idnits 2.17.1

draft-ietf-opsec-efforts-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1290.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1267.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1274.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1280.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 19, 2006) is 6553 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: October 21, 2006                                  Cisco Systems
                                                          April 19, 2006

             Security Best Practices Efforts and Documents
                    draft-ietf-opsec-efforts-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 21, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Format of this Document
   4.  Online Security Glossaries
     4.1.  ATIS Telecom Glossary 2000
     4.2.  Critical Infrastructure Glossary of Terms and Acronyms
     4.3.  Internet Security Glossary - RFC 2828
     4.4.  Compendium of Approved ITU-T Security Definitions
     4.5.  Microsoft Solutions for Security Glossary
     4.6.  SANS Glossary of Security Terms
     4.7.  USC InfoSec Glossary
   5.  Standards Developing Organizations
     5.1.  3GPP - Third Generation Partnership Project
     5.2.  3GPP2 - Third Generation Partnership Project 2
     5.3.  ANSI - The American National Standards Institute
     5.4.  ATIS - Alliance for Telecommunications Industry Solutions
       5.4.1.  ATIS Network Performance, Reliability and Quality of
               Service Committee, formerly T1A1
       5.4.2.  ATIS Network Interface, Power, and Protection
               Committee, formerly T1E1
       5.4.3.  ATIS Telecom Management and Operations Committee,
               formerly T1M1 OAM&P
       5.4.4.  ATIS Ordering and Billing Forum regarding T1M1 O&B
       5.4.5.  ATIS Wireless Technologies and Systems Committee,
               formerly T1P1
       5.4.6.  ATIS Packet Technologies and Systems Committee,
               formerly T1S1
       5.4.7.  ATIS Protocol Interworking Committee, regarding T1S1
       5.4.8.  ATIS Optical Transport and Synchronization Committee,
               formerly T1X1
     5.5.  CC - Common Criteria
     5.6.  DMTF - Distributed Management Task Force, Inc.
     5.7.  ETSI - The European Telecommunications Standard Institute
     5.8.  GGF - Global Grid Forum
     5.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
     5.10. IETF - The Internet Engineering Task Force
     5.11. INCITS - InterNational Committee for Information
           Technology Standards
     5.12. INCITS Technical Committee T11 - Fibre Channel Interfaces
     5.13. ISO - The International Organization for Standardization
     5.14. ITU - International Telecommunication Union
       5.14.1. ITU Telecommunication Standardization Sector - ITU-T
       5.14.2. ITU Radiocommunication Sector - ITU-R
       5.14.3. ITU Telecom Development - ITU-D
     5.15. OASIS - Organization for the Advancement of Structured
           Information Standards
     5.16. OIF - Optical Internetworking Forum
     5.17. NRIC - The Network Reliability and Interoperability
           Council
     5.18. National Security Telecommunications Advisory Committee
           (NSTAC)
     5.19. TIA - The Telecommunications Industry Association
     5.20. Web Services Interoperability Organization (WS-I)
   6.  Security Best Practices Efforts and Documents
     6.1.  3GPP - TSG SA WG3 (Security)
     6.2.  3GPP2 - TSG-S Working Group 4 (Security)
     6.3.  American National Standard T1.276-2003 - Baseline
           Security Requirements for the Management Plane
     6.4.  DMTF - Security Protection and Management (SPAM)
           Working Group
     6.5.  DMTF - User and Security Working Group
     6.6.  ATIS Security & Emergency Preparedness Activities
     6.7.  ATIS Work-Plan to Achieve Interoperable,
           Implementable, End-To-End Standards and Solutions
       6.7.1.  ATIS Work on Packet Filtering
     6.8.  ATIS Work on the NGN
     6.9.  Common Criteria
     6.10. ETSI
     6.11. GGF Security Area (SEC)
     6.12. Information System Security Assurance Architecture
     6.13. Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements
     6.14. INCITS Technical Committee T4 - Security Techniques
     6.15. INCITS CS1 - Cyber Security
     6.16. ISO Guidelines for the Management of IT Security - GMITS
     6.17. ISO JTC 1/SC 27
     6.18. ITU-T Study Group 2
     6.19. ITU-T Recommendation M.3016
     6.20. ITU-T Recommendation X.805
     6.21. ITU-T Study Group 16
     6.22. ITU-T Study Group 17
     6.23. Catalogue of ITU-T Recommendations related to
           Communications System Security
     6.24. ITU-T Security Manual
     6.25. ITU-T NGN Effort
     6.26. NRIC VI Focus Groups
     6.27. OASIS Security Joint Committee
     6.28. OASIS Security Services TC
     6.29. OIF Implementation Agreements
     6.30. TIA
     6.31. WS-I Basic Security Profile
   7.  Security Considerations
   8.  IANA Considerations
   9.  Acknowledgments
   10. Changes from Prior Drafts
   11. Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply. Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack. For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level of this
   availability, or even improving it, for its users. These SDO efforts
   usually define themselves as "security" efforts.
   It is the opinion of the authors that there are many different
   definitions of the term "security" and it may be applied in many
   diverse ways. As such, we offer no assurance that the term is
   applied consistently throughout this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works. If there are overlaps then there is a potential for conflicts
   and confusion. This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations. In many cases, the authors are aware that the SDOs
   are making good efforts along these lines. However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter. The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

