, and service providers to implement a secure 710 telecommunications network management infrastructure. 712 Documents: 713 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 715 5.4 DMTF - Security Protection and Management (SPAM) Working Group 717 http://www.dmtf.org/about/committees/spamWGCharter.pdf 719 The Working Group will define a CIM Common Model that addresses 720 security protection and detection technologies, which may include 721 devices and services, and classifies security information, attacks 722 and responses. 724 5.5 DMTF - User and Security Working Group 726 http://www.dmtf.org/about/committees/userWGCharter.pdf 728 The User and Security Working Group defines objects and access 729 methods required for principals - where principals include users, 730 groups, software agents, systems, and organizations. 732 5.6 ATIS Security & Emergency Preparedness Activities 734 http://www.atis.org/atis/atisinfo/emergency/ 735 security_committee_activities_T1.htm 737 The link above contains the description of the ATIS Communications 738 Security Model, the scopes of the Technical Subcommittees in relation 739 to the security model, and a list of published documents produced by 740 ATIS addressed to various aspects of network security. 742 5.7 ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 743 Standards and Solutions 745 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf 746 The ATIS TOPS Security Focus Group has made recommendations on work 747 items needed to be performed by other SDOs. 
749 5.7.1 ATIS Work on Packet Filtering 751 A part of the ATIS Work Plan was to define how disruptions may be 752 prevented by filtering unwanted traffic at the edges of the network. 753 ATIS is developing this work in a document titled, "Traffic Filtering 754 for the Prevention of Unwanted Traffic". 756 5.8 ATIS Work on the NGN 758 http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/ 759 Part%20I/ATIS_NGN_Part_1_Issue1.pdf 761 In November 2004, ATIS released Part I of the ATIS NGN-FG efforts 762 entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN 763 Definitions, Requirements, and Architecture, Issue 1.0, November 764 2004." 766 5.9 Common Criteria 768 http://csrc.nist.gov/cc/ 770 Version 1.0 of the CC was completed in January 1996. Based on a 771 number of trial evaluations and an extensive public review, Version 772 1.0 was extensively revised and CC Version 2.0 was produced in April 773 of 1998. This became ISO International Standard 15408 in 1999. The 774 CC Project subsequently incorporated the minor changes that had 775 resulted in the ISO process, producing CC version 2.1 in August 1999. 777 Common Criteria v2.1 contains: 779 Part 1 - Intro & General Model 781 Part 2 - Functional Requirements (including Annexes) 783 Part 3 - Assurance Requirements 785 Documents: Common Criteria V2.1 786 http://csrc.nist.gov/cc/CC-v2.1.html 788 5.10 ETSI 790 http://www.etsi.org 792 The ETSI hosted the ETSI Global Security Conference in late November, 793 2003, which could lead to a standard. 795 Groups related to security located from the ETSI Groups Portal: 797 OCG Security 799 3GPP SA3 801 TISPAN WG7 803 5.11 GGF Security Area (SEC) 805 https://forge.gridforum.org/projects/sec/ 807 The Security Area (SEC) is concerned with various issues relating to 808 authentication and authorization in Grid environments. 
810 Working groups: 812 Authorization Frameworks and Mechanisms WG (AuthZ-WG) - 813 https://forge.gridforum.org/projects/authz-wg 815 Certificate Authority Operations Working Group (CAOPS-WG) - 816 https://forge.gridforum.org/projects/caops-wg 818 OGSA Authorization Working Group (OGSA-AUTHZ) - 819 https://forge.gridforum.org/projects/ogsa-authz 821 Grid Security Infrastructure (GSI-WG) - 822 https://forge.gridforum.org/projects/gsi-wg 824 5.12 Information System Security Assurance Architecture 826 IEEE Working Group - http://issaa.org/ 828 Formerly the Security Certification and Accreditation of Information 829 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft 830 Standard for Information System Security Assurance Architecture for 831 ballot and during the process begin development of a suite of 832 associated standards for components of that architecture. 834 Documents: http://issaa.org/documents/index.html 836 5.13 Operational Security Requirements for IP Network Infrastructure : 837 Advanced Requirements 839 IETF Internet-Draft 840 Abstract: This document defines a list of operational security 841 requirements for the infrastructure of large ISP IP networks (routers 842 and switches). A framework is defined for specifying "profiles", 843 which are collections of requirements applicable to certain network 844 topology contexts (all, core-only, edge-only...). The goal is to 845 provide network operators a clear, concise way of communicating their 846 security requirements to vendors. 848 Documents: 850 http://www.ietf.org/internet-drafts/draft-jones-opsec-06.txt 852 5.14 INCITS Technical Committee T4 - Security Techniques 854 http://www.incits.org/tc_home/t4.htm 856 Technical Committee T4, Security Techniques, participates in the 857 standardization of generic methods for information technology 858 security. 
