From YouTube: IETF95-MILE-20160405-1740
Description
MILE meeting session at IETF95
2016/04/05 1740
E
E
D
B
D
A
C
E
So it's the note. Well, do you think either God knows well, so I think you know let's go this is in dec, so we did a start from reviewing the status for the MILE wharton draft. Then we would have to invite sticks, presentation regarding IODEF-bis draft, implemented to draft, ROLIE draft, neck seem to be draft and guidance draft, and also on discussion about security alerts or more the thought, my draft. So this is the status review of the drafts for the data model.
E
E
If Jackie I- yes, but he promised to come to darling with a new draft, 30 need transport. We have two drafts. One draft is the ROLIE draft. Today they would be presenting on that and also the XMPP draft. It's from Nancy. It already finished a working group adoption call. So regarding guide right. We have two drafts: why the implementation draft and also other, is a guidance draft, both of the presentations this time.
E
E
D
E
E
G
H
Good evening, everyone. Roman today they're talking about 5070-bis. Next slide. So just quick summary if you're seeing it for the first time: IODEF v2 is an XML representation to exchange computer security incident reports and commonly exchanged indicators. Next slide, please! So since we last fit her since we mass last met in Yokohama, there have been three drafts. A substantial amount of text has changed. I would point you to all those different URLs, those reference that different change logs, and we had a working group last call open and closed during that time.
H
Next slide, please! So what what's been closed as far as we're officially tracking: first to be closed, issue number 38, which was talking about what should examples look like and what you, what you see in the current draft are some examples, and the rest of those are punted to the implementation draft.
H
We brought to closure the related DNS discussion, which has been going on for quite some time about how we do it, and the answer is we're going to do it as an extension, so punted on that, and then the long-running issue of reorganizing the schema so it looks a little prettier. That has always been pending completion of the schema. So that's also they've done during the working group last call.
H
We got three items of feedback, so first from David Waltermire. Dave, again thank you, that was very comprehensive and great feedback and made the document really tremendously better, and then there was feedback from our chairs, from Aleksei and talked a. All of that is being integrated, and if you've seen the dash EG draft, there has been a tremendous amount of rewriting, so it reads roots link its actual English. So it's been improved quite a lot. So next slide.
H
Please. So just wanted to point out, as we've always done, there's two places where compatibility got broken, again as part of the review for internationalization. Some of the classes related to storing contact information were modified. So you can see those listed there. Next slide, please. And if you read the document, you'll notice that it looks a little different with regards to some of the UML that's represented there. A couple of new data types were created, primarily at Dave's suggestion.
H
So what you see is now an extension data type and a software data type that impacts quite a lot of classes that you see there, and so there's now one way to do an extension and it is the extension type, so it should make things simpler as well. So next slide. So there you are looking at the great news. We are done. All working group last call comments are done, the issue tracking is empty, and this is the last time we should be talking about the draft.
E
I do not want to provide any new issue, but let me just ask one question: when I was writing a review guidance draft I found one question regarding info leakage. In the IODEF version 1 we have this field, impact class, whose type of info-leak. How could it express it in v2? Could you give us some navigation.
H
E
I
G
H
E
C
E
C
J
F
I
So I have a very short amount of time and there's a handful of issues that came up based on the feedback that we got at the last meeting. We talked about working to align ROLIE so that it can satisfy both the needs of MILE to transmit indicator information, but also some of the needs of SACM to transmit that there are other kinds of security-related information. There's a lot of overlap between the needs of MILE and SACM. Vulnerability class information is one of those overlaps.
I
SACM is currently considering work relating to a vulnerability assessment, so getting some additional alignment with the drafts would actually be, I think, beneficial to both working groups. So this presentation is largely focused around what we would need to do to actually accomplish that alignment.
I
Moment on that, on that topic: John is actually quite busy with other things outside the IETF, so it would be good to get a second co-editor for the, for the draft, if, if there's someone else that's, that's interested, but we'll get to that in a little bit. So, so I want to talk briefly about the applicability of this work to the, to the SACM use cases.
