INTRUSION DETECTION EXCHANGE FORMAT (IDEF) Working Group
Meeting Minutes, 49th IETF

The IDWG met at 0900 on both Thursday and Friday of the 49th IETF meeting in San Diego, CA.

First meeting - 14 December 2000

The first presentation was on the Intrusion Alert Protocol (IAP). It was presented by Roy Pollock, using slides prepared by Dipankar Gupta. Some changes have been made to the protocol, partly to align it more closely with HTTP/1.1. The changes include:

1. Changed content-type to "application/xml" (from application/x-idef-alert).
2. The initiator of the TCP connection must now also initiate the TLS handshake.
3. A RESPONSE message may now contain a body.
4. A Host: header has been added, to support a virtual hostname.

The following issues were identified:

1. The IDWG's relationship with the work being done by the SYSLOG WG needs to be determined.
2. Interoperability between implementations has not been tested.
3. A port number has not been requested from IANA.
4. IANA OIDs for the desired key extensions are needed.

A new draft of the IAP document was sent to the mailing list, and will be properly submitted when possible.

Darren New made a presentation on BEEP, the Block Extensible Exchange Protocol. BEEP (née BXXP) provides a framework for an application protocol, and is being used by the SYSLOG WG, whose requirements are very similar to those of the IDWG. The draft BEEP document is currently in "last call" status. BEEP is asynchronous, bi-directional, and multi-channel. It uses SASL and TLS to establish a session's security properties. A profile defines the properties of a channel. Several interoperable implementations of the previous version of BEEP exist, in multiple languages including Python, Perl, Java, and Tcl; several of these will be updated to the current BEEP specification within the next couple of months. One issue mentioned was that TLS pass-through (a firewall) is not precisely specified, but this is not thought to be a problem.
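To make the "multi-channel" property concrete, the following is an added example (not code from the IDWG, the BEEP draft, or any IAP implementation) of a minimal parser and demultiplexer for BEEP frames in the RFC 3080 wire format: a header line of keyword, channel, message number, continuation flag, sequence number and payload size, followed by the payload and an END trailer. The demultiplexer reassembles each message per channel and enforces that sequence numbers on a channel are contiguous, so a missing or injected frame is detected rather than silently merged into an alert. The greeting and alert payloads are constructed sample data, and the alert XML is a placeholder, not the IDWG data model.

```python
"""Minimal BEEP (RFC 3080) frame parser and per-channel demultiplexer.
Added example for the minutes above; not code from the IDWG, the BEEP
draft or any IAP implementation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRAILER = b"END\r\n"
# keyword channel msgno more seqno size [ansno]\r\n   (RFC 3080 frame header)
HEADER_RE = re.compile(
    rb"(MSG|RPY|ERR|ANS|NUL) (\d+) (\d+) ([.*]) (\d+) (\d+)(?: (\d+))?\r\n"
)


@dataclass
class Frame:
    kind: str          # MSG, RPY, ERR, ANS or NUL
    channel: int       # channel 0 is the management channel; profiles run on others
    msgno: int
    more: bool         # '*' = more frames of this message follow, '.' = last frame
    seqno: int         # octet sequence number of the payload within the channel
    payload: bytes
    ansno: Optional[int] = None


def build_frame(kind: str, channel: int, msgno: int, more: bool, seqno: int,
                payload: bytes, ansno: Optional[int] = None) -> bytes:
    """Serialise one frame; the size field is derived from the payload."""
    header = f"{kind} {channel} {msgno} {'*' if more else '.'} {seqno} {len(payload)}"
    if ansno is not None:
        header += f" {ansno}"
    return header.encode() + b"\r\n" + payload + TRAILER


def parse_frame(buf: bytes, pos: int = 0) -> Tuple[Frame, int]:
    """Parse one frame starting at pos; return it and the offset after its trailer."""
    m = HEADER_RE.match(buf, pos)
    if not m:
        raise ValueError("malformed BEEP frame header")
    kind, channel, msgno, more, seqno, size, ansno = m.groups()
    if (kind == b"ANS") != (ansno is not None):
        raise ValueError("ansno is required for ANS frames and forbidden otherwise")
    start, end = m.end(), m.end() + int(size)
    # The declared size must land exactly on an END trailer; anything else is a
    # truncated, oversized or tampered frame.
    if buf[end:end + len(TRAILER)] != TRAILER:
        raise ValueError("payload length disagrees with size field or END trailer missing")
    frame = Frame(kind.decode(), int(channel), int(msgno), more == b"*",
                  int(seqno), buf[start:end],
                  int(ansno) if ansno is not None else None)
    return frame, end + len(TRAILER)


def parse_stream(buf: bytes) -> List[Frame]:
    frames, pos = [], 0
    while pos < len(buf):
        frame, pos = parse_frame(buf, pos)
        frames.append(frame)
    return frames


class ChannelDemux:
    """Reassembles messages per channel and enforces seqno continuity."""

    def __init__(self) -> None:
        self.next_seqno: Dict[int, int] = {}                       # per channel
        self.partial: Dict[Tuple[int, int], bytearray] = {}        # (channel, msgno)
        self.messages: Dict[int, List[Tuple[str, int, bytes]]] = {}

    def feed(self, frame: Frame) -> Optional[bytes]:
        """Consume a frame; return the complete message body once its last frame arrives."""
        expected = self.next_seqno.get(frame.channel, 0)   # each channel starts at 0
        if frame.seqno != expected:
            raise ValueError(
                f"channel {frame.channel}: expected seqno {expected}, got {frame.seqno}")
        self.next_seqno[frame.channel] = expected + len(frame.payload)
        key = (frame.channel, frame.msgno)
        self.partial.setdefault(key, bytearray()).extend(frame.payload)
        if frame.more:
            return None
        body = bytes(self.partial.pop(key))
        self.messages.setdefault(frame.channel, []).append((frame.kind, frame.msgno, body))
        return body


# Constructed sample traffic: a greeting on channel 0 and one alert on channel 1
# that is split across two frames.  The XML is a placeholder, not the IDWG model.
ALERT_XML = b'<alert><time ts="2000-12-14T09:00:00Z"/></alert>'
SAMPLE_STREAM = b"".join([
    build_frame("RPY", 0, 0, False, 0, b"<greeting/>"),
    build_frame("MSG", 1, 0, True, 0, ALERT_XML[:20]),
    build_frame("MSG", 1, 0, False, 20, ALERT_XML[20:]),
])


def demo() -> Dict[int, List[Tuple[str, int, bytes]]]:
    """Parse the sample stream and return the reassembled messages per channel."""
    demux = ChannelDemux()
    for frame in parse_stream(SAMPLE_STREAM):
        demux.feed(frame)
    return demux.messages


if __name__ == "__main__":
    for channel, msgs in demo().items():
        for kind, msgno, body in msgs:
            print(f"channel {channel} {kind} #{msgno}: {body!r}")
```

The seqno check is the part worth keeping in any receiver: because channels are independent, a frame that arrives with a gap on one channel cannot be explained by traffic on another, and rejecting it is cheaper than reasoning about a half-assembled alert later.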
The question of whether we should use BEEP, and if not why not, was raised. The group's consensus was that we should explore BEEP further, even though it will delay our moving ahead with IAP. Paul Osterwald, John White, and the Aerospace group from Harvey Mudd took on the task of examining BEEP prior to the next IDWG meeting.

Stuart Staniford presented some remaining Data Model and XML Representation issues.

Issue: It has been proposed that the fields of an IP packet be broken out, and also that some stream information be included for context. This is clearly just one example of many technical issues that could be dealt with by XML extension.
Action: David Curry will study the issue of XML extensibility in general. The need for packet breakout should be explored on the mailing list.

Issue: The revised format is in the model, not yet in the XML.
Resolution: Use the revised format in both.

Issue: Addresses can be ambiguous in private address spaces. Propose to add optional VLAN number and VLAN name attributes to , and "interface" to and .
Resolution: Make the change to both model and XML.

Issue: and add unnecessary nesting and should be eliminated.
Resolution: OK

Issue: The "unknown" type in is meaningless and should be eliminated.
Resolution: OK

Issue: Time representation in the XML is verbose and somewhat inconsistent. It is proposed that we use the IEEE-8601 standard, change from an element to an attribute, eliminate