Technical Security Working Group
you are here: RIPE -> RIPE Working Groups -> Technical Security
	RIPE Meeting Minutes
	RIPE Meeting Presentations
Minutes from RIPE 41

RIPE Meeting:	41
Working Group:	TechSec
Status:	Final
Revision Number:	1
Please mail comments/suggestions on:
content to the Chair of the working group.
format to webmaster@ripe.net.

Minutes of Techsec-WG meeting at RIPE41   (version 0.2)
=======================================================

Chair:  Ted Lindgreen
Scribe: Rene Wilhelm
Date:   16-Jan-2002, 14:00

Agenda
- ------

A. Administrativia

B. Minutes of previous meeting

C. DISI status update (Olaf Kolkman/RIPE NCC).

D. CSIRT update (Yuri Demschenko/Terena).

E. IRT object (Andrei Robachevsky/RIPE NCC)

F. AOB

- ----------------------------------

A. Administrativia

   Rene Wilhelm volunteered as scribe

B. Minutes of previous meeting 

   Minutes of techsec-wg meeting at RIPE40 were approved

C. DISI Status update (Olaf Kolkman/RIPE NCC)

  [slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/disi-progress/ ]

   Olaf starts with explaining what the DISI (Deployment of Internet Security
   Infrastructures) project is all about. Though the first activity focusses
   on DNSSSEC, the project is broader and expected to take on other activities
   as needed.

   DNSSEC status:

   o Deployment problems, Delegation of authority and Signing of large zones

   o IETF solutions: DS (delegation signer) Resource Record and OPT-IN 

     DS records are published and signed by the parent and will reduce
     the number of key exchange interactions.

     OPT-IN optionally excludes parts of the zone from signing; will reduce
     the final size of the zone, which is important for deployement in
     e.g. .com zone.  Price paid is a loss of authenticated denial in
     parts of the zone on which opt-in is deployed.

     DS and OPT-IN documents will go to last call in Februari 2002.
     There is broad consensus about DS, the document will likely be
     advanced. There is no consensus yet about OPT-IN, but there is
     a compromise (from Olaf Kolkman), with which consensus may be
     reached.

     Updated version of RFC2535 document will go to last call in March.
     Deployement of DNSSEC on reverse tree is expected in last quarter of 2002

   DNSSEC courses and tutorials:

   o Full day course material finalizing
     The two workshops held in 2001 provided useful feedback

   o 4 day DNS/DNSSEC course at APRICOT planned
     half-a-day DNSSEC tutorial at APNIC meeting and SANE
   o Waiting for protocol developments before organising more courses
   o Budget for +/- 10 courses, schedule expected in March 2002

   Other DISI work:

   o Host lab/workshop on DNS secure dynamic update and DCHP roaming
     (next week)

   o Name Server Daemon

     Problem with authoritative servers realized: lack of code diversity!
     (vast majority of servers run BIND)

     Study in collaboration with NLnet Labs led to Name Server Daemon;
     robust, high performing, open source software targeted at 
     authoritative servers. Details and annoucement in tomorrow's
     DNS-WG session.


   QUESTIONS?

   None.


D. TF-CSIRT update (Yuri Demchenko, Terena)

[ slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/techsec-tf-csirt/ ]

  Yuri presented an update of Terena's activity of CSIRT coordination for Europe

  No TF-CSIRT meetings were held after previous presentation in RIPE40 
  (next one scheduled for Jan24-25 in Stockholm), but some new developments
  are reported:

  TF-CSIRT and relations with European Commission:

  Lobbying CSIRT interests is seen as an important function of TF-CSIRT.
  New initiative supported by EC: EWIS - Early Warning and Information System
  was discussed and criticized at last TF-CSIRT meeting


  Trusted Introducer:

  purpose: build a web of trust for the CSIRT community
  via two intermediate steps ('known team' and 'candidate team') a
  new team can be introduced to the Level2 of maintainable trust.

  procedure is working, currently 19 teams at level2, 1 at level1.
  contract with TERENA has been renewed for one more year;
  better PR/promotion needed


  Training new CSIRT staff members:

  First CSIRT training course to be held immediately before the next
  TF-CSIRT meeting.  Covers legal, organisational, technical, market
  and operational issues.
 

  Incident Object Description and Exchange Format WG:

    Webpage and charter   http://www.terena.nl/task-forces/tf-csirt/iodef/ 
    mail archive          http://hypermail.terena.nl/iodef-list/mail-archive/  

  o Requirements document published as RFC 3067 - http://www.ietf.org/rfc/rfc3067.txt  
  o Held INCident Handling (INCH) BOF session at IETF52

    draft minutes at http://www.terena.nl/tech/inch/inch-bof-ietf52-minutes-draft.txt 
    proposed charter http://www.terena.nl/tech/inch/inch-wg-charter-draft.html  

  o Creation of INCH WG was agreed with IETF Security Area.
    Scope: 

    - Define data formats for communication between
      CSIRT and parties involved in an incident investigation
    - Information model needed to support the typical, operational
      workflow of the incident handling processes 


  Clearinghouse of Incident Handling Tools (CHIHT):

  Goals:
 
  o Creating repository of popular tools used by CSIRTs to collect
    incident data/evidence; investigate and track incidents
  o Ease setting up work procedure for new CSIRT teams

  Further work will be conducted by CHIHT WG
  Kick-off meeting at next TF-CSIRT meeting on January 24, 2002 in Stockholm


  QUESTIONS

  Q. trusted introducer, how does it work in practice for a new team to join?

  A. This is described on the website [ http://www.ti.terena.nl/howto.html
     and http://www.ti.terena.nl/process.html ]
     
     New team first needs to be recognized as a known (level0) team by
     filling in a form, specifying contact details and such. Once added
     to the list, can apply for level2. When application is approved,
     automatically upgraded to level1. Next, during a two month period,
     team will be checked, monitored and might be visited; if fine,
     added to the trust level2. Note: commercial ISPs will have to pay
     a fee.


E. IRT object (Andrei Robachevsky/RIPE NCC)

[ slides at http://www.ripe.net/ripe/meetings/ripe-41/presentations/database-irt/index.html ]


  
  Andrei presented an update on the status of IRT objects in the RIPE database.

  The idea is to provide an easy way to find contact information of a CSIRT
  and a means of linking it to registered IP address space (inetnum objects).
  Object definition is finished. support for new '-c' query has been added
  to the database code. Currently available for public review (beta test) at
  test-whois.ripe.net, updates to test-dbm@ripe.net.


  Open issues (for production db):

  o IRT objects will be inserted manually by RIPE NCC database operator,
    need an authentication procedure 

  o Adding a reference from a inetnum object is secure, removing a reference
    is different

  o Need a RIPE document with detailed description, best current practice
    and procedures
  
   
  QUESTIONS

  Q. Do you have any idea how authentication would be done?
     can it work with the trusted introducer?

  A. Andrei: we haven't disucssed this yet.
     Yuri: it is a topic for next week's meeting


F. AOB

   No other business, meeting closed at 15:00

=============================================================================

	About RIPE \| Site Map \| LIR Portal \| About the RIPE NCC \| Contact \| © RIPE Community. All rights reserved.