IETF Extended Incident Handling (INCH) Working Group


The Extended Incident Handling (INCH) Working Group was part of the Security Area of the Internet Engineering Task Force (IETF). It was chartered to create an exchange format for computer security incident data used by Computer Security Incident Response Teams (CSIRTs).

The working group authored five documents. The requirements for INCH were documented in the Format for Incident Reporting (FINE). A data model for exchanging this incident information, the Incident Object Description Exchange Format (IODEF), was specified. The Real-time Inter-Network Defense (RID) protocol provided a messaging format for IODEF, and an associated binding to SOAP was also provided. An initial extension of the core IODEF data model describing phishing information was also authored.

The INCH WG was closed in Oct-2006. Prior to this closure, the requirements and IODEF data model were submitted to the IESG as WG documents. Ultimately, the AD decided not to sponsor the requirements document for publication. The remaining documents were resubmitted as individual drafts on the standards track. The AD has provided guidance on their publication after the publication of the IODEF. The mailing list remains open for discussion of these drafts and implementation issues.

Additional information about the IETF standards process can be found in RFC 2026, RFC 2418, and The Tao of the IETF. Refer to the official INCH charter and the IETF website for information about the organization and the associated standards process.

Administrative Contact Information
Collaboration
Mailing List
Post to inch@nic.surfnet.nl
Archive: http://listserv.surfnet.nl/archives/inch.html

To Subscribe, send to listserv@nic.surfnet.nl with "subscribe inch" in the body
Issue and Request Tracking
(no longer used, for historical purposes only) https://rt.psg.com
username: ietf; password: ietf

News

Documents chartered by the WG

| Document | Type (Name) [1] | Version | Published | Track [3] |
|---|---|---|---|---|
| Requirements for the Format for INcident information Exchange (FINE) | I-D (draft-ietf-inch-requirements-08) | 08 | Apr-05-2007: rejected by AD; Oct-02-2007: submitted to AD; Jun-25-2006: published | Won't be published |
| The Incident Object Description Exchange Format (IODEF) | RFC 5070 (xsd) | | Dec-2007 | Standards |
| Incident Handling: Real-Time Inter-Network Defense | I-D (draft-moriarty-post-inch-rid-06) | 06 | Apr-15-2008 | Individual draft as Standards [4] |
| The Incident Object Description Exchange Format (IODEF) Implementation Guide | I-D (draft-ietf-inch-implement-01) | 01 | Nov-09-2004 | Expired draft. Volunteers are considering an update |
| Extension to IODEF-Document Class for Phishing, Fraud, and Other Non-Network Layer Reports | I-D (draft-cain-post-inch-phishingextns-04) | 04 | May-24-2008 | Individual draft as Standards [4] |
| IODEF/RID over SOAP | I-D (draft-moriarty-post-inch-rid-soap-05) | 05 | Feb-25-2008 | Individual draft as Standards [4] |

[1] Draft file name
[2] Publish date is the release date of the document; Last-Call date is the projected date when the WG will submit the draft to the IESG
[3] IETF document track (see Section 4 of RFC 2026)
[4] Not submitted to the IESG at the time of the closure of the WG. These WG documents were resubmitted as individual drafts for publication. The AD has provided instructions for publication of these documents.

Additional status about all the working group documents can be found in the Draft Tracker maintained by the IETF Secretariat.

Additional documents not chartered by the WG

| Document | Type (Name) | Version | Published | Track [3] |
|---|---|---|---|---|
| Sharing Transaction Fraud Data | I-D (draft-mraihi-inch-thraud-06) | 06 | May-2008 | Info |

Additional Documentation

Diagrams of the -120 schema.

Meeting Proceedings

Jul-2006 IETF 66 Montreal, Canada
Mar-2006 IETF 65 Dallas, USA
Nov-09-2005 (summary) IETF 64 Vancouver, Canada
Aug-03-2005 (summary) IETF 63 Paris, France
Mar-09-2005 (summary) IETF 62 Minneapolis, USA
Nov-11-2004 (summary) IETF 61 Washington DC, USA
Aug-05-2004 IETF 60 San Diego, USA
Jun-13-2004 Interim Meeting Budapest, Hungary
Mar-4-2004 IETF 59 Seoul, Korea
Nov-13-2003 IETF 58 Minneapolis, USA
Jul-16-2003 IETF 57 Vienna, Austria
Mar-19-2003 IETF 56 San Francisco, USA
Feb-8-2003 Interim Meeting Uppsala, Sweden
Sep-21-2002 IETF 55 Atlanta, USA
Jul-??-2002 IETF 54 Yokohama, Japan
Mar-21-2002 IETF 53 Minneapolis, USA
Dec-10-2001 IETF 52 Salt Lake City, USA

Implementations

The following implementation reports have been made at various IETF meetings:

The following is a list of the known, publicly available software libraries and applications making use of the IODEF.

| Tool | Version | License |
|---|---|---|
| IODEF application (http://www.cysols.com/research/iodef/IODEFApp.html): IODEF and RID implementation | ?? | ?? |
| IODEF.pm (http://search.cpan.org/~johng/XML-IODEF-0.06/): XML::IODEF is a Perl module for easily creating/parsing IODEF documents. It is a wrapper around XML::Simple, providing an interface designed to simplify the parsing and creation of IODEF documents. | 0.06 | BSD |
| SIRIOS (http://www.cert-verbund.de/sirios/) | 0.06 | BSD |
| Phishing Reports using XForm (http://coopercain.com/incidents/index.htm): An XML XForms web page to let a user enter test information and generate an IETF INCH compliant XML report. | | |

Additionally, there are several active projects making use of the IODEF.

If you have an implementation or project using IODEF and would like to be listed, please contact rdd@cert.org.


Last Updated: July 15, 2008