Salsa call 23-August-2007
*Attending*
Mark Poepping, CMU (chair)
Terry Gray, U. Washington
Renee Frost, Internet2
Mike Van Norman, UCLA
Jeff Schiller, MIT
Jack Suess, UMBC
Greg Travis, Indiana
Joe St. Sauver, Internet2/U. Oregon
Ken Klingenstein, Internet2
Chris Misra, U. Mass
Jim Pepin, Clemson
*Discussion*
- Fall Internet2 Member Meeting
Renee will send out the middleware and security session list to the Salsa list when it is finalized.
- Merger/Org update
A definitive Memorandum of Agreement (MoA) has been completed and distributed to both boards, which will have voted on it by the end of August. See the website for the latest news and announcements: http://internet2-nlr.org/
The new advisory council most relevant to security would be the Applications, Middleware & Services Advisory Council (AMSAC), although it should be noted that they will have a great deal on their plates especially for the first year. http://www.internet2.edu/about/governance/advisorycouncils.html
We anticipate that the chairs of MACE and Salsa will be ex-officio members of AMSAC, as will Ken.
The relationship between REN-ISAC and Salsa/Internet2 will be a subject that we will want to address with AMSAC. Since Salsa is independent from (though supported by) Internet2, we are free to advise other activities as we see fit, such as the Educause/Internet2 Security Task Force (STF).
There are some promising opportunities available to us, given the presence of the research community and the commercial sector among the members of AMSAC. Chief among them is being able to improve the communication and relationships between network engineers and researchers on their respective campuses. For example, one opportunity would be to brainstorm about ways in which we can ensure that real-world security needs and practices are incorporated into research agendas. There is also a significant amount of engineering perspective that would be useful to researchers. In general there is a gap between the two communities, and anything we can do to facilitate communication between researchers and network engineers will be to the benefit of all.
In the Middleware area we hold the annual PKI conference sponsored by NIST and Internet2, which brings together researchers and practitioners and corporate reps, in this case for PKI and trust, and it works well. Researchers may be more amenable to this if NSF and other major funding agencies are participating.
A more active engagement with researchers will hopefully be one of the characteristics of the merged organization moving forward...
- Eduroam Demo at Fall I2MM
Michael Gettes will be coordinating this with Chris; more to come as it develops.
- Tempe Camp - Feb 13-15, 2008
Chris and Jack and Ken are on the program committee. They are working out who the intended audience is, along the lines of security-oriented middleware architects and middleware-oriented security people. This meeting will primarily be aimed at the middleware crowd, toward how they can work better with security staff. Roles and rules may come into play in this context. Web apps have moved higher up in the threat stack, and managing those apps and related privileges is becoming a more important issue.
- ISOC
Ken is working with RL "Bob" Morgan on their CFP "Trust and the Future of the Internet" http://www.isoc.org/isoc/general/trustees/headlines/20070809.shtml
They are planning to submit a position paper, and if it is accepted Bob will be at the upcoming meeting in Toronto in October to present. Mark discussed that trust and reputation are the solid core of infrastructure, and that audit and diagnostics come into play in that it is useful to be able to trace back and determine what trust mechanism is/was being used to support which decisions.
- National Center for Intrusion Response and FCC issues
Joe discussed the recent announcement about the FBI-funded incident response effort at NCSA/UIUC: National Center for Digital Intrusion Response (NCDIR) http://www.ncdir.us/
Many have traditionally considered this to be a function of CERT or REN-ISAC; it is not yet clear how this new center will relate to the others underway. This may be related to past SC security incidents. Chris has had discussions with a couple of the NCDIR leaders about RENOIR, and will continue discussions and report as events warrant.
There is some indication that the FBI is pursuing expedited rule-making from the FCC relating to CALEA. It is likely to be several months or perhaps a year or longer before this is clarified. If approved, the practical impacts are unclear but may include being required to report distributions of packets per port, or other new data not previously required. They do not appear to be addressing whether an entity is exempt or not, but rather what needs to be reported.
Q: Does onion-routing break CALEA, in the sense that supporting it makes an entity no longer exempt?
A: Security and legal folks are worried about this, potentially being seen as providing ISP-like services and thus endangering exemptions. It remains to be seen whether this is the case...