2.  Conventions Used in This Document

   This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" to describe requirements. These keywords are to be
   interpreted as described in [1].

3.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 4, contains a
   listing of online glossaries relating to networking and security. It
   is very important that the definitions of words relating to security
   and security events be consistent. Inconsistencies in the usage of
   words across standards are unacceptable, as they would prevent a
   reader of two standards from appropriately relating their
   recommendations. The authors of this document have not reviewed the
   definitions of the words in the listed glossaries so can offer no
   assurance of their alignment.

   The second part, Section 5, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 6, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

4.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

4.1.  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing 5800-
   entry, search-enabled hypertext telecommunications glossary titled
   Federal Standard 1037C, Glossary of Telecommunication Terms was
   updated and matured into this glossary, T1.523-2001, Telecom Glossary
   2000. This updated glossary was posted on the Web as an American
   National Standard (ANS).

4.2.  Critical Infrastructure Glossary of Terms and Acronyms

   http://www.ciao.gov/ciao_document_library/glossary/a.htm

   The Critical Infrastructure Assurance Office (CIAO) was created to
   coordinate the Federal Government's initiatives on critical
   infrastructure assurance. While the glossary was not created as a
   glossary specifically for security terms, it is populated with many
   security related definitions, abbreviations, organizations, and
   concepts.

4.3.  Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security." The glossary distinguishes
   the listed definitions throughout the document as being:

   o  a recommended Internet definition

   o  a recommended non-Internet definition

   o  not recommended as the first choice for Internet documents but
      something that an author of an Internet document would need to
      know

   o  a definition that shouldn't be used in Internet documents

   o  additional commentary or usage guidance

4.4.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

4.5.  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary/

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security.
   This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

4.6.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms. The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

4.7.  USC InfoSec Glossary

   http://www.usc.edu/org/infosec/resources/glossary_a.html

   A glossary of Information Systems security terms compiled by the
   University of Southern California Office of Information Security.

5.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards. These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions. This
   note will be removed before publication as an RFC.

5.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998. The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners". The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

5.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP. The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC.
   In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

5.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity assessment
   system. ANSI was founded October 19, 1918.

5.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach. Committee T1
   as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004. ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs. Due to the reorganization, some groups may have
   a new mission and scope statement.

5.4.1.  ATIS Network Performance, Reliability and Quality of Service
        Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

5.4.2.  ATIS Network Interface, Power, and Protection Committee,
        formerly T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

5.4.3.  ATIS Telecom Management and Operations Committee, formerly T1M1
        OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

5.4.4.  ATIS Ordering and Billing Forum regarding T1M1 O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

5.4.5.  ATIS Wireless Technologies and Systems Committee, formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

5.4.6.  ATIS Packet Technologies and Systems Committee, formerly T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. PTSC is responsible for producing standards to secure
   signalling.

   The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
   at this time. It is expected to move to an ANSI standard.

