RIPE 41

Archived This content has been archived and is no longer actively maintained.
RIPE Meeting: 41
Working Group: TechSec
Status: Final
Revision Number: 1

Please mail comments/suggestions on:

Minutes of Techsec-WG meeting at RIPE41 (version 0.2)


Chair: Ted Lindgreen
Scribe: Rene Wilhelm
Date: 16-Jan-2002, 14:00

Agenda


A. Administrativia

B. Minutes of previous meeting

C. DISI status update (Olaf Kolkman/RIPE NCC).

D. CSIRT update (Yuri Demschenko/Terena).

E. IRT object (Andrei Robachevsky/RIPE NCC)

F. AOB

- ----------------------------------

A. Administrativia

Rene Wilhelm volunteered as scribe

B. Minutes of previous meeting

Minutes of techsec-wg meeting at RIPE40 were approved

C. DISI Status update (Olaf Kolkman/RIPE NCC)

[slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/disi-progress/ ]

Olaf starts with explaining what the DISI (Deployment of Internet Security
Infrastructures) project is all about. Though the first activity focusses
on DNSSSEC, the project is broader and expected to take on other activities
as needed.

DNSSEC status:

o Deployment problems, Delegation of authority and Signing of large zones

o IETF solutions: DS (delegation signer) Resource Record and OPT-IN

DS records are published and signed by the parent and will reduce
the number of key exchange interactions.

OPT-IN optionally excludes parts of the zone from signing; will reduce
the final size of the zone, which is important for deployement in
e.g. .com zone. Price paid is a loss of authenticated denial in
parts of the zone on which opt-in is deployed.

DS and OPT-IN documents will go to last call in Februari 2002.
There is broad consensus about DS, the document will likely be
advanced. There is no consensus yet about OPT-IN, but there is
a compromise (from Olaf Kolkman), with which consensus may be
reached.

Updated version of RFC2535 document will go to last call in March.
Deployement of DNSSEC on reverse tree is expected in last quarter of 2002

DNSSEC courses and tutorials:

o Full day course material finalizing
The two workshops held in 2001 provided useful feedback

o 4 day DNS/DNSSEC course at APRICOT planned
half-a-day DNSSEC tutorial at APNIC meeting and SANE
o Waiting for protocol developments before organising more courses
o Budget for +/- 10 courses, schedule expected in March 2002

Other DISI work:

o Host lab/workshop on DNS secure dynamic update and DCHP roaming
(next week)

o Name Server Daemon

Problem with authoritative servers realized: lack of code diversity!
(vast majority of servers run BIND)

Study in collaboration with NLnet Labs led to Name Server Daemon;
robust, high performing, open source software targeted at
authoritative servers. Details and annoucement in tomorrow's
DNS-WG session.


QUESTIONS?

None.


D. TF-CSIRT update (Yuri Demchenko, Terena)

[ slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/techsec-tf-csirt/ ]

Yuri presented an update of Terena's activity of CSIRT coordination for Europe

No TF-CSIRT meetings were held after previous presentation in RIPE40
(next one scheduled for Jan24-25 in Stockholm), but some new developments
are reported:

TF-CSIRT and relations with European Commission:

Lobbying CSIRT interests is seen as an important function of TF-CSIRT.
New initiative supported by EC: EWIS - Early Warning and Information System
was discussed and criticized at last TF-CSIRT meeting


Trusted Introducer:

purpose: build a web of trust for the CSIRT community
via two intermediate steps ('known team' and 'candidate team') a
new team can be introduced to the Level2 of maintainable trust.

procedure is working, currently 19 teams at level2, 1 at level1.
contract with TERENA has been renewed for one more year;
better PR/promotion needed


Training new CSIRT staff members:

First CSIRT training course to be held immediately before the next
TF-CSIRT meeting. Covers legal, organisational, technical, market
and operational issues.


Incident Object Description and Exchange Format WG:

Webpage and charter http://www.terena.nl/task-forces/tf-csirt/iodef/
mail archive http://hypermail.terena.nl/iodef-list/mail-archive/

o Requirements document published as RFC 3067 - http://www.ietf.org/rfc/rfc3067.txt
o Held INCident Handling (INCH) BOF session at IETF52

draft minutes at http://www.terena.nl/tech/inch/inch-bof-ietf52-minutes-draft.txt
proposed charter http://www.terena.nl/tech/inch/inch-wg-charter-draft.html

o Creation of INCH WG was agreed with IETF Security Area.
Scope:

- Define data formats for communication between
CSIRT and parties involved in an incident investigation
- Information model needed to support the typical, operational
workflow of the incident handling processes


Clearinghouse of Incident Handling Tools (CHIHT):

Goals:

o Creating repository of popular tools used by CSIRTs to collect
incident data/evidence; investigate and track incidents
o Ease setting up work procedure for new CSIRT teams

Further work will be conducted by CHIHT WG
Kick-off meeting at next TF-CSIRT meeting on January 24, 2002 in Stockholm


QUESTIONS

Q. trusted introducer, how does it work in practice for a new team to join?

A. This is described on the website [ http://www.ti.terena.nl/howto.html
and http://www.ti.terena.nl/process.html ]

New team first needs to be recognized as a known (level0) team by
filling in a form, specifying contact details and such. Once added
to the list, can apply for level2. When application is approved,
automatically upgraded to level1. Next, during a two month period,
team will be checked, monitored and might be visited; if fine,
added to the trust level2. Note: commercial ISPs will have to pay
a fee.


E. IRT object (Andrei Robachevsky/RIPE NCC)

[ slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/database-irt/index.html ]



Andrei presented an update on the status of IRT objects in the RIPE database.

The idea is to provide an easy way to find contact information of a CSIRT
and a means of linking it to registered IP address space (inetnum objects).
Object definition is finished. support for new '-c' query has been added
to the database code. Currently available for public review (beta test) at
test-whois.ripe.net, updates to test-dbm _at_ ripe _dot_ net.


Open issues (for production db):

o IRT objects will be inserted manually by RIPE NCC database operator,
need an authentication procedure

o Adding a reference from a inetnum object is secure, removing a reference
is different

o Need a RIPE document with detailed description, best current practice
and procedures


QUESTIONS

Q. Do you have any idea how authentication would be done?
can it work with the trusted introducer?

A. Andrei: we haven't disucssed this yet.
Yuri: it is a topic for next week's meeting


F. AOB

No other business, meeting closed at 15:00