TERENA'S Incident Object Description and Exchange Format Requirements

RFC 3067                   IODEF Requirements              February 2001


2. Introduction

   This document defines requirements for the Incident Object
   Description and Exchange Format (IODEF), which is the intended
   product of the Incident Taxonomy Working Group (ITDWG) at TERENA [2].
   IODEF is planned to be a standard format which allows CSIRTs to
   exchange operational and statistical information; it may also provide
   a basis for the development of compatible and inter-operable tools
   for Incident recording, tracking and exchange.

   Another aim is to extend the work of IETF IDWG (currently focused on
   Intrusion Detection exchange format and communication protocol) to
   the description of incidents as higher level elements in Network
   Security.  This will involve CSIRTs and their constituency related
   issues.

   The IODEF set of documents, of which this document is the first, will
   contain the IODEF Data Model and XML DTD specification.  Further
   discussion of this document will take place on the ITDWG mailing
   lists [email protected] or [email protected]; archives
   are available respectively at
   http://hypermail.terena.nl/incident-taxonomy-list/mail-archive/ and
   http://hypermail.terena.nl/iodef-list/mail-archive/

2.1. Rationale

   This work is based on attempts to establish cooperation and
   information exchange between leading/advanced CSIRTs in Europe and
   among the FIRST community.  These CSIRTs understand the advantages of
   information exchange and cooperation in processing, tracking and
   investigating security incidents.

   Computer Incidents are becoming distributed and international and
   involve many CSIRTs across borders, languages and cultures.
   Post-Incident information and statistics exchange is important for
   future Incident prevention and Internet security improvement.  The
   key element for information exchange in all these cases is a common
   format for Incident (Object) description.

   It is probable that, in further development or implementation, the
   IODEF will be used for forensic purposes; this means that the
   Incident description must be unambiguous and allow for future custody
   (archiving/documentation) features.

Arvidsson, et al.            Informational