Security Incident Coordination at the RIPE NCC !? Karrenberg
____________________________________________________

Security Incident Coordination at the RIPE NCC ?!

Daniel Karrenberg

Document: ripe-149
Date: October 30th 1996

Scope

This document describes why the RIPE NCC should provide security incident coordination for the European Internet service providers. It presents the position of the RIPE NCC. Discussion and comments to the author are very welcome.

Summary

A TERENA pilot project for security incident coordination is due to start in Q1/1997. After reviewing the description of the pilot service we concluded that the NCC should provide this service because this is in the interest of the European ISPs. The RIPE NCC will submit and publish a proposal to execute the pilot. We call on the ISPs to support this and to commit financial contributions in order to firmly establish their interest in such a service and to help make it a success.

Background

The need for security incident coordination in Europe has been undisputed for quite some time. Yet no initiative to set up such a service has gathered sufficient momentum to come to fruition.

After thorough preparatory work by its CERT task force TERENA has recently issued a closed call for proposals for a pilot service dubbed SIRCE (Security Incident Response Coordination in Europe). The RIPE NCC is one of the recipients of this call. At their annual meeting the RIPE NCC contributors committee authorised the RIPE NCC to respond to such a call if the service was beneficial to the contributors and this activity was funded separately from NCC core activities.

The SIRCE Pilot Project

The service described in the call for proposals explicitly excludes the handling of incidents itself.
SIRCE is strictly limited to basic incident coordination. The actual handling of incidents is done by incident response teams (IRTs) operated by ISPs and others. Incident coordination includes the setting up of contacts and trusted information channels between IRTs, tracking who is working on a particular incident and keeping the IRTs involved informed about progress.

In addition to incident coordination itself, SIRCE will provide support functions for IRTs such as helping new IRTs to start up, organising meetings and publishing general information about incident response. For details about the services see the task force report at ftp://ftp.ripe.net/ripe/misc/cert-eu.ps and the RIPE NCC proposal (to be published).

The two things that remain unclear about the pilot project are the funding and the way the project is going to be managed by TERENA. TERENA expects to obtain funding but does not give any particulars. Also the changeover from the pilot to a regular service is not addressed at present.

Time Schedule

The call for proposals was received at the NCC on October 4th. Proposals are due by November 1st. Interviews with short-listed candidates are scheduled for the beginning of December and TERENA expects to decide on the execution of the pilot by December 31st. The pilot is due to start Q1/1997.

The Internet Service Providers

After considering the description of the pilot service we believe that the ISPs have an interest to see this pilot executed at the RIPE NCC. ISPs are currently handling incidents within their own infrastructure and possibly customer infrastructures as well. Whether an ISP currently has an IRT as such does not really matter as we expect them to have at least informal structures to deal with security incidents.
We observe that there is a general interest in coordination but no focus as yet. The project will provide such a focus. We also expect that ISPs have an interest in coordination focussed on their needs rather than those of others such as software/hardware vendors, governments, news media and law enforcement agencies. In case of conflicts the RIPE NCC will clearly choose to defend the interests of the ISPs. In addition ISPs also have an interest to have this sensitive function executed by an organisation that is neutral and impartial vis a vis the interests of different ISPs involved.

The RIPE NCC

The NCC is ideally suited for providing this service for a number of reasons:

o we are already serving the ISPs who are the main target group,

o we already have relationships of trust with ISPs,

o we already have years of coordination experience on the scale required including the knowledge and the tools to make it work,

o we are already accepted as being neutral and impartial vis a vis different ISPs,

o we already maintain the RIPE database which is very frequently used to find contacts for incident coordination,

o we have a solid track record of piloting services and turning them into stable and reliable operational services.

Funding

We believe that finding the funding of the pilot project should not be left totally to TERENA but rather that as many ISPs as possible should contribute from the outset. The main reason is to clearly establish that a real interest exists in the ISP community. Secondary reasons are to establish influence by the target community as early as possible and to facilitate transition to a normal service.
We also believe that the level of resources for the pilot envisioned by TERENA is too low to guarantee a successful service for the size of community we expect. So additional funds will be needed.

The NCC has a proven mechanism of running pilot projects funded by interested parties, which can quickly be turned into regular services. Exactly when this would happen and whether the SIRCE service will be either a core service funded by all NCC contributors or an additional service funded only by a subset of contributors is to be decided later on. TERENA aims for a pilot taking "no longer than 2.5 years". We will aim for an operational service by Q1/1998.

The expected benefits for those funding the pilot are:

o preferred service and support; non-contributors will receive service on a time-permitting basis when there are no requests from contributors;

o direct channels such as a private mailing list for contributors to discuss directions and influence the pilot;

o public credit for their contribution.

In the unlikely case that there will be no significant funding commitments from the ISP community, we will have to conclude that interest is not sufficient and the RIPE NCC will have to withdraw its proposal.

TERENA Involvement

We believe that TERENA should be involved in managing the pilot project because its CERT task force has outstanding expertise and they have spent significant resources to define SIRCE services in a way that is right and very useful for ISPs. They also have significant support from existing IRTs.
With the pilot being executed at the NCC and the ISPs contributing to the funding everyone wins; TERENA wins by getting credit for taking the lead and managing the pilot, the ISPs win by getting a service responsive to their needs and interests earlier than without TERENA's initiative. There will generally be low entropy.

The situation is somewhat awkward as the NCC currently is formally part of TERENA. This can be overcome since the NCC is managed very independently and the principle of formal separation of the NCC from TERENA by Q1/1998 has already been agreed by all involved parties. TERENA has also taken care that the proposal review process is fully independent and neutral.

Further Actions

Time for further actions is short because of the tight time schedule.

The NCC will respond to the call for proposals by November 1st. The proposal will include the policies described above, propose ISP funding to TERENA and request discussions about project management. It will state that we have called for support from our community including financial contributions. It will reserve the right to withdraw at the interview stage if support should be insufficient at that time.

We will publish our proposal on November 4th including a call for support and funding commitments for the pilot.

ISPs should react to the call for funding commitments as quickly as possible but before November 27th.

We will keep the community informed about further developments.