IETF Logo Mail Archive

Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Wed, 28 November 2018 14:45 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03538130DCD; Wed, 28 Nov 2018 06:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=SDqC4iEY; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=UyZqGd6e
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmeMv_nHWFyj; Wed, 28 Nov 2018 06:45:22 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB853130FD9; Wed, 28 Nov 2018 06:45:21 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 1288C22F5B; Wed, 28 Nov 2018 09:45:21 -0500 (EST)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Wed, 28 Nov 2018 09:45:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:references:subject:date:in-reply-to; s=fm1; bh=h9Y Y9vMwZsgCvj0FBvn3C4T9nhDb2/hpqWiaLDCf/rg=; b=SDqC4iEYKPCaQrrSfbW b4UOgyTbdo8dNbhi5kQmrALPA+YY5Pnd/plAxq2roRIJWh2931v5A/RmuleaAgmr FqORW76I6OWJHoGIe/xuoreH4iAfMbrsagLUmEfiZkHtdGnfsN507BTd+AsM0PVB z1gIfy/IOIAqD41R+KNRJ51WJAV/9+wbhbonDX9/HJUkbkZ2UiXMYGyIxyUDhQWe tTDnzWIeP8zUGkw7sq6GEQgKtlEsg5NE/p4wX3ZHvAbK2JjG3L0IlrepHmvk+WoV 5hmSLa+XI7wfpKnWwShnTKXbruDnQR2vvsDX13/Zb8iXvOxXfTSLhUzKCLRF6rGv KFw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=h9YY9vMwZsgCvj0FBvn3C4T9nhDb2/hpqWiaLDCf/ rg=; b=UyZqGd6eodvFyzvdNsAcpEkgyQkq1HaSabuNQdC9LVSYt0heYwP98YWpM ZsMDWIFWXsGJ9Gih8TffggcvKgyns8pYqfIBi55pStnGSjhTHXDXjk4ma4QxCpbW uQTewcqyOubJDoQiRDgeh4scyrL1/0IPS5cjpBtAyKaK0kGYzWrfHjcgYEPuFebw vrmdP8szv3ZUufSbCDOvbiVAflP6sWe7OPXoMc4RJMU7/fpfsp9iOlkTY/NZtkU5 qltlklLpscQBB+ffIFjIWk8nuu9DCW3Tt95wG+0uZcMa/E0y+vtApK2Or9YuJ08e YXWP9PYWc4KFobbrYmjsIVONeTb/A==
X-ME-Sender: <xms:AKr-W-KB50-xoM53NV78cF2Stxd4XNXq-CvKzkzJi6Nsr1Gfvissqg>
X-ME-Proxy: <xmx:AKr-W8AwvSrwufcIGcTbFOlXgeQzNWkkFDP-L2-76ZOiWIkcLcJ28A> <xmx:AKr-WzvQmMV3xjnDQjxH8kBLaNMLbsRpa1_7TAB9R9mvzze6K-KRrw> <xmx:AKr-WwepQW7YHJ_8UfSLzR6B-DO1gtMpkYJOxUAjdtLZziXlTv8FNQ> <xmx:AKr-W4-SCFfZqeAamlRQk1V4d6c_eyNZ-Mopy-ts9CVjx1_ROSediQ> <xmx:AKr-WzTB2hKdcCaxCLUlkGaoNku13Ri18fZVIy-s0fiUOyr2P5bWrw> <xmx:Aar-WzgMrjPySEVynbiWcqKqBKbIqAotgbPzhq4rt1tLpu3rPeWYJA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 787499E26C; Wed, 28 Nov 2018 09:45:20 -0500 (EST)
Message-Id: <1543416320.998512.1591850400.59F3419D@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Sara Dickinson <sara@sinodun.com>, Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-dns-capture-format@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_15434163209985120"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-3449945b
References: <154265985064.16386.5550594646862412061.idtracker@ietfa.amsl.com> <BF3169F5-E68D-4C68-80D7-1772E7A9EDEA@sinodun.com> <1542811322.1310112.1584530512.0785569A@webmail.messagingengine.com> <4D2E72B7-1EEE-4BD2-8200-B688074AE5E3@sinodun.com> <CAHw9_iLuNYHHnMz_jgOA2JwTDNWUkRb9TVkT8zwKedNT9LUBmQ@mail.gmail.com> <ca821f6f-26de-f2f8-7e63-d9cb8dcfdf60@rfc-editor.org> <CAHw9_i+6MRiGOeDh5+5tVwajFhCCbgRgSnio04yqUGLbHKyHEw@mail.gmail.com> <CAHw9_iLxsEw4PQ4=Vu1ghhGGEPvS8pBuB9G7buiFMDjNB=m1cg@mail.gmail.com> <FA6BBBB2-D535-4597-8923-5307390D9462@icann.org> <CAHw9_iKEsfjpC2FzjKaaUz=oR_S9WNPNg+EuvBmi_n_CUpC8mQ@mail.gmail.com> <7E59D98E-7350-43FB-BE47-4E2691D5872F@icann.org> <1543316753.3027969.1590279856.6CEC8EC7@webmail.messagingengine.com> <88A3AB64-7E17-4EB8-A6FC-1D425F3F7AFF@icann.org> <71BDC7C1-ECF0-40F8-9225-F801A61AD864@sinodun.com>
Date: Wed, 28 Nov 2018 14:45:20 +0000
In-Reply-To: <71BDC7C1-ECF0-40F8-9225-F801A61AD864@sinodun.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eJ2iUWbLbIaW6QZQN-WvGsz8G9M>
Subject: Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2018 14:45:26 -0000