5.4.7.  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

5.4.8.  ATIS Optical Transport and Synchronization Committee, formerly
        T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

5.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

5.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

5.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards. ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17

   http://docbox.etsi.org/OCG/OCG/GSC9/GSC9_JointT%26R/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

5.8.  GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing. GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of Grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

5.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is a non-profit, technical professional association of more than
   360,000 individual members in approximately 175 countries. The IEEE
   produces 30 percent of the world's published literature in electrical
   engineering, computers and control technology through its technical
   publishing, conferences and consensus-based standards activities.

5.10.  IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

5.11.  INCITS - InterNational Committee for Information Technology
       Standards

   http://www.incits.org/

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

5.12.  INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

5.13.  ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system. ISO
   officially began operations on February 23, 1947.

5.14.  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland. The ITU is comprised of
   three sectors:

5.14.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

5.14.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

5.14.3.  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector. Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

5.15.  OASIS - Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

5.16.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

5.17.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks. The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

5.18.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982. Since then, the NSTAC has served four
   presidents. Composed of up to 30 industry chief executives
   representing the major communications and network service providers
   and information technology, finance, and aerospace companies, the
   NSTAC provides industry-based advice and expertise to the President
   on issues and problems related to implementing national security and
   emergency preparedness (NS/EP) communications policy. Since its
   inception, the NSTAC has addressed a wide range of policy and
   technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

5.19.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products.
   TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

5.20.  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages. The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

6.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

6.1.  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

6.2.  3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications. Among its responsibilities TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

685 TSG-S Specifications:
686 http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

688 6.3. American National Standard T1.276-2003 - Baseline Security
689 Requirements for the Management Plane

691 Abstract: This standard contains a set of baseline security
692 requirements for the management plane. The President's National
693 Security Telecommunications Advisory Committee Network Security
694 Information Exchange (NSIE) and Government NSIE jointly established a
695 Security Requirements Working Group (SRWG) to examine the security
696 requirements for controlling access to the public switched network,
697 in particular with respect to the emerging next generation network.

699 In the telecommunications industry, this access incorporates
700 operation, administration, maintenance, and provisioning for network
701 elements and various supporting systems and databases. Members of
702 the SRWG, from a cross-section of telecommunications carriers and
703 vendors, developed an initial list of security requirements that
704 would allow vendors, government departments and agencies, and service
705 providers to implement a secure telecommunications network management
706 infrastructure. This initial list of security requirements was
707 submitted as a contribution to Committee T1 - Telecommunications,
708 Working Group T1M1.5 for consideration as a standard. The
709 requirements outlined in this document will allow vendors, government
710 departments and agencies, and service providers to implement a secure
711 telecommunications network management infrastructure.

713 Documents:
714 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

716 6.4.
DMTF - Security Protection and Management (SPAM) Working Group

718 http://www.dmtf.org/about/committees/spamWGCharter.pdf

720 The Working Group will define a CIM Common Model that addresses
721 security protection and detection technologies, which may include
722 devices and services, and classifies security information, attacks
723 and responses.

725 6.5. DMTF - User and Security Working Group

727 http://www.dmtf.org/about/committees/userWGCharter.pdf

729 The User and Security Working Group defines objects and access
730 methods required for principals - where principals include users,
731 groups, software agents, systems, and organizations.

733 6.6. ATIS Security & Emergency Preparedness Activities

735 http://www.atis.org/atis/atisinfo/emergency/
736 security_committee_activities_T1.htm

738 The link above contains the description of the ATIS Communications
739 Security Model, the scopes of the Technical Subcommittees in relation
740 to the security model, and a list of published documents produced by
741 ATIS addressed to various aspects of network security.

743 6.7. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
744 Standards and Solutions

746 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf
747 The ATIS TOPS Security Focus Group has made recommendations on work
748 items needed to be performed by other SDOs.

750 6.7.1. ATIS Work on Packet Filtering

752 A part of the ATIS Work Plan was to define how disruptions may be
753 prevented by filtering unwanted traffic at the edges of the network.
754 ATIS is developing this work in a document titled, "Traffic Filtering
755 for the Prevention of Unwanted Traffic".

757 6.8.
ATIS Work on the NGN

759 http://www.atis.org/tops/WebsiteDocuments/ NGN/Working%20Docs/
760 Part%20I/ATIS_NGN_Part_1_Issue1.pdf

762 In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
763 entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
764 Definitions, Requirements, and Architecture, Issue 1.0, November
765 2004."