This includes development of: security techniques and 859 mechanisms; security guidelines; security evaluation criteria; and 860 identification of generic requirements for information technology 861 system security services. 863 5.15 INCITS CS1 - Cyber Security 865 http://www.incits.org/tc_home/cs1.htm 867 INCITS/CS1 was established in April 2005 to serve as the US TAG for 868 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2 869 (INCITS/T4 serves as the US TAG to SC 27/WG 2). 871 The scope of CS1 explicitly excludes the areas of work on cyber 872 security standardization presently underway in INCITS B10, M1 and T3; 873 as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and 874 X9. INCITS T4's area of work would be narrowed to cryptography 875 projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and 876 mechanisms). 878 5.16 ISO Guidelines for the Management of IT Security - GMITS 880 Guidelines for the Management of IT Security -- Part 1: Concepts and 881 models for IT Security 883 http://www.iso.ch/iso/en/ 884 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35 886 Guidelines for the Management of IT Security -- Part 2: Managing and 887 planning IT Security 889 http://www.iso.org/iso/en/ 890 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40& 891 ICS3= 893 Guidelines for the Management of IT Security -- Part 3: Techniques 894 for the management of IT Security 896 http://www.iso.org/iso/en/ 897 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40& 898 ICS3= 900 Guidelines for the Management of IT Security -- Part 4: Selection of 901 safeguards 903 http://www.iso.org/iso/en/ 904 CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40& 905 ICS3= 907 Guidelines for the Management of IT Security - Part 5: Management 908 guidance on network security 910 http://www.iso.org/iso/en/ 911 CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40& 912 ICS3= 914 Open Systems Interconnection 
-- Network layer security protocol 916 http://www.iso.org/iso/en/ 917 CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100& 918 ICS3=30 920 5.17 ISO JTC 1/SC 27 922 http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/ 923 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143 925 Several security related ISO projects under JTC 1/SC 27 are listed 926 here such as: 928 IT security techniques -- Entity authentication 930 Security techniques -- Key management 932 Security techniques -- Evaluation criteria for IT security 933 Security techniques -- A framework for IT security assurance 935 IT Security techniques -- Code of practice for information 936 security management 938 Security techniques -- IT network security 940 Guidelines for the implementation, operation and management of 941 Intrusion Detection Systems (IDS) 943 International Security, Trust, and Privacy Alliance -- Privacy 944 Framework 946 5.18 ITU-T Study Group 2 948 http://www.itu.int/ITU-T/studygroups/com02/index.asp 950 Security related recommendations currently under study: 952 E.408 Telecommunication networks security requirements Q.5/2 953 (was E.sec1) 955 E.409 Incident Organisation and Security Incident Handling 956 Q.5/2 (was E.sec2) 958 Note: Access requires TIES account. 960 5.19 ITU-T Recommendation M.3016 962 http://www.itu.int/itudoc/itu-t/com4/contr/068.html 964 This recommendation provides an overview and framework that 965 identifies the security requirements of a TMN and outlines how 966 available security services and mechanisms can be applied within the 967 context of the TMN functional architecture. 969 Question 18 of Study Group 3 is revising Recommendation M.3016. They 970 have taken the original document and are incorporating thoughts from 971 ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has 972 produced a new series of documents. 
974 M.3016.0 - Overview 976 M.3016.1 - Requirements 978 M.3016.2 - Services 979 M.3016.3 - Mechanisms 981 M.3016.4 - Profiles 983 5.20 ITU-T Recommendation X.805 985 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html 987 This Recommendation defines the general security-related 988 architectural elements that, when appropriately applied, can provide 989 end-to-end network security. 991 5.21 ITU-T Study Group 16 993 http://www.itu.int/ITU-T/studygroups/com16/index.asp 995 Security of Multimedia Systems and Services - Question G/16 997 http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html 999 5.22 ITU-T Study Group 17 1001 http://www.itu.int/ITU-T/studygroups/com17/index.asp 1003 ITU-T Study Group 17 is the Lead Study Group on Communication System 1004 Security 1006 http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html 1008 Study Group 17 Security Project: 1010 http://www.itu.int/ITU-T/studygroups/com17/security/index.html 1012 During its November 2002 meeting, Study Group 17 agreed to establish 1013 a new project entitled "Security Project" under the leadership of 1014 Q.10/17 to coordinate the ITU-T standardization effort on security. 1015 An analysis of the status on ITU-T Study Group action on information 1016 and communication network security may be found in TSB Circular 147 1017 of 14 February 2003. 1019 5.23 Catalogue of ITU-T Recommendations related to Communications 1020 System Security 1022 http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html 1024 The Catalogue of the approved security Recommendations includes those 1025 designed for security purposes and those which describe or make use of 1026 functions of security interest and need. Although some of the 1027 security related Recommendations include the phrase "Open Systems 1028 Interconnection", much of the information contained in them is 1029 pertinent to the establishment of security functionality in any 1030 communicating system.
