Coordinating Attack Response at Internet Scale 2 (CARIS2) Workshop Report
draft-moriarty-caris2-04
Document history
Date | Rev. | By | Action |
---|---|---|---|
2020-12-14 | 04 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2020-11-13 | 04 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2020-10-20 | 04 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2020-10-13 | 04 | (System) | RFC Editor state changed to EDIT |
2020-10-13 | 04 | (System) | IANA Action state changed to No IANA Actions from In Progress |
2020-10-13 | 04 | (System) | IANA Action state changed to In Progress |
2020-10-13 | 04 | Adrian Farrel | ISE state changed to Sent to the RFC Editor from In IESG Review |
2020-10-13 | 04 | Adrian Farrel | Sent request for publication to the RFC Editor |
2020-10-09 | 04 | (System) | Revised ID Needed tag cleared |
2020-10-09 | 04 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed |
2020-10-09 | 04 | Kathleen Moriarty | New version available: draft-moriarty-caris2-04.txt |
2020-10-09 | 04 | (System) | New version accepted (logged-in submitter: Kathleen Moriarty) |
2020-10-09 | 04 | Kathleen Moriarty | Uploaded new revision |
2020-08-18 | 03 | Adrian Farrel | Need to address the comments and issues raised by the IESG and found at https://datatracker.ietf.org/doc/conflict-review-moriarty-caris2/ballot/ |
2020-08-18 | 03 | Adrian Farrel | Tags Revised I-D Needed, IESG Review Completed set. |
2020-07-03 | 03 | (System) | IANA Review state changed to IANA OK - No Actions Needed |
2020-07-03 | 03 | Amanda Baber | (Via drafts-eval@iana.org): IESG/Authors/ISE: The IANA Functions Operator has reviewed draft-moriarty-caris2-03 and has the following comments: We understand that this document doesn't require any registry actions. While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object. If this assessment is not accurate, please respond as soon as possible. Thank you, Amanda Baber, Lead IANA Services Specialist |
2020-07-03 | 03 | Adrian Farrel | ISE state changed to In IESG Review from In ISE Review |
2020-07-03 | 03 | Adrian Farrel | IETF conflict review initiated - see conflict-review-moriarty-caris2 |
2020-07-03 | 03 | Adrian Farrel | draft-moriarty-caris2-03 has been presented to the ISE for publication as an Informational RFC in the Independent Stream.

The document is a report on the second workshop for Coordinating Attack Response at Internet Scale (CARIS2) held in February/March 2019. CARIS (now CARIS1) was held in 2015 and is documented in RFC 8073 on the IAB Stream. CARIS1 was held under the auspices of the IAB and so it was appropriate to document it in the IAB Stream; however, CARIS2 was convened by ISOC and so the Independent Stream is the most appropriate venue for publication. This was double-checked with Ted Hardie when he was serving as IAB chair.

Reviews of this document have focused on clarity and information the authors believed should also be included. They did not focus on the technical accuracy of the document or the opinions expressed at the workshop. Reviews were obtained from Nancy Cam-Winget and from the ISE. The reviews are included below for information.

There is no IPR disclosed and there are no IANA actions requested.

Nits remaining to be resolved at the time of writing this write-up will be resolved with the author before publication:
- Be consistent with the use of "CARIS2" versus "(CARIS) 2" and "CARIS 2"
- Abstract needs a second paragraph saying what this document is

=== Nancy Cam-Winget ===

Hi Adrian and Kathleen,

I've done a review of the CARIS2 workshop report and I think the content in general is good, but there were some inconsistencies mainly in wording and formatting that I think can benefit from scrubbing. I also had a couple of technical nits I disagreed with and included my rationale. So here you go:

General:
- Consistency cleanup, as the terms "collaboration", "teams", "breakout" and plain "group" were used, which I found a bit confusing. I think on some breakouts, further groupings were made but as it is written it is not always that clear, as some of the sections just give general results while others start with what I think is general but then the next paragraph (or succeeding ones) refer to '2nd' or 3rd or 4th group....
- Formatting inconsistencies: I think sometimes the "*" is meant to be quotes but others not? I've also noted some other inconsistencies and suggestions below.

