Operational Security Requirements BOF (opsec)

Thursday, July 17 at 1300-1500
===============================

CHAIR:	George M. Jones <gmjones@mitre.org>

AGENDA:

* Welcome and discussion of agenda (Jones, 10 min)
* History and Current Status (Jones, 10 min)
* Goals (Jones, 10 minutes)
* Related Work/Relationships (Jones, et al., 10 min)
* Overview of draft (Jones, 30 minutes)
* Discuss Contents of the draft (all, 30 minutes) 
* Define Next Steps, Work Areas, Milestones (Jones, et al., 10 minutes)
* Adjourn


Mailing Lists:
  General Discussion: opsec@ops.ietf.org
  To Subscribe: majordomo@ops.ietf.org, "subscribe opsec" in body.
  Archive: http://ops.ietf.org/lists/opsec/


Purpose:


   The primary purposes of this BOF are to


      1. Discuss the draft


      2. To determine appropriate next steps.


   From the draft:


   This document defines a list of security requirements for devices
   that implement the Internet Protocol (IP).  These requirements apply
   to devices that makeup the network core infrastructure (such as
   routers and switches) as well other devices that implement IP (e.g.,
   cable modems, personal firewalls,hosts). A framework is defined for
   specifying "profiles", which are collections of devices applicable to


   certain classes of devices. The goal is to provide consumers of
   network equipment a clear, concise way of communicating their
   security requirements to vendors of such equipment.


Current Status:


  The initial draft has been published.   Comments are being solicited,
  both online and via a BOF.  The intent is to go through one to three
  rounds as an Internet Draft and then re-evaluate the proper course
  of action.  Some possibilities include:


    * Proceed towards a single individual submission informational RFC
    * Split into several drafts (BCP vs. non-BCP, functional vs.
      assurance, etc.)
    * Collaborate with ANSI on updates to T1.276-200x
    * Form a working group


  Some of the work that needs to get done includes:


    * Breaking down compound requirements (global)
    * Creating "profiles" of requirements appropriate to
      different classes of devices (Edge, Core, Wireless, SOHO...)

Background Information:

  See http://www.port111.com/opsec/ for the latest rev, a list
  of meta issues, to-dos, etc.