1032 5.24 ITU-T Security Manual 1034 http://www.itu.int/ITU-T/edh/files/security-manual.pdf 1036 TSB is preparing an "ITU-T Security Manual" to provide an overview on 1037 security in telecommunications and information technologies, describe 1038 practical issues, and indicate how the different aspects of security 1039 in today's applications are addressed by ITU-T Recommendations. This 1040 manual has a tutorial character: it collects security related 1041 material from ITU-T Recommendations into one place and explains the 1042 respective relationships. The intended audience for this manual is 1043 engineers and product managers, students and academia, as well as 1044 regulators who want to better understand security aspects in 1045 practical applications. 1047 5.25 ITU-T NGN Effort 1049 http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html 1051 During its January 2002 meeting, SG13 decided to undertake the 1052 preparation of a new ITU-T Project entitled "NGN 2004 Project". At 1053 the November 2002 SG13 meeting, a preliminary description of the 1054 Project was achieved and endorsed by SG13 with the goal to launch the 1055 Project. It has been regularly updated since then. 1057 The role of the NGN 2004 Project is to organize and to coordinate 1058 ITU-T activities on Next Generation Networks. Its target is to 1059 produce a first set of Recommendations on NGN by the end of this 1060 study period, i.e. mid-2004. 1062 5.26 NRIC VI Focus Groups 1064 http://www.nric.org/fg/index.html 1066 The Network Reliability and Interoperability Council (NRIC) was 1067 formed with the purpose to provide recommendations to the FCC and to 1068 the industry to assure the reliability and interoperability of 1069 wireless, wireline, satellite, and cable public telecommunications 1070 networks.
These documents provide general information and guidance 1071 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the 1072 prevention of cyberattack and for restoration following a 1073 cyberattack. 1075 Documents: 1077 Homeland Defense - Recommendations Published 14-Mar-03 1079 Preventative Best Practices - Recommendations Published 14-Mar-03 1081 Recovery Best Practices - Recommendations Published 14-Mar-03 1083 Best Practice Appendices - Recommendations Published 14-Mar-03 1085 5.27 OASIS Security Joint Committee 1087 http://www.oasis-open.org/committees/ 1088 tc_home.php?wg_abbrev=security-jc 1090 The purpose of the Security JC is to coordinate the technical 1091 activities of multiple security related TCs. The SJC is advisory 1092 only, and has no deliverables. The Security JC will promote the use 1093 of consistent terms, promote re-use, champion an OASIS security 1094 standards model, provide consistent PR, and promote mutuality, 1095 operational independence and ethics. 1097 5.28 OASIS Security Services TC 1099 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security 1101 The Security Services TC is working to advance the Security Assertion 1102 Markup Language (SAML) as an OASIS standard. SAML is an XML 1103 framework for exchanging authentication and authorization 1104 information. 1106 5.29 OIF Implementation Agreements 1108 The OIF has 2 approved Implementation Agreements (IAs) relating to 1109 security. They are: 1111 OIF-SMI-01.0 - Security Management Interfaces to Network Elements 1113 This Implementation Agreement lists objectives for securing OAM&P 1114 interfaces to a Network Element and then specifies ways of using 1115 security systems (e.g., IPsec or TLS) for securing these interfaces. 1116 It summarizes how well each of the systems, used as specified, 1117 satisfies the objectives. 
1119 OIF - SEP - 01.1 - Security Extension for UNI and NNI 1121 This Implementation Agreement defines a common Security Extension for 1122 securing the protocols used in UNI 1.0, UNI 2.0, and NNI. 1124 Documents: http://www.oiforum.com/public/documents/Security-IA.pdf 1126 5.30 TIA 1128 The TIA has produced the "Compendium of Emergency Communications and 1129 Communications Network Security-related Work Activities". This 1130 document identifies standards, or other technical documents and 1131 ongoing Emergency/Public Safety Communications and Communications 1132 Network Security-related work activities within TIA and its 1133 Engineering Committees. Many P25 documents are specifically 1134 detailed. This "living document" is presented for information, 1135 coordination and reference. 1137 Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf 1139 5.31 WS-I Basic Security Profile 1141 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html 1143 The WS-I Basic Security Profile 1.0 consists of a set of non- 1144 proprietary Web services specifications, along with clarifications 1145 and amendments to those specifications which promote 1146 interoperability. 1148 6. Security Considerations 1150 This document describes efforts to standardize security practices and 1151 documents. As such this document offers no security guidance 1152 whatsoever. 1154 Readers of this document should be aware of the date of publication 1155 of this document. It is feared that they may assume that the 1156 efforts, on-line material, and documents are current whereas they may 1157 not be. Please consider this when reading this document. 1159 7. IANA Considerations 1161 This Internet Draft does not propose a standard but is trying to pull 1162 together information about the security related efforts of all 1163 Standards Developing Organizations and some other efforts which 1164 provide good security methods, practices or recommendations. 1166 8.
