Incident Handling (INCH) BoF Minutes IETF54 - Thursday 13.00-15.00 July 18, 2002, Yokohama Chair: Roman Danyliw Agenda: O Status Report of INCH (Roman Danyliw) O Data Model draft review and discussion (Jan Meijer) O Requirements draft introduction (Glenn Keeni) O JPCERT sharing initiatives (Hiroyuki Ohno) =========================================================================== Status Report of INCH The meeting in Yokohama is the third INCH BOF that has been held. The charter awaits approval by the IESG (it is promised imminently by the AD). There have been two individual drafts submitted (since no working group officially exists) since IETF 53: o data model: draft-meijer-inch-iodef-00 o requirements: draft-glenn-inch-req-00 (Note: this I-D was submitted after the deadline for IETF54, therefore it has not yet made it to the archive. Temporarily, it can be accessed at http://www.cysol.co.jp/contrib/draft-glenn-inch-req-00.txt) The status of all deliverables of the group stands as follows: o Requirements draft: The submission of the initial draft has slipped from the 04/2002 deadline originally proposed in the Charter. However, it appears to be on track for a WG last-call in 12/2022. o Data Model: There is healthy development of the draft whose WG last-call still appears to be on track from 12/2002 o Implementation guide: The charter proposed an initial draft by 07/2002, but this was overly ambitious. A delivery of this document may still be possible by 01/2003, but an editor and volunteers to work on this need to be found. In news related to implementation, an open-source LGPL-ed library to manipulate IODEF and IDMEF messages was released: libih (http://aircert.sourceforge.net/libih). This library provides primitives to create IODEF (and IDMEF) documents, as well as, the ability to parse, validate and extract data elements from these types of documents. =========================================================================== Open Issues with the Data Model Jan Meijer Jan presented a review of the changes and open issues related to the data model draft (draft-meijer-inch-iodef-00). There was little resolution on the issues, and the discussion was deferred to the mailing list. Discussion: 1. Sanitization Some initial discussion on how to support sanitization was begun. Gleen Keeni noted that techniques exist for sanitizing network data, but little exists for incident data. Furthermore, it was noted that as IODEF documents are shared with others, this process must be tied to an ACL database which would store what type of data can get sent to other organizations. The current proposal for supporting sanitization involves adding an attribute to all elements to indicate whether they have been sanitized on or not. 2. History class change proposal Roman Danyliw questioned the necessity of the inheritance relationship between the History and HistoryDataItem in the proposed change to the history class. Jan Meijer, author of the proposed changed, agreed. 3. Draft formatting and style Glenn Keeni was concerned about the length and readability of the current version of the draft. The following suggestions were made to that end: o Move (or eliminate) much of the UML related material in the beginning of the draft to an appendix. o Identify which IDMEF classes have been reused in IODEF, and substitute the current description of these classes to be merely references to the IDMEF data model draft. Roman Danyliw pointed out that references to the IDMEF description of re-used classes is not adequate in some cases because the semantic meaning has changed. Keeni will review these classes and identify the classes for which it is appropriate to refer to the IDMEF data model. =========================================================================== Requirements Glenn Keeni Glenn presented the summary of the new requirements document, and highlighted areas that might need additional work. A working copy of this draft can be found at: http://www.cysol.co.jp/contrib/draft-glenn-inch-req-00.txt =========================================================================== JP-CERT/CC initiatives Hiroyuki Ohno Hiroyuki spoke about incident data sharing initiatives through JPCERT/CC in the Asia region. Discussion Jan Meijer and Claudio Allocchio spoke about European CSIRT initiative to share incident data. Further information can be found at o http://www.terena.nl/task-forces/tf-csirt/tf-csirt6th020524minutes-draft00.html#5.1 o http://www.eCSIRT.net