Real-time Inter-network Defense (RID) (RFC6045)
Original Publication Date: 2010-Nov-01
Included in the Prior Art Database: 2010-Nov-09
Internet Society Requests For Comment (RFCs)
Incident handling involves the detection, reporting, identification, and mitigation of an attack, whether it be a system compromise, a socially engineered phishing attack, or a denial-of-service (DoS) attack. When an attack is detected, the response may include simply filing a report, notifying the source of the attack, requesting mitigation, or requesting that the source be located. One of the more difficult cases is that in which the source of an attack is unknown, requiring the ability to trace the attack traffic iteratively upstream through the network before any further action can be taken. In cases when accurate records of an active session between the victim system and the attacker or source system are available, the source is easy to identify. The problem of tracing incidents becomes more difficult when the source is obscured or spoofed, logs are deleted, or the number of sources is overwhelming. If the source of an attack is known or identified, it may be desirable to request that actions be taken to stop or mitigate the effects of the attack.
Internet Engineering Task Force (IETF)                       K. Moriarty
Request for Comments: 6045                                           EMC
Category: Informational                                    November 2010
ISSN: 2070-1721
Real-time Inter-network Defense (RID)
Network security incidents, such as system compromises, worms,
viruses, phishing incidents, and denial of service, typically result
in the loss of service, data, and resources both human and system.
Network providers and Computer Security Incident Response Teams need
to be equipped and ready to assist in communicating and tracing
security incidents with tools and procedures in place before the
occurrence of an attack. Real-time Inter-network Defense (RID)
outlines a proactive inter-network communication method to facilitate
sharing incident handling data while integrating existing detection,
tracing, source identification, and mitigation mechanisms for a
complete incident handling solution. Combining these capabilities in
a communication system provides a way to achieve higher security
levels on networks. Policy guidelines for handling incidents are
recommended and can be agreed upon by a consortium using the security
recommendations and considerations.
RID has found use within the international research communities, but has not been widely adopted in other sectors. This publication provides the specification to those communities that have adopted it, and communities currently considering solutions for real-time inter-network defense. The specification may also accelerate development of solutions where different transports or message formats are required by leveraging the data elements and structures specified here.
Moriarty Informational [Page 1]
RFC 6045 RID November 2010
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6045.
Copyright (c) 2010 IETF Trust...