I
So, within our, our use cases document, we define a use case that is focused around defining, publishing, querying and retrieving security automation data, so we're looking for a way to organize things like vulnerability alerts. We have some individual drafts in SACM around the Open Vulnerability and Assessment Language, which has essentially definitions that enable you to automatically assess the configuration state of a device to determine if it's vulnerable, if it's misconfigured, things like that. This is actually a way of generating indicator information from, from a device.
I
We need to be able to cross-reference between various data sources, so we need to be able to say that, you know, one bit of information that one organization has relates to a bit of information that another organization has, which is something that ROLIE does, and we need effectively internet-accessible, persistent resource identifier, which ROLIE uses Atom and URLs, basically, to satisfy that need. So it's, it's actually a really good fit for what both working groups need. Next slide.
I
Please. It's also applicable to a couple of other use cases, so we need to be able to define and publish checklists and support the identification and retrieval of what we're calling guidance, which are all the things I've just talked about. We all say to be able to detect when guidance changes, so metadata that's included in AtomPub can be used to determine if there's a change to a given entry. Next slide, please.
I
So next I wanted to talk a little bit about some of the challenges with how ROLIE is currently expressed. So in ROLIE every there's a lot. It's very CSIRT focused in general, um, a lot of the requirements and the normative portions of the, of the draft include the word CSIRT in most of the requirements. So it's basically targeting what CSIRTs need to do. So in the SACM context, ROLIE would be used by non-CSIRT organizations. It could be used by PSIRTs or just by organizations that are trying to provide security
I
automation data. Now, interestingly enough, most of the requirements that are targeted towards CSIRTs are also equally applicable to these other kinds of organizations, so we simply remove CSIRT from a lot of the requirements and targeted more towards just general implementations of ROLIE. We solve this problem. Next slide, please. The other problem.
H
I
Great, yeah, we would want to do something similar. Another issue is anonymous access to a repository is not something that's allowed by ROLIE currently. It basically requires user authentication, and there are plenty of types of guidance that may be provided that, that don't necessarily require any authentication, because organizations generally want to give that information away.
I
Things like configuration checklists, reports about vulnerabilities and SWID tags are an example of that. So one of the things that we might want to do is effectively require that implementations be able to support user authentication, but not necessarily require that all transactions be user authenticated, essentially. So then it becomes more of a configuration option. If you want a specific collection to be, to require authentication, you could basically require user authentication for that collection, but not for others.
I
Next slide, please. And other issues around server discovery. So there's some really loose, you know, generalized requirements around server discovery in the current ROLIE draft. We basically say that the service document, which describes all of the collections available within a ROLIE implementation, that it should be discoverable.
H
I apologize, I misspoke. I thought we were talking about the newly-created incident category, but the system impact class still does have a type attribute. Okay, the enumerated values are not what's in v1, they have been completely changed to be v2, but there is an extensible attribute that's there. Okay, look.
I
The challenge I think we have with these categories is it certainly applies to some classes of information like incident data, but it doesn't apply generally to all classes of information, even ones that are mentioned in ROLIE, like vulnerability information as an example, so we're probably going to want to do some scoping about how this categorization is used for different kinds of information, instead of requiring that it be provided for all information, because it doesn't always apply to all of the information that we would want to include using ROLIE. Next slide.
I
Please. So next steps: I plan to be driving some mailing list conversation, some discussion around, around these open issues, try to solicit some recommendations on, on how we can update the draft, propose some ideas as far as that's concerned, but I want to drive some working group consensus around how we're going to address that and plan to be producing an updated draft to address these issues as soon as we can close out some of those questions, I.
C
F
E
K
K
We're back, so this is over be open, a MILE information report, so this working group draft is going to be determinated, and so the burden is on a 0.6 that has submitted for than is 94 and the status. So in idea, merciful, meeting and I was relatively email relisted if there are other implementation related to IODEF that we are not but not received on this truck, please in home them as a mailing list, so result no updates, so I.
K
If I may, I would like to propose this one goodra fees and daily for determined. That is everything in this idea. 38 meeting.
