draft-ietf-mile-rfc6045-bis-07.txt   draft-ietf-mile-rfc6045-bis-08.txt 
MILE Working Group K. Moriarty MILE Working Group K. Moriarty
Internet-Draft EMC Internet-Draft EMC
Obsoletes: 6045 (if approved) January 20, 2012 Obsoletes: 6045 (if approved) January 23, 2012
Intended status: Standards Track Intended status: Standards Track
Expires: July 23, 2012 Expires: July 26, 2012
Real-time Inter-network Defense (RID) Real-time Inter-network Defense (RID)
draft-ietf-mile-rfc6045-bis-07.txt draft-ietf-mile-rfc6045-bis-08.txt
Abstract Abstract
Security incidents, such as system compromises, worms, viruses, Security incidents, such as system compromises, worms, viruses,
phishing incidents, and denial of service, typically result in the phishing incidents, and denial of service, typically result in the
loss of service, data, and resources both human and system. Service loss of service, data, and resources both human and system. Service
providers and Computer Security Incident Response Teams need to be providers and Computer Security Incident Response Teams need to be
equipped and ready to assist in communicating and tracing security equipped and ready to assist in communicating and tracing security
incidents with tools and procedures in place before the occurrence of incidents with tools and procedures in place before the occurrence of
an attack. Real-time Inter-network Defense (RID) outlines a an attack. Real-time Inter-network Defense (RID) outlines a
proactive inter-network communication method to facilitate sharing proactive inter-network communication method to facilitate sharing
incident handling data while integrating existing detection, tracing, incident handling data while integrating existing detection, tracing,
source identification, and mitigation mechanisms for a complete source identification, and mitigation mechanisms for a complete
incident handling solution. Combining these capabilities in a incident handling solution. Combining these capabilities in a
communication system provides a way to achieve higher security levels communication system provides a way to achieve higher security levels
on networks. Policy guidelines for handling incidents are on networks. Policy guidelines for handling incidents are
recommended and can be agreed upon by a consortium using the security recommended and can be agreed upon by a consortium using the security
recommendations and considerations. recommendations and considerations. This document obsoletes RFC6045.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 23, 2012. This Internet-Draft will expire on July 26, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
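Review bot: The sentence added to the abstract, "This document obsoletes RFC6045.", should write the number as "RFC 6045" (with a space), matching the "Obsoletes: 6045 (if approved)" header and RFC Editor style; if RFC 6045 appears in the references, cite it there too ("RFC 6045 [RFC6045]") so the obsoleted document is linked from the abstract.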
skipping to change at page 6, line 25 skipping to change at page 6, line 25
o An option for a star topology has been included in an o An option for a star topology has been included in an
informational section to meet current use case requirements of informational section to meet current use case requirements of
those who provide reports on incident information. those who provide reports on incident information.
o The schema version was incremented. The schema has changed to o The schema version was incremented. The schema has changed to
include IODEF [RFC5070] enveloped in RID in the RIDPolicy class include IODEF [RFC5070] enveloped in RID in the RIDPolicy class
using the new ReportSchema class, to include reported errata, to using the new ReportSchema class, to include reported errata, to
include additional enumerations in the Justification attribute, to include additional enumerations in the Justification attribute, to
remove the AcrossNationalBoundaries region enumeration, to add the remove the AcrossNationalBoundaries region enumeration, to add the
DataWithHandingRequirements enumeration in TrafficTypes, and to DataWithHandlingRequirements enumeration in TrafficTypes, and to
change the name of the RequestAuthorization MsgType to change the name of the RequestAuthorization MsgType to
Acknowledgement. Additional text has been provided to clarify Acknowledgement. Additional text has been provided to clarify
definitions of enumerated values for some attributes. The definitions of enumerated values for some attributes. The
RequestAuthorization name was replaced with Acknowledgement to RequestAuthorization name was replaced with Acknowledgement to
more accurately represent the function of that message type. Text more accurately represent the function of that message type. Text
was clarified to note the possible use of this message in response was clarified to note the possible use of this message in response
to Query and Report messages. The attributes were fixed in the to Query and Report messages. The attributes were fixed in the
schema to add 'lang' at the RID class level for language support. schema to add 'lang' at the RID class level for language support.
o The TraceRequest and Investigation messages have been collapsed o The TraceRequest and Investigation messages have been collapsed
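Review bot: The change-list bullet describes "to add the DataWithHandlingRequirements enumeration in TrafficTypes", but the only change in this hunk is the spelling correction from "DataWithHandingRequirements" to "DataWithHandlingRequirements". That correction changes an on-the-wire token, so a -07 implementation emitting the old value will not validate against the -08 schema; say so explicitly (for example "the DataWithHandingRequirements enumeration was renamed to DataWithHandlingRequirements") so implementers know to update the value rather than treating it as a new addition.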
skipping to change at page 20, line 47 skipping to change at page 20, line 47
related to network traffic or routing issues. related to network traffic or routing issues.
3. Content. This category MUST be used only in the case in which 3. Content. This category MUST be used only in the case in which
the request is related to the content and regional the request is related to the content and regional
restrictions on accessing that type of content exist. This is restrictions on accessing that type of content exist. This is
not malicious traffic but may include determining what sources not malicious traffic but may include determining what sources
or destinations accessed certain materials available on the or destinations accessed certain materials available on the
Internet, including, but not limited to, news, technology, or Internet, including, but not limited to, news, technology, or
inappropriate content. inappropriate content.
4. DataWithHandingRequirements. This option is used when data 4. DataWithHandlingRequirements. This option is used when data
shared may have additional restrictions for handling and shared may have additional restrictions for handling,
protection based on the type of data and where it resides. protection, and processing based on the type of data and where
The IODEF document included, as well as any extensions, with it resides. Regulatory or legal restrictions may be imposed
the RID message should indicate the specific restrictions to on specific types of data that could vary based on the
be considered. The national boundary may be defined by location, region or nation, of the data or where it
existing regulations or other legal agreements specific to a originated. The IODEF document included, as well as any
defined region. The use of this enumeration flag is not extensions, with the RID message should indicate the specific
legally binding (out-of-scope for a technical protocol). restrictions to be considered. The use of this enumeration
flag is not legally binding.
5. AudienceRestriction. This option is used to indicate the 5. AudienceRestriction. This option is used to indicate the
message contains data that should be viewed by a restricted message contains data that should be viewed by a restricted
audience. Please note that this setting should not be used audience. This setting should not be used for normal
for normal incidents or reporting as it could slow response incidents or reporting as it could slow response times. The
times. The content may be a business relevant notification or content may be a business relevant notification or request.
request. This option MAY be used by a business partner to This option MAY be used by a business partner to report or
report or request assistance if an incident has effected a request assistance if an incident has effected a supply chain.
supply chain. This option may also be used if the content is This option may also be used if the content is relevant to a
relevant to a regulatory obligations, legal (eDiscovery), or regulatory obligations, legal (eDiscovery), or other use cases
other use cases that require management attention. that require management attention.
6. Other. If this option is selected, a description of the 6. Other. If this option is selected, a description of the
traffic type MUST be provided so that policy decisions can be traffic type MUST be provided so that policy decisions can be
made to continue or stop the investigation. The information made to continue or stop the investigation. The information
should be provided in the IODEF message in the Expectation should be provided in the IODEF message in the Expectation
class or in the History class using a HistoryItem log. This class or in the History class using a HistoryItem log. This
may also be used for incident types other than information may also be used for incident types other than information
security related incidents. security related incidents.
7. ext-value. An escape value used to extend this attribute. 7. ext-value. An escape value used to extend this attribute.
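Review bot: The sentence added to item 4, "Regulatory or legal restrictions may be imposed on specific types of data that could vary based on the location, region or nation, of the data or where it originated.", has a misplaced comma; suggest "based on the location (region or nation) of the data or of where it originated." While this list is being edited, two pre-existing errors in item 5 are worth fixing: "if an incident has effected a supply chain" should read "affected", and "relevant to a regulatory obligations" should drop the "a". Item 4 also says the included IODEF document "should indicate the specific restrictions"; if that is meant as a normative requirement on the sender, use the RFC 2119 SHOULD.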
skipping to change at page 29, line 27 skipping to change at page 29, line 27
5.5. Encoding 5.5. Encoding
RID documents MUST begin with an XML declaration, MUST specify the RID documents MUST begin with an XML declaration, MUST specify the
XML version used, and the use of UTF-8 encoding is REQUIRED [RFC3470] XML version used, and the use of UTF-8 encoding is REQUIRED [RFC3470]
Section 4.4. RID conforms to all XML data encoding conventions and Section 4.4. RID conforms to all XML data encoding conventions and
constraints. constraints.
The XML declaration with no character encoding will read as follows: The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?> <?xml version="1.0" encoding="UTF-8"?>
When a character encoding is specified, the XML declaration will read
as follows:
<?xml version="1.0" encoding="charset" ?>
Where "charset" is the name of the character encoding as registered
with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
The following characters have special meaning in XML and MUST be The following characters have special meaning in XML and MUST be
escaped with their entity reference equivalent: "&", "<", ">", "\"" escaped with their entity reference equivalent: "&", "<", ">", "\""
(double quotation mark), and "'" (apostrophe). These entity (double quotation mark), and "'" (apostrophe). These entity
references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
respectively. respectively.
5.6. Including IODEF or other XML Documents 5.6. Including IODEF or other XML Documents
In order to support the changing activity of CSIRTS, the RID schema In order to support the changing activity of CSIRTS, the RID schema
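Review bot: The lead-in "The XML declaration with no character encoding will read as follows:" now contradicts the example that follows it, <?xml version="1.0" encoding="UTF-8"?>, which does carry an encoding. Since the paragraph above makes UTF-8 REQUIRED and the "charset" variant with its [RFC2978] pointer was deleted, the sentence should simply read "The XML declaration will read as follows:". A comma after the citation ("is REQUIRED [RFC3470], Section 4.4.") would also keep the section pointer from reading as the start of the next sentence, and [RFC2978] should be removed from the references if nothing else cites it.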
skipping to change at page 61, line 33 skipping to change at page 61, line 33
</xs:element> </xs:element>
<xs:element name="TrafficType"> <xs:element name="TrafficType">
<xs:complexType> <xs:complexType>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:whiteSpace value="collapse"/> <xs:whiteSpace value="collapse"/>
<xs:enumeration value="Attack"/> <xs:enumeration value="Attack"/>
<xs:enumeration value="Network"/> <xs:enumeration value="Network"/>
<xs:enumeration value="Content"/> <xs:enumeration value="Content"/>
<xs:enumeration value="DataWithHandingRequirements"/> <xs:enumeration value="DataWithHandlingRequirements"/>
<xs:enumeration value="AudienceRestriction"/> <xs:enumeration value="AudienceRestriction"/>
<xs:enumeration value="Other"/> <xs:enumeration value="Other"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
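Review bot: Renaming the enumeration value from "DataWithHandingRequirements" to "DataWithHandlingRequirements" in the TrafficType "type" restriction is the right fix, but it is incompatible with documents produced under -07. The change list says the schema version was incremented; confirm that the schema's version or namespace actually changes in this revision so validators can distinguish the two vocabularies, and that every prose occurrence of the old spelling (the TrafficTypes description at page 20 and the change log) is updated alongside this schema line.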
skipping to change at page 71, line 46 skipping to change at page 71, line 46
o Privacy of data monitored and stored on systems used to trace o Privacy of data monitored and stored on systems used to trace
traffic across a single network. traffic across a single network.
o Privacy of incident information stored on incident management o Privacy of incident information stored on incident management
systems participating in RID communications. systems participating in RID communications.
Customer Attached Networks Participating in RID with SP: Customer Attached Networks Participating in RID with SP:
o Customer networks may include an enterprise, educational, o Customer networks may include an enterprise, educational,
government, or other attached networks to an SP participating in government, or other attached networks to an SP participating in
RID. Customers should review data handing policies to understand RID. Customers should review data handling policies to understand
how data will be protected by a service provider. This how data will be protected by a service provider. This
information will enable customers to decide what types of data at information will enable customers to decide what types of data at
what sensitivity level can be shared with service providers. This what sensitivity level can be shared with service providers. This
information could be used at the application layer to establish information could be used at the application layer to establish
sharing profiles for entities and groups, see Section 9.6. sharing profiles for entities and groups, see Section 9.6.
o Customers should request information on the security and privacy o Customers should request information on the security and privacy
considerations in place by their SP and the consortium of which considerations in place by their SP and the consortium of which
the SP is a member. Customers should understand if their data the SP is a member. Customers should understand if their data
were to be forwarded, how might it be sanitized and how will it be were to be forwarded, how might it be sanitized and how will it be
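Review bot: Beyond the "data handing" to "data handling" correction, the last sentence of this bullet is awkward: "Customers should understand if their data were to be forwarded, how might it be sanitized and how will it be ...". Suggest "Customers should understand, if their data were to be forwarded, how it might be sanitized and how it will be ...". The first bullet also reads better as "enterprise, educational, government, or other networks attached to an SP participating in RID" rather than "other attached networks to an SP".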
skipping to change at page 81, line 49 skipping to change at page 81, line 49
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010. RFC 5890, August 2010.
[RFC5891] Klensin, J., "Internationalized Domain Names in [RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, August 2010. Applications (IDNA): Protocol", RFC 5891, August 2010.
[RFC6046-bis] [RFC6046-bis]
Trammell, B., "Transport of Real-time Inter-network Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages", January 2012, <http:// Defense (RID) Messages", January 2012, <http://
tools.ietf.org/html/draft-ietf-mile-rfc6046-bis-07>. tools.ietf.org/html/draft-ietf-mile-rfc6046-bis-05>.
[XML1.0] Bray, T., Maler, E., Paoli, J., Sperberg-McQueen, C., and [XML1.0] Bray, T., Maler, E., Paoli, J., Sperberg-McQueen, C., and
F. Yergeau, "Extensible Markup Language (XML) 1.0", W3C F. Yergeau, "Extensible Markup Language (XML) 1.0", W3C
Recommendation XML 1.0, November 2008, Recommendation XML 1.0, November 2008,
<http://www.w3.org/TR/xml/>. <http://www.w3.org/TR/xml/>.
[XMLCanon] [XMLCanon]
Boyer, J., "Canonical XML 1.0", W3C Recommendation 1.0, Boyer, J., "Canonical XML 1.0", W3C Recommendation 1.0,
December 2001, <http://www.w3.org/TR/xml-c14n>. December 2001, <http://www.w3.org/TR/xml-c14n>.
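Review bot: The [RFC6046-bis] reference URL moves backwards, from draft-ietf-mile-rfc6046-bis-07 in the -07 column to draft-ietf-mile-rfc6046-bis-05 here, while the date stays January 2012; this looks like a regression rather than an intended change. Point the reference at the current revision of the companion transport draft (or cite it without a version number, as is usual for works in progress) so RID is not pinned to an older transport specification.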
 End of changes. 12 change blocks. 
35 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/