767 6.9. Common Criteria

769 http://www.commoncriteriaportal.org/

771 Version 1.0 of the CC was completed in January 1996. Based on a
772 number of trial evaluations and an extensive public review, Version
773 1.0 was extensively revised and CC Version 2.0 was produced in April
774 of 1998. This became ISO International Standard 15408 in 1999. The
775 CC Project subsequently incorporated the minor changes that had
776 resulted in the ISO process, producing CC version 2.1 in August 1999.
777 Version 3.0 was published in June 2005 and is available for comment.

779 The official version of the Common Criteria and of the Common
780 Evaluation Methodology is v2.3 which was published in August 2005.

782 All Common Criteria publications contain:

784 Part 1: Introduction and general model

786 Part 2: Security functional components

788 Part 3: Security assurance components

790 Documents: Common Criteria V2.3
791 http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

793 6.10. ETSI

795 http://www.etsi.org/

797 The ETSI hosted the ETSI Global Security Conference in late November,
798 2003, which could lead to a standard.

800 Groups related to security located from the ETSI Groups Portal:

802 OCG Security

804 3GPP SA3

806 TISPAN WG7

808 6.11. GGF Security Area (SEC)

810 https://forge.gridforum.org/projects/sec/

812 The Security Area (SEC) is concerned with various issues relating to
813 authentication and authorization in Grid environments.
815 Working groups:

817 Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
818 https://forge.gridforum.org/projects/authz-wg

820 Certificate Authority Operations Working Group (CAOPS-WG) -
821 https://forge.gridforum.org/projects/caops-wg

823 OGSA Authorization Working Group (OGSA-AUTHZ) -
824 https://forge.gridforum.org/projects/ogsa-authz

826 Grid Security Infrastructure (GSI-WG) -
827 https://forge.gridforum.org/projects/gsi-wg

829 6.12. Information System Security Assurance Architecture

831 IEEE Working Group - http://issaa.org/

833 Formerly the Security Certification and Accreditation of Information
834 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
835 Standard for Information System Security Assurance Architecture for
836 ballot and during the process begin development of a suite of
837 associated standards for components of that architecture.

839 Documents: http://issaa.org/documents/index.html

841 6.13. Operational Security Requirements for IP Network Infrastructure :
842 Advanced Requirements

844 IETF RFC 3871

846 Abstract: This document defines a list of operational security
847 requirements for the infrastructure of large ISP IP networks (routers
848 and switches). A framework is defined for specifying "profiles",
849 which are collections of requirements applicable to certain network
850 topology contexts (all, core-only, edge-only...). The goal is to
851 provide network operators a clear, concise way of communicating their
852 security requirements to vendors.

854 Documents:

856 ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

858 6.14. INCITS Technical Committee T4 - Security Techniques

860 http://www.incits.org/tc_home/t4.htm

862 Technical Committee T4, Security Techniques, participates in the
863 standardization of generic methods for information technology
864 security.
This includes development of: security techniques and
865 mechanisms; security guidelines; security evaluation criteria; and
866 identification of generic requirements for information technology
867 system security services.

869 6.15. INCITS CS1 - Cyber Security

871 http://www.incits.org/tc_home/cs1.htm

873 INCITS/CS1 was established in April 2005 to serve as the US TAG for
874 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
875 (INCITS/T4 serves as the US TAG to SC 27/WG 2).

877 The scope of CS1 explicitly excludes the areas of work on cyber
878 security standardization presently underway in INCITS B10, M1 and T3;
879 as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
880 X9. INCITS T4's area of work would be narrowed to cryptography
881 projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
882 mechanisms).

