• Status updates of work items (FOD/SecEventProcessing/CT)
• Status of DDoS Detection/Mitigation WG
• Announcement mail about the DDoS survey to CERT/CSIRT mailing lists
• GN Best Practice Guide for Virtual Meetings and TCP (-> Documents) @All: Please read the documents (3 attachments) and think about how the information in them may be applied to our task to improve it.
Tomas and Vaclav agreed to provide development manpower in the coming months to help get the new FOD version running and tested and to help implement the needed features.
Evangelos added accounts for Tomas and Vaclav on the FOD testing machines. There are issues with missing sudo rights for Tomas/Vaclav on both FOD test machines; Evangelos will fix this. There are also issues with access to the FOD web GUI; Evangelos will add local accounts within FOD on both test machines to handle this.
In progress: The first target is to get familiar with the FOD code and installation by investigating what needs to be done for the port range feature. After that (or in parallel as far as possible), the next target is to get the new (github) version running on the second FOD test machine and test its REST API.
Tomas sent a detailed mail about his investigation/development before the meeting:
- Currently he is working on the GUI and the internal part of FOD for the port range feature.
- Next steps will include investigating and checking the celeryd part, which actually installs the BGP FlowSpec rules via NETCONF.
- Basically, it turned out that the GEANT core routers do not support the port range feature with BGP FlowSpec directly at all.
- -> A rule with a port range will have to be translated to a list of rules (one for each port in the range).
- -> Enforce a limit on the size of the ranges which can be specified, e.g. 100.
- Plan: have the port range feature working at the start of January 2017; if possible, also find out about running the new version (depending on difficulty).
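The translation described above, as an added illustration that is not part of the minutes or of the FOD code base: a rule with a port range is expanded into one single-port FlowSpec rule per port, and the range size is capped. The rule fields, the `FlowSpecRule` name, the `MAX_RANGE_SIZE` value and the extra cap on the total number of generated rules (ranges on both source and destination ports multiply) are assumptions of this example.

```python
# Added example: expand a port-range rule into per-port BGP FlowSpec rules and
# enforce a size limit. Rule format and names are assumptions, not FOD's own.
from dataclasses import dataclass, replace
from itertools import product
from typing import List, Optional, Tuple

MAX_RANGE_SIZE = 100  # limit suggested in the minutes ("e.g. 100")

PortSpec = Optional[Tuple[int, int]]  # (low, high) inclusive; None = any port


@dataclass(frozen=True)
class FlowSpecRule:
    src_prefix: str
    dst_prefix: str
    protocol: str
    src_port: PortSpec = None
    dst_port: PortSpec = None
    action: str = "discard"


def parse_port_spec(text: str) -> PortSpec:
    """Parse '80' or '8000-8100' into an inclusive (low, high); '' means any port."""
    text = text.strip()
    if not text:
        return None
    low, _, high = text.partition("-")
    low_i = int(low)
    high_i = int(high) if high else low_i
    if not (0 <= low_i <= high_i <= 65535):
        raise ValueError(f"invalid port specification: {text!r}")
    if high_i - low_i + 1 > MAX_RANGE_SIZE:
        raise ValueError(f"port range {text!r} exceeds limit of {MAX_RANGE_SIZE} ports")
    return (low_i, high_i)


def expand_rule(rule: FlowSpecRule) -> List[FlowSpecRule]:
    """Translate one rule with port ranges into a list of single-port rules.

    A range on src and a range on dst multiply (Cartesian product), so the
    total is capped as well (assumption): 100 x 100 would otherwise produce
    10,000 FlowSpec entries on the router from a single user request."""
    def ports(spec: PortSpec):
        return [None] if spec is None else [(p, p) for p in range(spec[0], spec[1] + 1)]

    combos = list(product(ports(rule.src_port), ports(rule.dst_port)))
    if len(combos) > MAX_RANGE_SIZE:
        raise ValueError(f"expansion would produce {len(combos)} rules (limit {MAX_RANGE_SIZE})")
    return [replace(rule, src_port=s, dst_port=d) for s, d in combos]
```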
DDoS D/M WG
Nino is busy today with testing the Radware installation at GARR. He will report on this experience later.
fastnetmon testing by GARR: GARR netflow data is already being mirrored to fastnetmon. The exporter parameters of the production routers still have to be tuned; a method for doing this without influencing production is being investigated. Machines for this are still missing. Nino will provide first intermediate testing results of fastnetmon on the wiki page "fastnetmon testing".
Albert: Surfnet is preparing the replacement of their ARBOR devices. This will continue in 2017. When more information and experience is available, Albert will share this.
GEANT is starting to evaluate an A10 box for mitigation in combination with the DDoS Defender module of flowmon for detection. Testing and comparing this with solutions from Deepfield, Radware and CORSA is also being considered.
-> In future, FOD will have to be extended to support not only plain BGP FlowSpec, but also the A10 REST API and similar APIs/interfaces for the potential other solutions.
-> In future, FOD will not only have to submit flow rules but also read from BGP (in a multi-domain scenario).
Evangelos, Simona and Tomas will attend the next TF-CSIRT meeting. Tomas will give a hands-on tutorial for the CESNET DDoS detection/mitigation system.
Evangelos: Check with Silvia about GARR's interest in receiving NShaRP alerts.
Create a new Foodle for the DDoS D/M WG VC next year.
DDoS D/M Survey
Evangelos prepared a nice announcement/invitation mail for the survey. After review on the mailing list, he will now send it out to the NREN CERT/CSIRT mailing lists provided by Simona.
RepShield
- lots of internal changes
- reimplementation of the storage of incoming alerts in a PostgreSQL DB for better performance
- new users and new data contributors
CT
v0.9 was released at the end of November:
- pre-production version
- nearly feature-complete
- lacking only some parts for configuration and for running a log distributed over multiple domains
Feature complete version planned for January 2017.
v1.0 planned for 2017Q1.
GN Best Practice Guide for Virtual Meetings and TCP
Currently, the best practices in the Best Practice Guide for Virtual Meetings are more or less already followed in our VCs, but we may check in future which points might still be improved.
Regarding the team communication plan (TCP): T6 currently uses a mailing list, chats (skype/jabber), VC (zoom) and the wiki. The wiki seems the appropriate place for an explicit TCP in future. -> Idea: work on this in future as a kind of overview/navigation page, especially when more information and more pages come to the wiki.
F2FMtg Planning
Create a new Foodle for it next year.
Next VC
In 4 weeks, as David is on holiday from 15-31.12.2016: 04.01.2017, 14:15-14:45 CET
Action items
Evangelos: fix sudo rights for Tomas/Vaclav on the FOD test machines
Evangelos: add FOD local accounts for Tomas/Vaclav on both FOD test machines (for access to the FOD web GUI)
Tomas: investigate/develop the port range feature (planned for the start of January) while continuing to investigate the FOD code and the installation of the new version
Nino: if possible, provide first intermediate testing results of fastnetmon on the wiki page "fastnetmon testing"