Minutes for MILE at IETF-92
minutes-92-mile-1

Meeting Minutes Managed Incident Lightweight Exchange (mile) WG
Date and time 2015-03-25 14:00
Title Minutes for MILE at IETF-92
State Active
Last updated 2015-03-25

Wednesday Morning Session
0900-1130 - Continental

Take & Alexey chairing with Dave
Note taker: Sean Turner
Jabber scribe: Chris Inacio

Agenda Bash

--------------------------------
Updates
--------------------------------

http://www.ietf.org/proceedings/92/slides/slides-92-mile-0.pdf

5070-bis - WGLC before the next meeting. Maybe hold a (virtual) interim to
address any LC comments. Enum reference draft is about to be published.
Implementation report draft is the next target of opportunity. Will need Apps
review. Darknet draft - not many updates. Guidance draft - time to get famous:
if you want to author, talk to the chairs.

--------------------------------
Guidance Draft
--------------------------------

http://www.ietf.org/proceedings/92/slides/slides-92-mile-1.pdf

Time to pay attention to this draft now that we're about done with 5070-bis.
Basic idea is to profile the use of IODEF down to those fields that are actually
used. Draft is still in early stages, so bring on the comments!!

Kathleen: The author is looking for more than just comments; they're looking for
contributions.

--------------------------------
5070-bis
--------------------------------

http://www.ietf.org/proceedings/92/slides/slides-92-mile-3.pdf

This draft is about exchanging information between CSIRTs (computer security
incident reports & cyber security indicators). One draft revision since Hawaii.
Use the tracker to drive the draft to closure. If you think we missed something,
speak up: tell the list, the author, or the chairs. There are differences between
v1 and v2, but the draft explicitly calls these out. Language tags are something
we need to figure out. Why not just use xml:lang? Decided to just switch to the
standard mechanism. Translations: the text had supported multiple transcriptions
with magic expected to figure out which one was the translation; an explicit
identifier was added to indicate which is the translation, and all translations
of the same text share the same translation identifier. Also needed: MLString
was abused, and in certain classes it didn't make sense, so those got switched
back to xs:string. All places where MLStringType is used also needed to support
multiple values.
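As an added illustration of the translation mechanism just described (this is not code from the WG or from any of the implementations in the report), the parser below reads a constructed IODEF v2-style document in which several Description elements carry an xml:lang tag and a shared translation identifier, groups them by that identifier, and picks one language per group with a fallback. The namespace URI and the attribute name translation-id are taken from the published IODEF v2 (RFC 7970) and are assumptions here; the -11 draft discussed in the room may have used different names.

```python
"""Group multilingual IODEF v2 Description strings by translation identifier.

Added example, not WG or project code. Assumptions: the iodef-2.0 namespace
URI and the "translation-id" attribute name follow RFC 7970; the sample
document below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"          # assumed (RFC 7970)
XML_NS = "http://www.w3.org/XML/1998/namespace"          # fixed by the XML spec
NS = {"iodef": IODEF_NS}

# Constructed sample: an English Description, its Japanese translation (same
# translation-id), and a second, unrelated English-only Description.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<iodef:IODEF-Document version="2.00" xml:lang="en"
    xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0">
  <iodef:Incident purpose="reporting">
    <iodef:IncidentID name="csirt.example.com">189493</iodef:IncidentID>
    <iodef:GenerationTime>2015-03-25T09:00:00Z</iodef:GenerationTime>
    <iodef:Description xml:lang="en" translation-id="1">Phishing campaign against finance staff</iodef:Description>
    <iodef:Description xml:lang="ja" translation-id="1">経理担当者を狙ったフィッシング</iodef:Description>
    <iodef:Description xml:lang="en" translation-id="2">Second sighting reported by partner CSIRT</iodef:Description>
  </iodef:Incident>
</iodef:IODEF-Document>
"""


def parse_descriptions(doc):
    """Return {translation-id: {lang: text}} for the Incident's Descriptions.

    A Description without translation-id gets a group of its own, so an
    untranslated string is never merged with an unrelated one. Two strings
    claiming the same language inside one group are rejected rather than
    silently overwritten.
    """
    # Documents received from other CSIRTs are untrusted input: use defusedxml
    # or an entity-limited parser there; stdlib ET is used here to stay
    # self-contained.
    root = ET.fromstring(doc)
    # xml:lang inherits from ancestors; "und" (undetermined) if nothing is set.
    default_lang = root.get(f"{{{XML_NS}}}lang", "und")
    groups = defaultdict(dict)
    untagged = 0
    for desc in root.iterfind("iodef:Incident/iodef:Description", NS):
        lang = desc.get(f"{{{XML_NS}}}lang", default_lang)
        tid = desc.get("translation-id")
        if tid is None:
            untagged += 1
            tid = f"_untranslated{untagged}"
        if lang in groups[tid]:
            raise ValueError(f"duplicate language {lang!r} for translation-id {tid!r}")
        groups[tid][lang] = (desc.text or "").strip()
    return dict(groups)


def pick_language(group, preferred):
    """Choose (lang, text) for one translation group from a preference list.

    Falls back to the first language present so the string is never dropped
    just because no preferred translation exists.
    """
    for lang in preferred:
        if lang in group:
            return lang, group[lang]
    lang = next(iter(group))
    return lang, group[lang]


def descriptions_for(doc, preferred=("en",)):
    """One (lang, text) pair per distinct Description, in document order."""
    return [pick_language(g, preferred) for g in parse_descriptions(doc).values()]


if __name__ == "__main__":
    for lang, text in descriptions_for(SAMPLE, preferred=("ja", "en")):
        print(f"[{lang}] {text}")
```

Running it with a Japanese-first preference yields the Japanese text for the first group and falls back to English for the second, which has no translation; a receiver that simply concatenated all Description elements would instead show the same sentence twice.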

Extending attributes was a big topic of discussion in Hawaii.
Just gonna use IANA registries?
Decided we want both public and private extensions; the -11 language now
supports this.

Alexey: What happens if somebody does a private extension and then decides to
make it more popular? Do you need to update the schema? Kathleen: Private means
it's just not published. Daisuke: This will help when we transition from v1 to
v2. Kathleen: Use the same language, but if you see a problem, speak up. Adam: Is
there a way they'd go about sharing it? Roman: How do we deal with collisions?
Bob: Please don't use standard vs non-standard! Could use IANA vs vendor-id;
that's just fine. Kathleen: Did some examples with format id and she's willing
to share. Eric: Bob's right.

Need some text to address this; maybe we could use the format attribute?
New attribute for workflow support, i.e., status.
Why can't we use the media type registry? Not sure, so just added that.
Outstanding issues:
  Examples need work, but that makes sense, because doing the examples before
  we're done would have been a total waste of time.
  RelatedDNS: missing stuff.
  iodef:SoftwareType: some activity on the list about this topic (SWID vs CPE).
  Time to pick: OVAL, SWID, do nothing, or support multiple.

Sean explained his thinking from the list.
Kathleen & Dave + John Field: + 1 to what Sean said at the mic
Adam: It'll be useful for SACM as well
Dave: Are we talking about a new registry or a new registry?
Roman: Looking at a different registry.
Adam: Thinking it could go the other way.
Taking it to the list.
Take: What's the rationale for a new registry?
Roman: Each one of the enum classes uses a new registry, so we'd need to
define a new registry. Dave: Regardless of what we do, we're going to need a
draft to instruct IANA on what to do. Take: If it's expert review, do we need a
draft? Alexey: No need for a draft if there's nothing to do.

Looking for input on the final presentation of things like the schema.
Kathleen: Can we get some volunteers to comb the UML and the schema?
RelatedDNS:
  Described, for lack of a better description, as A records.
  What we don't have is the representation of the different DNS fields.
  Not on the list is just the dig output.
  Should we do this or punt?
  Punt on #3: AdditionalData.

Sean: What's the status of the JSON draft?
Roman: It's experimental.
Chris: Isn't option 4 the way to go? We're just being lazy about doing the work.
Somebody tell me I'm wrong. Kathleen: Operators are using this stuff; we can't
just leave it out! Chris: Agreed, do the work to make the XML representation.

Cause of incident:
Is Weakness sufficient? Do we want anything different?
Alexey: Roman made a compelling case to use the reference approach.
Take: Maybe we should use CWE through the enum.

No interest in defining our own dictionaries.
Not on the slides but on the mailing list:
Need 10s of 10Ks; not excited to wrap each one. Can't we have one tag for the
big list? Maybe bulk observables? Counter is for particular rates; would be nice
to carry pgates and averages? Can observe the protocol port # but not the actual
protocol being used? Alexey: Is there an unpublished version? Roman: Yes.
Alexey: Will look to do WGLC before Prague, maybe in April.

--------------------------------
MILE Implementation Report:
--------------------------------

http://www.ietf.org/proceedings/92/slides/slides-92-mile-2.pdf

Got input from some implementations:
  iodeflib - open source modules written in Python, designed to be as simple as
  possible
  iodef.pm - open source Perl
  ns6dk - another open source implementation
  eCRISP - using IODEF
  REN-ISAC - supported

Sean: Cool! Just don't wait for everyone on the planet to respond; at some
point decide to just publish.

--------------------------------
ROLIE - draft-ietf-mile-rolie:
--------------------------------

http://www.ietf.org/proceedings/92/slides/slides-92-mile-4.pdf

Motivated by a POC implementation; the key lesson learned was to do a
REST-based solution: makes it easier to share, avoids operational considerations
between sharing parties, leverages IdM solutions, avoids requirements for
distributed policy enforcement, loose coupling, scalability. Not intended to
replace what we have but rather to augment it.

Bob: How many things can he post to fill up your database? How do you mitigate
the DDoS attack? John: Rely on IdM solutions: clients will be authorized.
Kathleen: REST was the most common interface, maybe because they didn't know
about. Sean: At NANOG there's a ton of requests for something that's easier.
John: This might be a way to get people in the door because it's easier, and
then get them to do more later.

Wrapping up an hour early.