884 6.16. ISO Guidelines for the Management of IT Security - GMITS

886 Guidelines for the Management of IT Security -- Part 1: Concepts and
887 models for IT Security
888 http://www.iso.ch/iso/en/
889 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

891 Guidelines for the Management of IT Security -- Part 2: Managing and
892 planning IT Security

894 http://www.iso.org/iso/en/
895 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
896 ICS3=

898 Guidelines for the Management of IT Security -- Part 3: Techniques
899 for the management of IT Security

901 http://www.iso.org/iso/en/
902 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
903 ICS3=

905 Guidelines for the Management of IT Security -- Part 4: Selection of
906 safeguards

908 http://www.iso.org/iso/en/
909 CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
910 ICS3=

912 Guidelines for the Management of IT Security - Part 5: Management
913 guidance on network security

915 http://www.iso.org/iso/en/
916 CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
917 ICS3=

919 Open Systems
Interconnection -- Network layer security protocol

921 http://www.iso.org/iso/en/
922 CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
923 ICS3=30

925 6.17. ISO JTC 1/SC 27

927 http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
928 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

930 Several security related ISO projects under JTC 1/SC 27 are listed
931 here such as:

933 IT security techniques -- Entity authentication
934 Security techniques -- Key management

936 Security techniques -- Evaluation criteria for IT security

938 Security techniques -- A framework for IT security assurance

940 IT Security techniques -- Code of practice for information
941 security management

943 Security techniques -- IT network security

945 Guidelines for the implementation, operation and management of
946 Intrusion Detection Systems (IDS)

948 International Security, Trust, and Privacy Alliance -- Privacy
949 Framework

951 6.18. ITU-T Study Group 2

953 http://www.itu.int/ITU-T/studygroups/com02/index.asp

955 Security related recommendations currently under study:

957 E.408 Telecommunication networks security requirements Q.5/2 (was
958 E.sec1)

960 E.409 Incident Organisation and Security Incident Handling Q.5/2
961 (was E.sec2)

963 Note: Access requires TIES account.

965 6.19. ITU-T Recommendation M.3016

967 http://www.itu.int/itudoc/itu-t/com4/contr/068.html

969 This recommendation provides an overview and framework that
970 identifies the security requirements of a TMN and outlines how
971 available security services and mechanisms can be applied within the
972 context of the TMN functional architecture.

974 Question 18 of Study Group 3 is revising Recommendation M.3016. They
975 have taken the original document and are incorporating thoughts from
976 ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
977 produced a new series of documents.
979 M.3016.0 - Overview
980 M.3016.1 - Requirements

982 M.3016.2 - Services

984 M.3016.3 - Mechanisms

986 M.3016.4 - Profiles

988 6.20. ITU-T Recommendation X.805

990 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

992 This Recommendation defines the general security-related
993 architectural elements that, when appropriately applied, can provide
994 end-to-end network security.

996 6.21. ITU-T Study Group 16

998 http://www.itu.int/ITU-T/studygroups/com16/index.asp

1000 Security of Multimedia Systems and Services - Question G/16

1002 http://www.itu.int/ITU-T/studygroups/com16/sg16-qg.html

1004 6.22. ITU-T Study Group 17

1006 http://www.itu.int/ITU-T/studygroups/com17/index.asp

1008 ITU-T Study Group 17 is the Lead Study Group on Communication System
1009 Security

1011 http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

1013 Study Group 17 Security Project:

1015 http://www.itu.int/ITU-T/studygroups/com17/security/index.html

1017 During its November 2002 meeting, Study Group 17 agreed to establish
1018 a new project entitled "Security Project" under the leadership of
1019 Q.10/17 to coordinate the ITU-T standardization effort on security.
1020 An analysis of the status on ITU-T Study Group action on information
1021 and communication network security may be found in TSB Circular 147
1022 of 14 February 2003.

1024 6.23. Catalogue of ITU-T Recommendations related to Communications
1025 System Security

1027 http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html
1028 The Catalogue of the approved security Recommendations includes those
1029 designed for security purposes and those which describe or make use of
1030 functions of security interest and need. Although some of the
1031 security related Recommendations include the phrase "Open Systems
1032 Interconnection", much of the information contained in them is
1033 pertinent to the establishment of security functionality in any
1034 communicating system.

1036 6.24.
ITU-T Security Manual

1038 http://www.itu.int/ITU-T/edh/files/security-manual.pdf

1040 TSB is preparing an "ITU-T Security Manual" to provide an overview on
1041 security in telecommunications and information technologies, describe
1042 practical issues, and indicate how the different aspects of security
1043 in today's applications are addressed by ITU-T Recommendations. This
1044 manual has a tutorial character: it collects security related
1045 material from ITU-T Recommendations into one place and explains the
1046 respective relationships. The intended audience for this manual is
1047 engineers and product managers, students and academia, as well as
1048 regulators who want to better understand security aspects in
1049 practical applications.