E
Everybody did okay, I think everybody is happy to go for the working group last call for this draft because we discussed on this internet weeding and if we don't have any modification, we did have decided to do the last call this time. So if nobody objects here, I will just post email asking for the working group last call.
L
Hi everyone, this is Nancy Cam-Winget, so I'm not going to go over the XMPP overview again. So this is just a very quick update, since we've now confirmed that this is going to be adopted as a working group draft.
L
The next steps is for me to convert it into that, so that I won't make any updates just so that we have the pristine draft. We really do need to get more comments and feedback to the draft and then obviously the next steps would be to provide an update.
L
J
A
C
A
G
G
G
G
G
G
G
C
M
Hello, I'm Bob Moskowitz with HTT Consulting, working under contract to Huawei, and I'm new to this group. I came here a year ago and I was confused at the beginning. Sup like a my first slide here, and that was: where did MILE
M
get its information to act on? I didn't see that, and after talking to Notre people, being new here, what I was told was, well, it's proprietary management systems where the operators cut and paste and move to my environment accompany me tell me say: go over, look at TAXII, which I'm still looking over at TAXII on, and there was nowhere in the IETF any information that I was finding a year ago about where was the security alerts being collected and analyzed and fed into MILE? So it took me a little bit.
M
Time, took me a lot of time to finally come to some ideas here and so I look at how what is this first mile of the reporting events in, into the mountain vironment, how the analysis gets done? Other information gets there whether you can then have actionable communication between the administrators. So I don't know this work when I we did. This is really part of MILE or someplace else, but it's hot. Where does MILE gets information and the other thing that I looked at this out?
M
That this is that when you're getting security events, you may not be able to communicate it. Well, look at the work with over in DOTS requirements, that there may be some attack, which basically means that TCP is not going to work. We try to transport your, your alerts over TCP. You may never see the ACK or something else, because whatever attack may be occurring to you at that time, they make the ability to communicate challenging, or, um, state-based sapphic cheering for various things may be failing, so again, look at what we're doing DOTS requirements.
M
Look at some of the bad environments which can be occurring you're trying to get these reports generated. We get these alerts out. So looking at that I then start trying to say, well, how would I communicate this? So I said, well, um, next slide, please. So what we need is some pub sub pub process reporting system here, where a security monitor subscribes to the security defense system for selective reports. So if this is an ISP, it says I want this information, these, these alerts, or maybe some research or whatever, that they're going to do so.
M
And then a subscription publication process are obvious sort of stuff, and so I was looking at some work that Sue Hares and I've been doing in defining a secure session layer services environment, where I'm doing this in, I would start doing this in DOTS, where again we're in a very aggressive bad environment and where TCP state and other sorts of things can be then attack surfaces to ability to communicate, so I have a year ago, I created a security wrapper at the session.
M
I actually more than a year ago, are called SSE secure, search session security envelope, which is basically ESP moved up into the messaging environment. It moves here context within the messaging, reducing the attack surface such that TCP resets, other sorts of things will not break your state. You're independent: you can go to TCP, UDP, SMS. In fact, that's why I did at SSE originally, was for an SMS system, though, does not need the bidirectional that DOTS requires, and again you're basically sending alerts. Also where DOTS is bi-directional.
M
I don't see this environment as being so much a bi-directional communication, though the subscribe process, maybe view is adding bi-directional, so the needs that again, I had in DOTS may not be completely here, so how the subscription work again, working with some things that familiar with, and that is again on the other area that we were looking at this in I2RS.
M
So looking at NETCONF for the subscription, which is on there's, been a lot of work else when the IETF, um, pub/sub work with, with YANG modeling, and so you see this in NETCONF and we're looking at different ways to do this. So the idea here is that you have, you set up your relationship between the parties. Are you have you take your, your message?
M
You chunk it up and then you send it out over secure envelope, and so again this is the same as I2RS, but first, but here MILE a lot of stuff we're doing these environments may not apply. We pick and choose what you need kind of a thing, so trying to go here through quickly. I want to compare this to unless it will look at XMPP and what the works been done.