Nits:

Abstract:
- Suggest change in last sentence: "moves to stronger and a more ubiquitous...." to "moves to a stronger and a more ubiquitous...."

Introduction:
- There's an extraneous "?" in the 2nd line
- Typo: "related initiative to from" - the 'from' should be 'form'

Conventions is an empty section?

Section 3: This list has inconsistent formatting and name labeling (or maybe just Kirsty P. should be Kirsty Paine)

Section 4:
- I might challenge the first sentence, as I think the challenge is to both improve attack response by (1) making it more scalable (2) improve on automation to address both scalability and reduction of response time (3) address the increased demand for these job skills (which is also viewed as a lack of qualified professionals). It would be good to qualify where the 2M person deficit came from as this is a time relevant figure (the number I see comes from Forbes published in Mar. 16, 2017).... However https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/#343a675ba6b3 projects that number to be at 3.5M by 2021
- "The chair's belief....": who is the chair?
- The format seems a bit off with "*" and "* -"

Section 5:
- The Workshop focused on trying to help identify potential areas for collaboration and advance research. I would add this to the Section 5 preamble (perhaps as the last sentence?) "To do this, the workshop included 5 different breakout sessions focused on:"
  1. Standardization and adoption: identify widely adopted and pervasive standard protocols and data formats as well as those that failed
  2. Preventative Protocols and Scaling Defense: identify protocols to address automation at scale
  3. Incident Response Coordination: brainstorm on what potential areas of research or future workshops could be held to improve on the scalability of incident response
  4. Monitoring and Measurement: brainstorm on methods to perform monitoring and measurement with the heightened need and requirement to address privacy
  5. Taxonomy and Gaps: brainstorm on a way forward for the proposed SMART group

Section 5.1:
- The first paragraph has two sentences that could be merged as they are effectively stating the same thing: the first states "The collaborative session worked towards....." followed by "The breakout teams...". My suggestion would be to just have one sentence to read "The breakout sessions resulted in teams selecting protocols that were successful as well as those that failed or achieved limited adoption. While the evaluation results were interesting, it can help advance further work in these areas. The following are the results:"
- I may challenge the SNMP description as YANG imho is a data model not a protocol. The discussion was around the downfalls (lack of security) in the earlier versions of SNMP and thus lack of adoption. With new transport mechanisms and advances in communications (wired vs wireless) NETCONF and RESTCONF came about to facilitate the configuration and using a common data model (e.g. YANG).
- I think the formatting of the "Wide adoption" to the "Next each team evaluated...not wide adoption" needs to be made more consistent. I would suggest breaking these into subsections of 5.1 and 5.1.1 "Wide adoption" 5.2.1 "Not as widely adopted"
- Should all of these protocols have references to them? (I think so)
- What is NREN (e.g. it should be called out as first reference)
- For IPv6 I'm not sure what "The end user being everyone is too ambiguous"?

Section 5.2:
- The 2nd paragraph is very awkward to read. I would also challenge that MUD doesn't shift majority of control management to the vendor.... I think of it more as a very coarse set of controls as MUD, especially as a device may go thru a set of MUD vendors. While I may not fully agree with the privacy leak, I'm OK with the writeup detailing it as such as more review and research is good.
- Last paragraph typo: 'fourth' (not 'forth')

Section 5.3: I think the bulleted list is good and were the items that came out of the breakout, but for someone reading it, I think some brief elaboration may be needed. For example: "Trust in incident response teams" refers to actual personal trust (not trustworthy credentials)

Section 5.4:
- Since this section references Dave's talk but not a formal document, it may be good to put that in as a reference somewhere?
- "IP Reputation" "....understand address assignment" should qualify with "....IP address..."
- "IP Reputation": intent is good, but I think there are grammatical issues that can make it more readable? .... Also who is the "we" in the "we propose"?

Section 6:
- Call out (or number them) as 2 steps are called out?

Section 7: Would the first sentence benefit from it being split into 2?

=== ISE ===

>> - Formatting inconsistencies: I think sometimes the "*" is meant to be quotes but others not? I've also noted some other inconsistencies and suggestions below.
>
> The * is what happened when I tried to use bold for v3 formatting. I have an open ticket with the tools team. I thought the format could be improved with the v3 options and hope to use them.