On Wed, Nov 28, 2018, at 1:38 PM, Sara Dickinson wrote:
> 
>> *From: *Paul Hoffman <paul.hoffman@icann.org>
>> *Subject: **Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-
>> 08: (with DISCUSS and COMMENT)*>> *Date: *27 November 2018 at 14:59:51 GMT
>> *To: *Alexey Melnikov <aamelnikov@fastmail.fm>
>> *Cc: *dnsop <dnsop@ietf.org>, The IESG <iesg@ietf.org>
>> 
>> On Nov 27, 2018, at 3:05 AM, Alexey Melnikov
>> <aamelnikov@fastmail.fm> wrote:>>> 
>>> On Tue, Nov 27, 2018, at 2:10 AM, Paul Hoffman wrote:
>>>>  | filter           | O | T | "tcpdump" [pcap] style filter
>>>>  | for      |>>>>  |                  |   |   | input.
>>>>  |                  |   |   | |>>>> 
>>>> 
>>>> On Nov 26, 2018, at 6:05 PM, Warren Kumari <warren@kumari.net>
>>>> wrote:>>>>> ... that is where we started.
>>>>> The concern was what happens if there are new filters added, and
>>>>> implementations written don't know how to deal with them.>>>> 
>>>> New filters being added to tcpdump (or even removed) doesn't
>>>> affect a C->>>> DNS application from reading or writing that field. It's just
>>>> a text>>>> string. 
>>> 
>>> I think this depends on how the field is used.
>>> 
>>> If you want to write an application that validates or does something
>>> with this field, that wouldn't be true.>>> If you think that writing such an application is a dumb idea, then
>>> the draft should clearly state that.>> 
>> My interpretation of the spec has been all along that this field, as
>> well as the other fields in CollectionParameters, were informational
>> for whomever is looking at the particular capture. "Parameters
>> relating to how data in the file was collected" seemed sufficient for
>> that. If the authors added "These parameters are informational are
>> only informational and cannot necessarily be validated by looking in
>> the data captured", would that satisfy your concern?> 
> Paul is correct in that the _intention_ of including these fields is
> just to provide informational meta data about the capturing process. I
> would suggest we change the first sentence of the section to be:> 
> “Parameters providing information to how data in the file was
> collected (applicable for some, but not all collection environments).
> The values are informational only and serve as hints to downstream
> analysers as to the configuration of a collecting implementation. They
> can provide context when interpreting what data is present/absent from
> the capture but cannot necessarily be validated against the data
> captured.”I can live with that, but I would like you to in particular add a note
that pcap filter value should not be trusted, as it effectively can
contain arbitrary text string.
> Given that, I’m hoping the short reference is acceptable
> http://www.tcpdump.org/manpages/pcap-filter.7.html?Yes.

v2.23.0 | Report a Bug | By Email