M
L
G
L
So the slides are there. We make clear distinction of why we did the XMPP-Grid, and that was we felt that it was important to separate what we call the control plane or management plane to say, if you have, especially in a federated environment, multiple parties that want to share information, there has to be the strong federation constraint, an authorization, no.
L
L
Is decoupled from the data plane in which you actually share information, and that.
L
M
And that's what I'm saying that, that has a potential failure environment that, that data communication from that frontline defense unit to the monitor. If there's attack the TCP ACK will not get through. You not know that it's completed and there's other sorts of attacks which are identified in the DOTS requirements. Doing over UDP has a slightly better chance of success, um, than over TCP does. Potentially switching it between the environment from TCP to UDP.
M
When needed is something else which may be a value and even be able to go to some other method of communication. Maybe of desire are so, so it's not the control plane which I'm questioning, it's the data plane portion of it. In this regard, and in fact, though, I've done this person I'll try to identify the very briefly because I'll say that really did this very reason: I felt together, I edge astray, shun some pub sub model.
M
It's really talking more about how the data is communicated, how this is set up, and it's very agnostic to a large extent of what is a particular data model registration model you have, and if you can look at XMPP, are that particular protocol. If you wanted to run over UDP, it's almost like, why not? So the FSL less provides a transport company and message layer, security desired and XMPP can be used as a pub sub function.
M
N
That's why I was asking about the extra p we really wanted to see if we could play around with itseif. You know learn a little bit more about the environment, because in, in the management plane we're trying to do, we were just trying to learn if it was a good thing, if it was a bad thing. So that's why I was asking about soap.
M
Slide, please. So in fact, along that since I published this draft and going and going back again on the XMPP-Grid draft, so it's two paths I can, I can go from here. One is it take the work?
M
So I don't necessarily see a, you know, it's kind of like where you may want to go here on this in terms of how I spend my time in F which direction I go with it and it's safe. Do we want to look more at what the YANG data modeling for IODEF may look like, and how that pub sub model works here, or do I say no, let's go with XMPP in support of IODEF, but let's address the communication security concerns and how to strengthen that portion, um, I can work in either direction.
M
Moving forward on this or I can work in both directions. Moving forward on it, so it's I bring. This I bring this to the work group, because I did see that there was, and also in I2NSF of how the information gets into the I2NSF. Monitoring, which was last question, is responded to in terms of the analytics.
M
M
I think it's going to be very interesting is the next step and that's what I'm trying to do here in positioning this as a way to address attack you're seeing elsewhere, being able to make these communications to go to get those first level alerts into the system wherever that may be, and then work with what people feel is a good tool for working with that. So that's why I like to offer on to this work group. So any further questions, um, on what I've trying to present our did is pretty fast and seda.
M
Drafts are really new and missing a bit. Ask questions, there'll be another version coming out, hopefully within a month, which will address questions being asked to richen them up, or else it may be. As I said, I may say: here's how this works with the underneath XMPP cool grid to support it in this environment. I can go either direction.
L
Just always confused, so you had a slide that said there were requirements, so absolutely agree that they're stronger requirements in DOTS than SACM, for example, right, and I2RS work but sue so I was trying to figure out. It wasn't clear to me what problems you were trying to solve for MILE and whether your request is just the convergence within MILE or whether you're trying to broaden it, and I say this because, as I've been working with ANIMA, I suggested that similar work was being done.
L
Geez, I should know this: the IOT sixth ish anyway, and so we're now proactively working to make sure that ANIMA defines that framework and then they'll be I'm, not sure how the other groups are gonna do it. This.
M
Is this yeah? Oh, this is real question. This may not belong in MILE, because MILE is this administrative administrative help process by saying where do now get this information to act? That so is this part of MILE, or is this since I2NSF is addressing security monitoring? Is an community device is really an I2NSF, um, function which ties into MILE? You know, that's the sort of question where I'm coming from on this.