1051 6.25. ITU-T NGN Effort

1053 http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

1055 During its January 2002 meeting, SG13 decided to undertake the
1056 preparation of a new ITU-T Project entitled "NGN 2004 Project". At
1057 the November 2002 SG13 meeting, a preliminary description of the
1058 Project was achieved and endorsed by SG13 with the goal to launch the
1059 Project. It has been regularly updated since then.

1061 The role of the NGN 2004 Project is to organize and to coordinate
1062 ITU-T activities on Next Generation Networks. Its target is to
1063 produce a first set of Recommendations on NGN by the end of this
1064 study period, i.e. mid-2004.

1066 6.26. NRIC VI Focus Groups

1068 http://www.nric.org/fg/index.html

1070 The Network Reliability and Interoperability Council (NRIC) was
1071 formed with the purpose to provide recommendations to the FCC and to
1072 the industry to assure the reliability and interoperability of
1073 wireless, wireline, satellite, and cable public telecommunications
1074 networks.
These documents provide general information and guidance
1075 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
1076 prevention of cyberattack and for restoration following a
1077 cyberattack.

1079 Documents:

1081 Homeland Defense - Recommendations Published 14-Mar-03

1083 Preventative Best Practices - Recommendations Published 14-Mar-03

1085 Recovery Best Practices - Recommendations Published 14-Mar-03

1087 Best Practice Appendices - Recommendations Published 14-Mar-03

1089 6.27. OASIS Security Joint Committee

1091 http://www.oasis-open.org/committees/
1092 tc_home.php?wg_abbrev=security-jc

1094 The purpose of the Security JC is to coordinate the technical
1095 activities of multiple security related TCs. The SJC is advisory
1096 only, and has no deliverables. The Security JC will promote the use
1097 of consistent terms, promote re-use, champion an OASIS security
1098 standards model, provide consistent PR, and promote mutuality,
1099 operational independence and ethics.

1101 6.28. OASIS Security Services TC

1103 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

1105 The Security Services TC is working to advance the Security Assertion
1106 Markup Language (SAML) as an OASIS standard. SAML is an XML
1107 framework for exchanging authentication and authorization
1108 information.

1110 6.29. OIF Implementation Agreements

1112 The OIF has 2 approved Implementation Agreements (IAs) relating to
1113 security. They are:

1115 OIF-SMI-01.0 - Security Management Interfaces to Network Elements

1117 This Implementation Agreement lists objectives for securing OAM&P
1118 interfaces to a Network Element and then specifies ways of using
1119 security systems (e.g., IPsec or TLS) for securing these interfaces.
1120 It summarizes how well each of the systems, used as specified,
1121 satisfies the objectives.
1123 OIF - SEP - 01.1 - Security Extension for UNI and NNI
1124 This Implementation Agreement defines a common Security Extension for
1125 securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

1127 Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

1129 6.30. TIA

1131 The TIA has produced the "Compendium of Emergency Communications and
1132 Communications Network Security-related Work Activities". This
1133 document identifies standards, or other technical documents and
1134 ongoing Emergency/Public Safety Communications and Communications
1135 Network Security-related work activities within TIA and its
1136 Engineering Committees. Many P25 documents are specifically
1137 detailed. This "living document" is presented for information,
1138 coordination and reference.

1140 Documents: http://www.tiaonline.org/standards/cip/EMTEL_sec.pdf

1142 6.31. WS-I Basic Security Profile

1144 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

1146 The WS-I Basic Security Profile 1.0 consists of a set of non-
1147 proprietary Web services specifications, along with clarifications
1148 and amendments to those specifications which promote
1149 interoperability.

1151 7. Security Considerations

1153 This document describes efforts to standardize security practices and
1154 documents. As such this document offers no security guidance
1155 whatsoever.

1157 Readers of this document should be aware of the date of publication
1158 of this document. It is feared that they may assume that the
1159 efforts, on-line material, and documents are current whereas they may
1160 not be. Please consider this when reading this document.

