RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

Scott Kitterman <scott@kitterman.com> Tue, 08 May 2012 05:49 UTC

"Murray S. Kucherawy" <msk@cloudmark.com> wrote:

>> -----Original Message-----
>> From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of Scott Kitterman
>> Sent: Monday, May 07, 2012 3:35 PM
>> To: ietf@ietf.org
>> Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
>> 
>> My suggestion would be to change the last part of section three to
>> read:
>> 
>>    When any authentication failure report [AUTHFAILURE-REPORT] is generated
>>    that includes the "Source-IP" reporting field (see Section 3.1 of
>>    [AUTHFAILURE-REPORT]), this field MAY also be included.
>> 
>> Other than that, I think it's ready to go.
>
>If all one is doing is figuring out why something like a DKIM signature
>failed on an otherwise legitimate message, then I agree the source port
>isn't a useful input to that work.  In fact, as far as DKIM goes, the
>source IP address is probably not useful either.
>
>If, however, one is trying to track down the transmission of fraudulent
>email such as phishing attacks, source ports can be used to identify
>the perpetrator more precisely when compared to logs.  Support for this
>latter use case is why I believe RECOMMENDED is appropriate.

Which is exactly the case (abuse report) the second to last paragraph takes care of.  I agree RECOMMENDED is appropriate there and you have it there.

For auth failure analysis I read you as agreeing it's not needed.  There are some authorization methods that use IP address, so I don't think that for auth failure reports inclusion of IP address and source port are comparable.

Based on your response, I don't understand your objection to dropping the RECOMMENDS for auth failure reports and keeping it for abuse reports?
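
An added illustration, not part of the original message or of the draft: how a report's Source-Port narrows a match against logs in the abuse-tracking case discussed above. The shared-address gateway, its log format, the function names and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed machine-readable part (message/feedback-report) of an abuse report.
REPORT = """\
Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.10
Source-Port: 40213
Arrival-Date: Tue, 08 May 2012 05:49:08 +0000
"""

# Constructed log of a hypothetical gateway that shares one public address:
# ISO timestamp, public IP, public source port, internal host.
GATEWAY_LOG = """\
2012-05-08T05:49:05+00:00 192.0.2.10 40213 10.0.0.7
2012-05-08T05:49:06+00:00 192.0.2.10 51877 10.0.0.9
2012-05-08T05:49:07+00:00 192.0.2.10 40990 10.0.0.12
2012-05-08T07:30:00+00:00 192.0.2.10 40213 10.0.0.31
"""

def parse_report(text):
    # The report part uses header-style "Name: value" fields.
    fields = HeaderParser().parsestr(text)
    port = fields.get("Source-Port")
    return {
        "ip": fields["Source-IP"].strip(),
        "port": int(port) if port is not None else None,
        "when": parsedate_to_datetime(fields["Arrival-Date"]),
    }

def candidates(report, log_text, window=timedelta(seconds=60)):
    # Internal hosts whose logged connection matches the report.
    hosts = set()
    for line in log_text.splitlines():
        ts, ip, port, host = line.split()
        if ip != report["ip"]:
            continue
        if abs(datetime.fromisoformat(ts) - report["when"]) > window:
            continue
        # Without a reported port, every host behind the address stays a candidate.
        if report["port"] is None or int(port) == report["port"]:
            hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    print(candidates(parse_report(REPORT), GATEWAY_LOG))
```
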