M
Do you want to, and you do have private in the XMPP-Grid which you have adopted that allows for this, this, this first mile process. So it's like we're. You want to go with this. Do you want to see some more activity in this or you say you know this? Let's, let's take this over to NSF, because it is the general security messaging or is it because ANIMA is not again all I, don't think it is no.
G
L
A
N
N
So when you got these two structures and by the way some routing systems have, as you know, security pieces. So in looking at all these pieces together, you come to the place that either a security system or a routing system, do they go off and report to CERT or how does that all work together in looking at, you know, did we get all the pieces right? So some of this is questions for when I was going through the review again of the I2NSF system.
L
L
Well, no, but I think that's what we were getting to, right, when you mentioned. We've got there trying to work on the management side because the I2RS, right. The chairs at the time were very clear in drawing that boundary, right, right. Remember the application, because we were trying to put the whole even.
L
L
G
L
M
Yeah, who, who am I going to share? No, I'm a defense to box, I'm a firewall, whatever, a home router or corporate router. Who am I going to send what's happening to me? To my ISP for one. Whom else might be sending the information to? That's that registration process. Then in terms of what information is sent, that's the subscription.
O
Flemming Andreasen. Could you pull up the slide again where you made the references to DOTS? Yeah, I guess I'm all confused about the analogy, because, maybe on, on I'm unclear of the scope of what MILE is trying to do? Are you suggesting that MILE applies in basically where we would have signaling between a DOTS client and the DOTS server, because I would have thought that an incident would live at a level higher than that? So I'm not clear on why you think that the DOTS requirements necessarily apply to MILE? It's.
M
The does MILE going to be concerned with how it got the actionable items. Where do the actual items in MILE going to be coming from, it's going to remain this human inner human action, we're looking at whatever is doing that female system or going to try to get some automation of the process into MILE? That's why call it first mile, sure, and so looking at so where's the information can be coming from and it may be coming from a DOTS server. I maybe come from a DOTS client, you just don't firewall what.
O
Will that I'm? So that's the critical question to me when you make the analogy. I can see that it could come from a DOTS server, because you could argue that a DOTS server can take all the information that it's getting and turning that ant, that into incidents. I don't think, I mean, the way we had to find out clients. There is anything in advance clients who suggest that it would be generating incidents. It generates data, of course, that alerts a DOTS server about attacks, et cetera, I.
M
But there are types of security events which are not duct in that, um, DDoS attacks. There are things which are happening which to the box. Is that a we got somebody out here, who's to who is doing whatever sort of things? Try and Mac done all these classes of firewalls and it's we gotta take some action, we're seeing all these, these things, it's those other men on security events which are not DOTS security events.
M
How dig in the system there hope there are I think all classes of security events which I saw something like I. Remember them, TCP SYN resets. Do we care about those? Maybe we don't care about them, but if we're seeing this a clock across a wide selection of boxes, somebody's trying to, to poke at boxes to trying to knock them down to find flaws by how they respond, and this comes back so you want to know that you seen these sorts of events occurring.
M
This may go to an analytic system which then analyzing all these ports, which, in all I'm seeing these sorts of events, I'm seeing things to death or to try and knock down the boxes or there was a, there's a particular SCADA device which, which the SCADA device manufacturer thought, be really cool and full TCP, because they only do UDP, and then they found out that you did send a TCP port scan to the box and watch the boxes fall over because of end all the manufacturers. These pull teeth.
M
I don't think it is I, and, and I welcome this analysis, because I am not, don't even claim to be the material expert in this area and I need to learn more from you, people, and I, I think in terms of DOTS, you are most likely right is the DOTS server and then it is probably self Niner TAC and doesn't have the challenges of a, of a firewall, home router, corporate router, which is seeing all these.
M
H
So I think part of my question is already been answered. Roman Danyliw, Carnegie Mellon. So there's some goodness that comes with this approach. I guess what I'm getting lost in is we talk about what that additional goodness is, there's a lot of discussion of a lot of other people's requirements and I feel like we need to narrow down. What's the requirement we have for MILE, what, what, which requirement, if we could articulate it, is satisfied by kind of this? I think it part it comes down to there's some channel properties. We say we want.