Coordinating Attack Response at Internet Scale 2 (CARIS2) Workshop Report
draft-moriarty-caris2-03

Document Type: Active Internet-Draft (individual)
Last updated: 2020-05-19
Stream: ISE
Intended RFC status: Informational
Stream ISE state: Response to Review Needed
Consensus Boilerplate: Unknown
Document shepherd: Adrian Farrel
IESG state: I-D Exists
Telechat date:
Responsible AD: (None)
Send notices to: Adrian Farrel <rfc-ise@rfc-editor.org>
Internet Engineering Task Force                              K. Moriarty
Internet-Draft                                         Dell Technologies
Intended status: Informational                               19 May 2020
Expires: 20 November 2020

   Coordinating Attack Response at Internet Scale 2 (CARIS2) Workshop
                                 Report
                        draft-moriarty-caris2-03

Abstract

   The Coordinating Attack Response at Internet Scale (CARIS) 2
   workshop, sponsored by the Internet Society, took place 28 February
   and 1 March 2019 in Cambridge, Massachusetts, USA.  Participants
   spanned regional, national, international, and enterprise CSIRTs,
   operators, service providers, network and security operators,
   transport operators and researchers, incident response researchers,
   vendors, and participants from standards communities.  This workshop
   continued the work started at the first CARIS workshop, with a focus
   for CARIS 2 on scaling incident prevention and detection as the
   Internet industry moves to a stronger and more ubiquitous deployment
   of session encryption.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 November 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Accepted Papers
   3.  CARIS2 Goals
   4.  Workshop Collaboration
     4.1.  Breakout 1 Results: Standardization and Adoption
       4.1.1.  Wide adoption:
       4.1.2.  Limited Adoption
     4.2.  Breakout 2 Results: Preventative Protocols and Scaling
           Defense
     4.3.  Breakout 3 Results: Incident Response Coordination
     4.4.  Breakout 4 Results: Monitoring and Measurement
       4.4.1.  IP Address Reputation
       4.4.2.  Server Name Authentication Reputation C (SNARC)
       4.4.3.  Logging
       4.4.4.  Fingerprinting
     4.5.  Taxonomy and Gaps Session
   5.  Next Steps
   6.  Summary
   7.  Security Considerations
   8.  IANA Considerations
   9.  Acknowledgements
   10. References
     10.1.  Informative References
     10.2.  URL References
   Author's Address

1.  Introduction

   The Coordinating Attack Response at Internet Scale (CARIS) 2 workshop
   [CARISEvent], sponsored by the Internet Society, took place
   28 February and 1 March 2019 in Cambridge, Massachusetts, USA.
   Participants spanned regional, national, international, and
   enterprise Computer Security Incident Response Teams (CSIRTs),
   operators, service providers, network and security operators,
   transport operators and researchers, incident response researchers,
   vendors, and participants from standards communities.  This workshop
   continued the work started at the first CARIS workshop [RFC8073],
   with a focus for CARIS 2 on scaling incident prevention and detection