Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

Douglas Otis <dotis@mail-abuse.org> Tue, 08 May 2012 00:59 UTC

On 5/7/12 3:35 PM, Scott Kitterman wrote:
>  On Monday, May 07, 2012 12:50:25 PM The IESG wrote:
> > The IESG has received a request from an individual submitter to
> > consider the following document: - 'Source Ports in ARF Reports'
> > <draft-kucherawy-marf-source-ports-03.txt> as Proposed Standard
>  ...
>
>  I think adding the source port field has value, particularly for
>  abuse reporting, but I think making it RECOMMENDED for authentication
>  failure reporting is not appropriate.
>
>  The last two paragraphs of section three read (trivial typo - there's
>  an extra new line in the first paragraph that I removed here):
>
>  When any report is generated that includes the "Source-IP" reporting
>  field (see Section 3.2 of [ARF]), this field SHOULD also be present,
>  unless the port number is unavailable.
>
>  Use of this field is RECOMMENDED for reports generated per
>  [AUTHFAILURE-REPORT] (see Section 3.1 of that document).
>
>  The first corresponds to use in abuse reporting. As described in
>  this draft and the references, I think the addition of source ports
>  for abuse reports is well justified. OTOH, if you look at Section
>  3.1 of RFC 6591 [AUTHFAILURE-REPORT], it gives the purpose of
>  most of the various data elements it RECOMMENDS as "to aid in
>  diagnosing the authentication failure."
>
>  I'm not aware of any authentication methods supported by RFC 6591
>  [AUTHFAILURE-REPORT] where source port makes a difference in
>  authentication results. If RFC 6591 is extended in the future to
>  include one that does, that would be the time to make source port
>  RECOMMENDED for authentication failure reports. In the meantime
>  it's just additional overhead and message size.
>
>  My suggestion would be to change the last part of section three to
>  read:
>
>  When any authentication failure report [AUTHFAILURE-REPORT] is
>  generated that includes the "Source-IP" reporting field (see Section
>  3.1 of [AUTHFAILURE-REPORT]), this field MAY also be included.
>
>  Other than that, I think it's ready to go.

Dear Scott,

Agreed.  Logging ports translated by LSNs is not recommended.  The only 
tangible data represents the source IP address made available by LSN 
services.  Both of which touch upon the changes you recommend.   At some 
point, authentication reporting also needs to be updated as well.

Regards,
Douglas Otis