Acknowledgments 1168 The following people have contributed to this document. Listing 1169 their names here does not mean that they endorse the document, but 1170 that they have contributed to its substance. 1172 David Black, Mark Ellison, George Jones, Keith McCloghrie, John 1173 McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer. 1175 9. Changes from Prior Drafts 1177 -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt 1179 -01 : Security Glossaries: 1181 Added ATIS Telecom Glossary 2000, Critical Infrastructure 1182 Glossary of Terms and Acronyms, Microsoft Solutions for 1183 Security Glossary, and USC InfoSec Glossary. 1185 Standards Developing Organizations: 1187 Added DMTF, GGF, INCITS, OASIS, and WS-I 1189 Removal of Committee T1 and modifications to ATIS and former T1 1190 technical subcommittees due to the recent ATIS reorganization. 1192 Efforts and Documents: 1194 Added DMTF User and Security WG, DMTF SPAM WG, GGF Security 1195 Area (SEC), INCITS Technical Committee T4 - Security 1196 Techniques, INCITS Technical Committee T11 - Fibre Channel 1197 Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint 1198 Committee, OASIS Security Services TC, and WS-I Basic Security 1199 Profile. 1201 Updated Operational Security Requirements for IP Network 1202 Infrastructure : Advanced Requirements. 1204 -00 : as the WG ID 1206 Added more information about the ITU-T SG3 Q18 effort to modify 1207 ITU-T Recommendation M.3016. 1209 -01 : First revision as the WG ID. 1211 Added information about the NGN in the sections about ATIS, the 1212 NSTAC, and ITU-T. 1214 Note: This section will be removed before publication as an RFC. 1216 10. References 1218 10.1 Normative References 1220 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1221 Levels", RFC 2119, STD 14, March 1997. 1223 10.2 Informative References 1225 [2] Narten, T. and H. 
Alvestrand, "Guidelines for writing an IANA 1226 Considerations Section in RFCs", RFC 2869, BCP 26, October 1998. 1228 Authors' Addresses 1230 Chris Lonvick 1231 Cisco Systems 1232 12515 Research Blvd. 1233 Austin, Texas 78759 1234 US 1236 Phone: +1 512 378 1182 1237 Email: clonvick@cisco.com 1239 David Spak 1240 Cisco Systems 1241 12515 Research Blvd. 1242 Austin, Texas 78759 1243 US 1245 Phone: +1 512 378 1720 1246 Email: dspak@cisco.com 1248 Intellectual Property Statement 1250 The IETF takes no position regarding the validity or scope of any 1251 Intellectual Property Rights or other rights that might be claimed to 1252 pertain to the implementation or use of the technology described in 1253 this document or the extent to which any license under such rights 1254 might or might not be available; nor does it represent that it has 1255 made any independent effort to identify any such rights. Information 1256 on the procedures with respect to rights in RFC documents can be 1257 found in BCP 78 and BCP 79. 1259 Copies of IPR disclosures made to the IETF Secretariat and any 1260 assurances of licenses to be made available, or the result of an 1261 attempt made to obtain a general license or permission for the use of 1262 such proprietary rights by implementers or users of this 1263 specification can be obtained from the IETF on-line IPR repository at 1264 http://www.ietf.org/ipr. 1266 The IETF invites any interested party to bring to its attention any 1267 copyrights, patents or patent applications, or other proprietary 1268 rights that may cover technology that may be required to implement 1269 this standard. Please address the information to the IETF at 1270 ietf-ipr@ietf.org. 
1272 Disclaimer of Validity 1274 This document and the information contained herein are provided on an 1275 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1276 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1277 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1278 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1279 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1280 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1282 Copyright Statement 1284 Copyright (C) The Internet Society (2005). This document is subject 1285 to the rights, licenses and restrictions contained in BCP 78, and 1286 except as set forth therein, the authors retain all their rights. 1288 Acknowledgment 1290 Funding for the RFC Editor function is currently provided by the 1291 Internet Society.