IETF Logo Mail Archive

Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

Sara Dickinson <sara@sinodun.com> Wed, 28 November 2018 13:40 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5885A130FAF; Wed, 28 Nov 2018 05:40:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RH6WwVZjYw_g; Wed, 28 Nov 2018 05:40:05 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31F85130FC2; Wed, 28 Nov 2018 05:40:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=balrog-2018; h=To:Date:Subject:From; bh=wRVt9fkK/yHEqVf9nF7S/MhaWVcUwOBsobqNE06Kqe8=; b=hxkO3LG7iMGhSh7UyUz3osqD7/ ajiw1f2Ot5xktVaDsOH09K7uA3T3byJs1BRTxHVEshIHVFUg25c21pcYmrUI8drLYnSBlxeMD9dIi Khcj9gQ1IAkYaL5A+caQT4BQ2kbqipVvPyLEOgvl6hLx0IwkDziBZH4/6UmHyzpYszqptotr8l85D x29MTSDbeVR6gQNOIaeqJu5XO90jfMTjo9sQHXIDUaaVu4o2BAzp5EXucc6LuQJAonecBk06KmPb5 91XJv41X309QxdwH6PCrzwoiNqqiv908CGre+NDAOq1Ipl1ECioYCXUgTYTGUeO+IgsLoNaa1onCF mWUyB2Xw==;
Received: from [2a02:8010:6126:0:69b6:98cd:c542:134c] (port=58605) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <sara@sinodun.com>) id 1gS04E-0004S7-2u; Wed, 28 Nov 2018 13:39:54 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <71BDC7C1-ECF0-40F8-9225-F801A61AD864@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC819ED3-431D-4397-8620-1D661E948601"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 28 Nov 2018 13:38:52 +0000
In-Reply-To: <88A3AB64-7E17-4EB8-A6FC-1D425F3F7AFF@icann.org>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, dnsop <dnsop@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-dns-capture-format@ietf.org
To: Paul Hoffman <paul.hoffman@icann.org>
References: <154265985064.16386.5550594646862412061.idtracker@ietfa.amsl.com> <BF3169F5-E68D-4C68-80D7-1772E7A9EDEA@sinodun.com> <1542811322.1310112.1584530512.0785569A@webmail.messagingengine.com> <4D2E72B7-1EEE-4BD2-8200-B688074AE5E3@sinodun.com> <CAHw9_iLuNYHHnMz_jgOA2JwTDNWUkRb9TVkT8zwKedNT9LUBmQ@mail.gmail.com> <ca821f6f-26de-f2f8-7e63-d9cb8dcfdf60@rfc-editor.org> <CAHw9_i+6MRiGOeDh5+5tVwajFhCCbgRgSnio04yqUGLbHKyHEw@mail.gmail.com> <CAHw9_iLxsEw4PQ4=Vu1ghhGGEPvS8pBuB9G7buiFMDjNB=m1cg@mail.gmail.com> <FA6BBBB2-D535-4597-8923-5307390D9462@icann.org> <CAHw9_iKEsfjpC2FzjKaaUz=oR_S9WNPNg+EuvBmi_n_CUpC8mQ@mail.gmail.com> <7E59D98E-7350-43FB-BE47-4E2691D5872F@icann.org> <1543316753.3027969.1590279856.6CEC8EC7@webmail.messagingengine.com> <88A3AB64-7E17-4EB8-A6FC-1D425F3F7AFF@icann.org>
X-Mailer: Apple Mail (2.3445.9.1)
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3LuIUQunAQn_5YNL7cnpP3qTiMI>
Subject: Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2018 13:40:19 -0000

> From: Paul Hoffman <paul.hoffman@icann.org>
> Subject: Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)
> Date: 27 November 2018 at 14:59:51 GMT
> To: Alexey Melnikov <aamelnikov@fastmail.fm>
> Cc: dnsop <dnsop@ietf.org>, The IESG <iesg@ietf.org>
> 
> On Nov 27, 2018, at 3:05 AM, Alexey Melnikov <aamelnikov@fastmail.fm> wrote:
>> 
>> On Tue, Nov 27, 2018, at 2:10 AM, Paul Hoffman wrote:
>>>  | filter           | O | T | "tcpdump" [pcap] style filter for      |
>>>  |                  |   |   | input.                                 |
>>> 
>>> 
>>> On Nov 26, 2018, at 6:05 PM, Warren Kumari <warren@kumari.net> wrote:
>>>> ... that is where we started.
>>>> The concern was what happens if there are new filters added, and implementations written don't know how to deal with them.
>>> 
>>> New filters being added to tcpdump (or even removed) doesn't affect a C-
>>> DNS application from reading or writing that field. It's just a text 
>>> string. 
>> 
>> I think this depends on how the field is used.
>> 
>> If you want to write an application that validates or does something with this field, that wouldn't be true.
>> If you think that writing such an application is a dumb idea, then the draft should clearly state that.
> 
> My interpretation of the spec has been all along that this field, as well as the other fields in CollectionParameters, were informational for whomever is looking at the particular capture. "Parameters relating to how data in the file was collected" seemed sufficient for that. If the authors added "These parameters are informational are only informational and cannot necessarily be validated by looking in the data captured", would that satisfy your concern?

Paul is correct in that the _intention_ of including these fields is just to provide informational meta data about the capturing process. I would suggest we change the first sentence of the section to be:

“Parameters providing information to how data in the file was collected (applicable for some, but not all collection environments). The values are informational only and serve as hints to downstream analysers as to the configuration of a collecting implementation. They can provide context when interpreting what data is present/absent from the capture but cannot necessarily be validated against the data captured.”

Given that, I’m hoping the short reference is acceptable http://www.tcpdump.org/manpages/pcap-filter.7.html? <http://www.tcpdump.org/manpages/pcap-filter.7.html?> 

Regards

Sara.

v2.23.0 | Report a Bug | By Email