draft-ietf-mile-rfc6045-bis-02.txt   draft-ietf-mile-rfc6045-bis-03.txt 
MILE Working Group K. Moriarty MILE Working Group K. Moriarty
Internet-Draft EMC Internet-Draft EMC
Obsoletes: 6045 (if approved) December 6, 2011 Obsoletes: 6045 (if approved) December 7, 2011
Intended status: Standards Track Intended status: Standards Track
Expires: June 8, 2012 Expires: June 9, 2012
Real-time Inter-network Defense (RID) Real-time Inter-network Defense (RID)
draft-ietf-mile-rfc6045-bis-02.txt draft-ietf-mile-rfc6045-bis-03.txt
Abstract Abstract
Security incidents, such as system compromises, worms, viruses, Security incidents, such as system compromises, worms, viruses,
phishing incidents, and denial of service, typically result in the phishing incidents, and denial of service, typically result in the
loss of service, data, and resources both human and system. Service loss of service, data, and resources both human and system. Service
providers and Computer Security Incident Response Teams need to be providers and Computer Security Incident Response Teams need to be
equipped and ready to assist in communicating and tracing security equipped and ready to assist in communicating and tracing security
incidents with tools and procedures in place before the occurrence of incidents with tools and procedures in place before the occurrence of
an attack. Real-time Inter-network Defense (RID) outlines a an attack. Real-time Inter-network Defense (RID) outlines a
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 8, 2012. This Internet-Draft will expire on June 9, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Normative and Informative . . . . . . . . . . . . . . . . 6 1.1. Normative and Informative . . . . . . . . . . . . . . . . 6
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
2. Characteristics of Incidents . . . . . . . . . . . . . . . . . 6 2. Characteristics of Incidents . . . . . . . . . . . . . . . . . 6
3. Communication between CSIRTs and Service Providers . . . . . . 8 3. Communication between CSIRTs and Service Providers . . . . . . 8
3.1. Inter-network Provider RID Messaging . . . . . . . . . . . 10 3.1. Inter-network Provider RID Messaging . . . . . . . . . . . 10
3.2. RID Communication Topology . . . . . . . . . . . . . . . . 12 3.2. RID Communication Topology . . . . . . . . . . . . . . . . 12
3.3. Message Formats . . . . . . . . . . . . . . . . . . . . . 13 3.3. Message Formats . . . . . . . . . . . . . . . . . . . . . 13
3.4. RID Data Types . . . . . . . . . . . . . . . . . . . . . . 13 3.4. RID Data Types . . . . . . . . . . . . . . . . . . . . . . 14
3.4.1. Boolean . . . . . . . . . . . . . . . . . . . . . . . 14 3.4.1. Boolean . . . . . . . . . . . . . . . . . . . . . . . 14
3.5. RID Message Types . . . . . . . . . . . . . . . . . . . . 14 3.5. RID Message Types . . . . . . . . . . . . . . . . . . . . 14
4. IODEF-RID Schema . . . . . . . . . . . . . . . . . . . . . . . 15 4. IODEF-RID Schema . . . . . . . . . . . . . . . . . . . . . . . 15
4.1. RIDPolicy Class . . . . . . . . . . . . . . . . . . . . . 17 4.1. RIDPolicy Class . . . . . . . . . . . . . . . . . . . . . 17
4.2. RequestStatus . . . . . . . . . . . . . . . . . . . . . . 23 4.2. RequestStatus . . . . . . . . . . . . . . . . . . . . . . 23
4.3. IncidentSource . . . . . . . . . . . . . . . . . . . . . . 25 4.3. IncidentSource . . . . . . . . . . . . . . . . . . . . . . 25
4.4. RID Name Spaces . . . . . . . . . . . . . . . . . . . . . 26 4.4. RID Name Spaces . . . . . . . . . . . . . . . . . . . . . 26
5. RID Messages . . . . . . . . . . . . . . . . . . . . . . . . . 26 5. RID Messages . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.1. TraceRequest . . . . . . . . . . . . . . . . . . . . . . . 26 5.1. TraceRequest . . . . . . . . . . . . . . . . . . . . . . . 26
5.2. RequestAuthorization . . . . . . . . . . . . . . . . . . . 27 5.2. RequestAuthorization . . . . . . . . . . . . . . . . . . . 28
5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.4. Investigation Request . . . . . . . . . . . . . . . . . . 30 5.4. Investigation Request . . . . . . . . . . . . . . . . . . 31
5.5. Report . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.5. Report . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.6. IncidentQuery . . . . . . . . . . . . . . . . . . . . . . 33 5.6. IncidentQuery . . . . . . . . . . . . . . . . . . . . . . 33
6. RID Communication Exchanges . . . . . . . . . . . . . . . . . 35 6. RID Communication Exchanges . . . . . . . . . . . . . . . . . 35
6.1. Upstream Trace Communication Flow . . . . . . . . . . . . 35 6.1. Upstream Trace Communication Flow . . . . . . . . . . . . 35
6.1.1. RID TraceRequest Example . . . . . . . . . . . . . . . 37 6.1.1. RID TraceRequest Example . . . . . . . . . . . . . . . 37
6.1.2. RequestAuthorization Message Example . . . . . . . . . 41 6.1.2. RequestAuthorization Message Example . . . . . . . . . 41
6.1.3. Result Message Example . . . . . . . . . . . . . . . . 42 6.1.3. Result Message Example . . . . . . . . . . . . . . . . 42
6.2. Investigation Request Communication Flow . . . . . . . . . 45 6.2. Investigation Request Communication Flow . . . . . . . . . 45
6.2.1. Investigation Request Example . . . . . . . . . . . . 46 6.2.1. Investigation Request Example . . . . . . . . . . . . 46
6.2.2. RequestAuthorization Message Example . . . . . . . . . 48 6.2.2. RequestAuthorization Message Example . . . . . . . . . 48
skipping to change at page 6, line 28 skipping to change at page 6, line 28
and IODEF-RID schemas. The attribute may also be present in IODEF and IODEF-RID schemas. The attribute may also be present in IODEF
extension schemas, where the guidance also applies. extension schemas, where the guidance also applies.
o All of the normative text from the Security Considerations Section o All of the normative text from the Security Considerations Section
has been moved to a new Section, Security Requirements. has been moved to a new Section, Security Requirements.
o The order in which the RID Schema is presented in Section 4 has o The order in which the RID Schema is presented in Section 4 has
been changed to match the order in the IODEF-RID schema. been changed to match the order in the IODEF-RID schema.
o Additional text has been provided to explain the content and o Additional text has been provided to explain the content and
interactions between entities within the examples. interactions between entities in the examples.
1.1. Normative and Informative 1.1. Normative and Informative
The XML schema [XMLschema] and transport requirements contained in The XML schema [XMLschema] and transport requirements contained in
this document are normative; all other information provided is this document are normative; all other information provided is
intended as informative. More specifically, the following sections intended as informative. More specifically, the following sections
of this document are intended as informative: Sections 1 and 2; and of this document are intended as informative: Sections 1, 2, and 9;
the sub-sections of 3 including the introduction to 3, 3.1, and 3.2. and the sub-sections of 3 including the introduction to 3, 3.1, and
The following sections of this document are normative: The sub- 3.2. The following sections of this document are normative: The sub-
sections of 3 including 3.3, 3.4, and 3.5; Sections 5, 6, 7, and 8. sections of 3 including 3.3, 3.4, and 3.5; Sections 5, 6, 7, 8, 10,
and 11.
1.2. Terminology 1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Characteristics of Incidents 2. Characteristics of Incidents
The goal of tracing a security incident may be to identify the source The goal of tracing a security incident may be to identify the source
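Review bot: Section 4 (IODEF-RID Schema) appears in neither the informative nor the normative list of the revised Section 1.1, even though the opening sentence of 1.1 states that the XML schema is normative; the sentence "The following sections of this document are normative" should name Section 4 so the two statements agree. The new numbers 9 (informative) and 10 and 11 (normative) cannot be checked against the Table of Contents excerpt shown, which stops at 6.2.2; since the changes list above says the normative text from Security Considerations moved into a new Security Requirements section, confirm that the new section is one of the numbers listed as normative and that the remaining Security Considerations section is the one listed as informative.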
skipping to change at page 42, line 19 skipping to change at page 42, line 19
<iodef-rid:PolicyRegion region="IntraConsortium"/> <iodef-rid:PolicyRegion region="IntraConsortium"/>
<iodef:Node> <iodef:Node>
<iodef:Address category="ipv4-addr">192.0.2.67</iodef:Address> <iodef:Address category="ipv4-addr">192.0.2.67</iodef:Address>
</iodef:Node> </iodef:Node>
<iodef-rid:TrafficType type="Attack"/> <iodef-rid:TrafficType type="Attack"/>
<iodef:IncidentID name="CERT-FOR-OUR-DOMAIN"> <iodef:IncidentID name="CERT-FOR-OUR-DOMAIN">
CERT-FOR-OUR-DOMAIN#207-1 CERT-FOR-OUR-DOMAIN#207-1
</iodef:IncidentID> </iodef:IncidentID>
</iodef-rid:RIDPolicy> </iodef-rid:RIDPolicy>
<iodef-rid:RequestStatus AuthorizationStatus="Approved"/> <iodef-rid:RequestStatus AuthorizationStatus="Approved"/>
</iodef-rid:RID></section> </iodef-rid:RID>
6.1.3. Result Message Example 6.1.3. Result Message Example
The example Result message is in response to the TraceRequest listed The example Result message is in response to the TraceRequest listed
above. This message type only comes after a RequestAuthorization above. This message type only comes after a RequestAuthorization
within the TraceRequest flow of messages. It may be a direct within the TraceRequest flow of messages. It may be a direct
response to an Investigation request. This message provides response to an Investigation request. This message provides
information about the source of the attack and the actions taken to information about the source of the attack and the actions taken to
mitigate the traffic. mitigate the traffic.
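Review bot: the stray "</section>" after "</iodef-rid:RID>" in the -02 RequestAuthorization example closes an element that is never opened in the message and is not part of the IODEF-RID schema, so the -02 example was not well-formed XML; removing it in -03 is the right fix, and the other examples in Section 6 should be checked for the same leftover, which looks like residue from the source markup rather than from the message. In the Result prose below the example, "It may be a direct response to an Investigation request" follows a sentence stating that the Result "only comes after a RequestAuthorization within the TraceRequest flow"; wording that presents the Investigation request case as the exception to that rule would avoid reading as a contradiction.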
skipping to change at page 72, line 31 skipping to change at page 72, line 31
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet
Attribute Certificate Profile for Authorization", Attribute Certificate Profile for Authorization",
RFC 5755, January 2010. RFC 5755, January 2010.
[RFC6046-bis] [RFC6046-bis]
Trammell, B., "Transport of Real-time Inter-network Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages", September 2011, <http:// Defense (RID) Messages", December 2011, <http://
tools.ietf.org/html/draft-trammell-mile-rfc6046-bis-01>. tools.ietf.org/html/draft-ietf-mile-rfc6046-bis-02>.
[XML1.0] Bray, T., Maler, E., Paoli, J., Sperberg-McQueen, C., and [XML1.0] Bray, T., Maler, E., Paoli, J., Sperberg-McQueen, C., and
F. Yergeau, "Extensible Markup Language (XML) 1.0", W3C F. Yergeau, "Extensible Markup Language (XML) 1.0", W3C
Recommendation XML 1.0, November 2008, Recommendation XML 1.0, November 2008,
<http://www.w3.org/TR/xml/>. <http://www.w3.org/TR/xml/>.
[XMLNames] [XMLNames]
Bray, T., Hollander, D., Layman, A., Tobin, R., and H. Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thomson, "Namespaces in XML 1.0 (Third Edition)", W3C Thomson, "Namespaces in XML 1.0 (Third Edition)", W3C
Recommendation , December 2009, Recommendation , December 2009,
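Review bot: the updated [RFC6046-bis] entry still cites an Internet-Draft without the "work in progress" marker that the boilerplate above requires for Internet-Draft citations ("cite them other than as 'work in progress'"); suggest rendering it as Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages", Work in Progress, December 2011, keeping the URL. The [XMLNames] entry has a stray space before the comma in "Recommendation , December 2009" in both columns.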
 End of changes. 11 change blocks. 
15 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/