IETF Logo Mail Archive

Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

Scott Kitterman <scott@kitterman.com> Mon, 07 May 2012 22:35 UTC

Return-Path: <scott@kitterman.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13E8B21F86C4 for <ietf@ietfa.amsl.com>; Mon, 7 May 2012 15:35:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KrzrEb1ErwUI for <ietf@ietfa.amsl.com>; Mon, 7 May 2012 15:35:18 -0700 (PDT)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id 1371321F86B6 for <ietf@ietf.org>; Mon, 7 May 2012 15:35:18 -0700 (PDT)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 16EAF20E40D0; Mon, 7 May 2012 18:35:17 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1336430117; bh=X6/Sh4u3oO16cpKz9dti+XBBDZxK4HgOEtC2stZ68Os=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Transfer-Encoding:Content-Type; b=dPHj7sUKF1YQjLgD++0Hkk8AljP7mGL4cDptWW73KKIjZtDlECb95YZiAzJgBw5ys vOPe+KkcV9MOmZss8g4k/Y00ROrolOrsMMMGfdDiuK4kkRGy6GH++1Unsi+z9zo9R5 hJ/cLomIlyuBPJ+wPW+4alOhGM6m4lNjmVl1Afh0=
Received: from scott-latitude-e6320.localnet (unknown [12.50.158.66]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id C73FB20E4095; Mon, 7 May 2012 18:35:15 -0400 (EDT)
From: Scott Kitterman <scott@kitterman.com>
To: ietf@ietf.org
Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard
Date: Mon, 07 May 2012 18:35:11 -0400
Message-ID: <1755826.2gyQD9Uvee@scott-latitude-e6320>
User-Agent: KMail/4.8.2 (Linux/3.2.0-24-generic-pae; KDE/4.8.2; i686; ; )
In-Reply-To: <20120507195025.19948.3410.idtracker@ietfa.amsl.com>
References: <20120507195025.19948.3410.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2012 22:35:19 -0000

On Monday, May 07, 2012 12:50:25 PM The IESG wrote:
> The IESG has received a request from an individual submitter to consider
> the following document:
> - 'Source Ports in ARF Reports'
>   <draft-kucherawy-marf-source-ports-03.txt> as Proposed Standard
...

I think adding the source port field has value, particularly for abuse 
reporting, but I think making it RECOMMENDED for authentication failure 
reporting is not appropriate.

The last two paragraphs of section three read (trivial typo - there's an extra 
new line in the first paragraph that I removed here):

   When any report is generated that includes the "Source-IP" reporting
   field (see Section 3.2 of [ARF]), this field SHOULD also be present,
   unless the port number is unavailable.

   Use of this field is RECOMMENED for reports generated per
   [AUTHFAILURE-REPORT] (see Section 3.1 of that document).

The first corresponds to use in abuse reporting.  As described in this draft 
and the references, I think the addition of source ports for abuse reports is 
well justified.  OTOH, if you look at Section 3.1 of RFC 6591  [AUTHFAILURE-
REPORT], it gives the purpose of the most of the various data elements it 
RECOMMENDS as "to aid in diagnosing the authentication failure."

I'm not aware of any authentication methods supported by RFC 6591  
[AUTHFAILURE-REPORT] where source port makes a difference in authentication 
results.  If RFC 6591 is extended in the future to include one that does, that 
would be the time to make source port RECOMMENDED for authentication failure 
reports.  In the mean time it's just additional overhead and message size.

My suggestion would be to change the last part of section three to read:

   When any authentication failure report [AUTHFAILURE-REPORT] is generated
   that includes the "Source-IP" reporting field (see Section 3.1 of
   [AUTHFAILURE-REPORT]]), this field MAY also be included.

Other than that, I think it's ready to go.

Scott K

v2.23.0 | Report a Bug | By Email