If this problem persists, I suggest reverting to XML2RFC v2 for the moment.

>> Conventions is an empty section?
>
> Adrian, this is part of the v3 template. It's informational and I'm not using keywords. Would you prefer me to delete or to include some boilerplate statement that there are none?

Please delete the section. I think the template is just showing you where you would include the section if you needed it.

> Section 4: [snip]
> How about the following:
> OLD:
> The goal of each CARIS workshop has been to focus on the challenge of scaling attack response because of the overall concern in industry on the lack of information security professionals to fill the job gap.
> NEW:
> The goal of each CARIS workshop has been to focus on the challenge of improving the overall security posture by identifying intrinsic protection capabilities for improved defense, automation, and scaling attack response through collaboration and improved architectural patterns as it is unlikely training will improve the lack of information security professionals to fill the job gap.

It's much better detail, although that is a rather long and convoluted sentence. Maybe...

The goal of each CARIS workshop has been to focus on the challenge of improving the overall security posture. The approach has been to identify intrinsic protection capabilities for improved defense, automation, and scaling attack response through collaboration and improved architectural patterns. It has been assumed that it is unlikely that additional training will address the lack of information security professionals to fill the job gap.

>> - The chair's belief: who is the chair?
>
> I didn't want to name myself, but maybe should? I also don't want to project my opinion as being shared by everyone, but the program committee was on board, hence saying the chair.

Did you express this opinion during the meeting? If so...

During the meeting, the chair expressed the opinion that this gap cannot be filled through training, but the gap requires measures to reduce the number of information security professionals needed through new architectures and research towards attack prevention.

Or is this your conclusion based on the meeting (i.e., an opinion provided as commentary)? If so then it might be a bit of a stretch for you to include it in the report of the meeting, but you could say...

A possible interpretation (shared by the chair of the meeting) is that this gap cannot be filled through training, but the gap requires measures to reduce the number of information security professionals needed through new architectures and research towards attack prevention.

Or, lastly, if this is a planning consideration for the workshop, then...

In preparing for the workshop, the chair and programme committee considered that this gap cannot be filled through training, but the gap requires measures to reduce the number of information security professionals needed through new architectures and research towards attack prevention.

---

>> - I may challenge the SNMP description as YANG imho is a data model not a protocol. The discussion was around the downfalls (lack of security) in the earlier versions of SNMP and thus lack of adoption. With new transport mechanisms and advances in communications (wired vs wireless) NETCONF and RESTCONF came about to facilitate the configuration and using a common data model (e.g. YANG).
>
> Yes, of course. That was a slip, thanks for catching it.

As you update (depending on what your update is)... YANG is a "data modelling language"

>> - Should all of these protocols have references to them? (I think so)
>
> Adrian - are any of them considered well known enough? If needed, I'll add all the references.

"well known enough" is, I think, very rare. A good guide would be that if the abbreviation is accepted as well-known (present in http://www.rfc-editor.org/materials/abbrev.expansion.txt) then you don't need to provide a reference; otherwise you should. But, as a hint, if you hope that your reader might look further than your document and try to understand the workings or relevance of the protocols you mention, then references are always good.

>> Section 5.4: since this section references Dave's talk but not a formal document, it may be good to put that in as a reference somewhere?
>
> Hmm, odd, the reference is in my v3 xml file.

I am starting to think you are very brave to be trying to use v3 :-) Anyway, can you please use idnits on the text file.

---
Abstract
Please don't use citations in the Abstract.

---
Introduction
OTOH, you can cite [CARISEvent] in the Introduction.

---
Section 3
Could you add a note that these papers can be found at [CARISEvent] (if that is true!). Presumably also the presentations?

---
Section 5
Both CARIS workshops have brought together a unique set of individuals who have not previously had the chance to be in the same room or collaborate toward the goals of scaling attack response.
Pedant alert! They have had lots of opportunities to be in the same room and to collaborate, they just chose not to take their vacations in DisneyWorld at the same time. Maybe...
Both CARIS workshops brought together a set of individuals who had not previously collaborated toward the goals of scaling attack response.