1162 8. IANA Considerations

1164 This document does not propose a standard and does not require the
1165 IANA to do anything.

1167 9. Acknowledgments

1169 The following people have contributed to this document. Listing
1170 their names here does not mean that they endorse the document, but
1171 that they have contributed to its substance.
1173 David Black, Mark Ellison, George Jones, Keith McCloghrie, John
1174 McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
1175 Moon.

1177 10. Changes from Prior Drafts

1179 -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

1181 -01 : Security Glossaries:

1183 Added ATIS Telecom Glossary 2000, Critical Infrastructure
1184 Glossary of Terms and Acronyms, Microsoft Solutions for
1185 Security Glossary, and USC InfoSec Glossary.

1187 Standards Developing Organizations:

1189 Added DMTF, GGF, INCITS, OASIS, and WS-I

1191 Removal of Committee T1 and modifications to ATIS and former T1
1192 technical subcommittees due to the recent ATIS reorganization.

1194 Efforts and Documents:

1196 Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
1197 Area (SEC), INCITS Technical Committee T4 - Security
1198 Techniques, INCITS Technical Committee T11 - Fibre Channel
1199 Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
1200 Committee, OASIS Security Services TC, and WS-I Basic Security
1201 Profile.

1203 Updated Operational Security Requirements for IP Network
1204 Infrastructure : Advanced Requirements.

1206 -00 : as the WG ID

1208 Added more information about the ITU-T SG3 Q18 effort to modify
1209 ITU-T Recommendation M.3016.

1211 -01 : First revision as the WG ID.

1213 Added information about the NGN in the sections about ATIS, the
1214 NSTAC, and ITU-T.

1216 -02 : Second revision as the WG ID.

1218 Updated the date.

1220 Corrected some URLs and the reference to George's RFC.

1222 -03 : Third revision of the WG ID.

1224 Updated the date.

1226 Updated the information about the CC

1228 Added a Conventions section (not sure how this document got to
1229 where it is without that)

1231 Note: This section will be removed before publication as an RFC.

1233 11. Normative References

1235 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
1236 Levels", RFC 2119, STD 14, March 1997.
1238 Authors' Addresses

1240 Chris Lonvick
1241 Cisco Systems
1242 12515 Research Blvd.
1243 Austin, Texas 78759
1244 US

1246 Phone: +1 512 378 1182
1247 Email: clonvick@cisco.com

1249 David Spak
1250 Cisco Systems
1251 12515 Research Blvd.
1252 Austin, Texas 78759
1253 US

1255 Phone: +1 512 378 1720
1256 Email: dspak@cisco.com

1258 Intellectual Property Statement

1260 The IETF takes no position regarding the validity or scope of any
1261 Intellectual Property Rights or other rights that might be claimed to
1262 pertain to the implementation or use of the technology described in
1263 this document or the extent to which any license under such rights
1264 might or might not be available; nor does it represent that it has
1265 made any independent effort to identify any such rights. Information
1266 on the procedures with respect to rights in RFC documents can be
1267 found in BCP 78 and BCP 79.

1269 Copies of IPR disclosures made to the IETF Secretariat and any
1270 assurances of licenses to be made available, or the result of an
1271 attempt made to obtain a general license or permission for the use of
1272 such proprietary rights by implementers or users of this
1273 specification can be obtained from the IETF on-line IPR repository at
1274 http://www.ietf.org/ipr.

1276 The IETF invites any interested party to bring to its attention any
1277 copyrights, patents or patent applications, or other proprietary
1278 rights that may cover technology that may be required to implement
1279 this standard. Please address the information to the IETF at
1280 ietf-ipr@ietf.org.
1282 Disclaimer of Validity

1284 This document and the information contained herein are provided on an
1285 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1286 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1287 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1288 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1289 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1290 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1292 Copyright Statement

1294 Copyright (C) The Internet Society (2006). This document is subject
1295 to the rights, licenses and restrictions contained in BCP 78, and
1296 except as set forth therein, the authors retain all their rights.

1298 Acknowledgment

1300 Funding for the RFC Editor function is currently provided by the
1301 Internet Society.