---
5.1
Oh, dear. SNMP was no way first to market. Good grief! Who said that? Anyway, the report is what happened in the meeting, so nothing to change here unless you plan to provide commentary.

---
I'm seeing a good number of unexpanded abbreviations. Can you hunt them down and expand them on first use.

---
5.1 has an interesting statement on IPv6 deployment. Again, if that is what the meeting decided, then that's what you should say.

---
5.3
* FEAR provides an initially a burst of wind, but eventually leads to complacency
que?
- Is "FEAR" an abbreviation?
- "a burst of wind"? Maybe "activity"
- "provides an initially"? Maybe "initially provides"

---
5.5
* RFC4949 was briefly discussed as a possibility, however there is a
Why is 4949 not considered as a citation?

---
6.
The next steps from the CARIS workshop are twofold. The research
Is that CARIS 2?

---
6.
This is likely to be coupled with the FIRST Conference in 2020 geared
Got a reference for FIRST?

---
10.
The Contributors section is, I think, reserved for document contributors (as removed from front page authors). I think what you have here is a classic Acknowledgements section.

---
11.1
[PlonkaBergerCARIS2] CARIS2, "CARIS2 Paper Submission,", May 2019.
This is not wholly useful as a reference!

---
The headings of 11.1 and 11.2 seem to be snafu

---
You can remove the two Appendixes yourself. |
2020-07-03 | 03 | Adrian Farrel | ISE state changed to In ISE Review from Response to Review Needed |
2020-05-19 | 03 | Kathleen Moriarty | New version available: draft-moriarty-caris2-03.txt |
2020-05-19 | 03 | (System) | New version approved |
2020-05-19 | 03 | (System) | Request for posting confirmation emailed to previous authors: rfc-ise@rfc-editor.org, Kathleen Moriarty |
2020-05-19 | 03 | Kathleen Moriarty | Uploaded new revision |
2019-12-02 | 02 | (System) | Revised ID Needed tag cleared |
2019-12-02 | 02 | Kathleen Moriarty | New version available: draft-moriarty-caris2-02.txt |
2019-12-02 | 02 | (System) | New version approved |
2019-12-02 | 02 | (System) | Request for posting confirmation emailed to previous authors: Kathleen Moriarty, rfc-ise@rfc-editor.org |
2019-12-02 | 02 | Kathleen Moriarty | Uploaded new revision |
2019-12-02 | 01 | (System) | Document has expired |
2019-11-13 | 01 | Adrian Farrel | Tag Revised I-D Needed set. Tag Awaiting Reviews cleared. |
2019-11-13 | 01 | Adrian Farrel | ISE state changed to Response to Review Needed from Finding Reviewers |
2019-10-27 | 01 | Adrian Farrel | Tag Awaiting Reviews set. |
2019-10-26 | 01 | Adrian Farrel | ISE state changed to Finding Reviewers from Submission Received |
2019-10-26 | 01 | Adrian Farrel | ISE state changed to Submission Received |
2019-10-26 | 01 | Adrian Farrel | Notification list changed to Adrian Farrel <rfc-ise@rfc-editor.org> |
2019-10-26 | 01 | Adrian Farrel | Document shepherd changed to Adrian Farrel |
2019-10-26 | 01 | Adrian Farrel | Intended Status changed to Informational from None |
2019-10-26 | 01 | Adrian Farrel | Stream changed to ISE from None |
2019-05-31 | 01 | Kathleen Moriarty | New version available: draft-moriarty-caris2-01.txt |
2019-05-31 | 01 | (System) | New version approved |
2019-05-31 | 01 | (System) | Request for posting confirmation emailed to previous authors: Kathleen Moriarty |
2019-05-31 | 01 | Kathleen Moriarty | Uploaded new revision |
2019-05-14 | 00 | Kathleen Moriarty | New version available: draft-moriarty-caris2-00.txt |
2019-05-14 | 00 | (System) | New version approved |
2019-05-14 | 00 | Kathleen Moriarty | Request for posting confirmation emailed to submitter and authors: Kathleen M Moriarty, Kathleen Moriarty |
2019-05-14 | 00 | Kathleen Moriarty | Uploaded new revision |