Re: [Int-area] Logging Recommendations for Internet-Facing Servers

"SHEPPARD, SCOTT" <> Tue, 17 June 2014 14:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 14AE51A0025 for <>; Tue, 17 Jun 2014 07:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z9fELffPP8CE for <>; Tue, 17 Jun 2014 07:37:32 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EBF841A0002 for <>; Tue, 17 Jun 2014 07:37:30 -0700 (PDT)
Received: from unknown [] (EHLO by with ESMTP id (envelope-from <>); Tue, 17 Jun 2014 14:37:30 +0000 (UTC)
X-MXL-Hash: 53a052aa7e1f148b-d3bc42dd7574d90e00ce5d791dce6c98a381d78c
Received: from unknown [] (EHLO by over TLS secured channel with ESMTP id (envelope-from <>); Tue, 17 Jun 2014 14:37:22 +0000 (UTC)
X-MXL-Hash: 53a052a21cf3565d-2243d0e9a736197eb2fab977709d95443db2ee84
Received: from (localhost []) by (8.14.5/8.14.5) with ESMTP id s5HEb9iY006264; Tue, 17 Jun 2014 10:37:09 -0400
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id s5HEb0j9005965 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Jun 2014 10:37:01 -0400
Received: from ( []) by (RSA Interceptor); Tue, 17 Jun 2014 14:36:50 GMT
Received: from ([]) by ([]) with mapi id 14.03.0174.001; Tue, 17 Jun 2014 10:36:50 -0400
To: "" <>, S Moonesamy <>, Igor Gashinsky <>, Donn Lee <>, Scott Sheppard <>, "" <>
Thread-Topic: [Int-area] Logging Recommendations for Internet-Facing Servers
Thread-Index: AQHPiUhYOawrDqtSa0WGCiVbPeYIxZt1h/cA///WP2A=
Date: Tue, 17 Jun 2014 14:36:50 +0000
Message-ID: <>
References: <> <787AE7BB302AE849A7480A190F8B9330018425@OPEXCLILM23.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330018425@OPEXCLILM23.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-AnalysisOut: [v=2.0 cv=OMyQK1mB c=1 sm=1 a=VXHOiMMwGAwA+y4G3/O+aw==:17 a]
X-AnalysisOut: [=Fb9rBCq8oXkA:10 a=ofMgfj31e3cA:10 a=jaRjaomdIKgA:10 a=BLc]
X-AnalysisOut: [eEmwcHowA:10 a=8nJEP1OIZ-IA:10 a=zQP7CpKOAAAA:8 a=XIqpo32R]
X-AnalysisOut: [AAAA:8 a=z9tbli-vAAAA:8 a=48vgC7mUAAAA:8 a=nfdo3q8sAAAA:8 ]
X-AnalysisOut: [a=W_ckQWI9AAAA:8 a=tperLt4SMB9uEP9AkhUA:9 a=wPNLvfGTeEIA:1]
X-AnalysisOut: [0 a=DswvqmXAlqEA:10 a=6twC2c18jGIA:10 a=2mDhba3wg4UA:10 a=]
X-AnalysisOut: [7Nb30phM6KoA:10 a=JedbxzJ0HZAA:10 a=Hz7IrDYlS0cA:10 a=oAXR]
X-AnalysisOut: [_kdF8uMA:10 a=lZB815dzVvQA:10 a=_9qSGt5iiLdEEKXx:21 a=MpW_]
X-AnalysisOut: [wR34AYoxqmvJ:21]
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2014051901)]
X-Mailman-Approved-At: Tue, 17 Jun 2014 07:59:00 -0700
Cc: Linus Nordberg <>, "" <>
Subject: Re: [Int-area] Logging Recommendations for Internet-Facing Servers
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Jun 2014 14:37:42 -0000


To close this for now. 

I see no compelling reason to change the BCP RFC 6302. 

Privacy is important. But equally so is the need to protect our customers, ourselves and the population against cyber criminals and they are legion. There is a compelling need for Law Enforcement Agencies and Governments to know some information about traffic as it relates to criminal and military acts (state sponsored cyber espionage etc.,). It is up to the civil authorities to define what is "acceptable reach" for the above agencies actions. It is up to us as citizens to then hold the civil authorities accountable at least in the US. 

This is far beyond an IETF discussion. 


Scott Sheppard
404 499 5539 desk
732 861 3383 cell email

Two messages
Authentic power is service - Pope Francis 
Sillyness is Essential - The Three Stooges
Both are important 

This e-mail and any files transmitted with it are the property
Of the AT&T companies, are confidential, and are intended solely
For the use of the individual or entity to whom this e-mail is 
Addressed. If you are not the one of the named recipients or 
Otherwise have reason to believe that you have received this
Message in error, please notify the sender at (732) 420-0965 and 
Delete this message immediately from your computer. Any other
Use, retention, dissemination, forwarding, printing, or copying
Of this e-mail is strictly prohibited.

-----Original Message-----
From: [] 
Sent: Tuesday, June 17, 2014 8:58 AM
To: S Moonesamy; Alain Durand; Igor Gashinsky; Donn Lee; Scott Sheppard
Cc: Linus Nordberg;
Subject: RE: [Int-area] Logging Recommendations for Internet-Facing Servers

Hi SM,

RFC6302 should be positioned in its context: i.e., how to meet regulatory requirements in some countries when address sharing is in use. A discussion on the background (with a concise discussion on solution flavors and some hints on time duration to store log data) is available at: and

The reco in RFC6302 aims to ease handling abuse claims and avoid revealing the identity of a large number of subscribers. FYI, the penal procedure in France has been updated in August 2013 to take into account address sharing in particular, see for instance where "additional information" should be provided in addition to the IP address for abuse claims).

Privacy-related considerations and other side effects of storing IP addresses (including IP tracking) should be discussed IMHO independently of RFC6302. For example, the concrete case led by the CNIL in France:[backPid]=91&cHash=6c52ebf7fc988c0c7fe49410c4e693429342. 


>-----Message d'origine-----
>De : Int-area [] De la part de S Moonesamy
>Envoyé : lundi 16 juin 2014 11:48
>À : Alain Durand; Igor Gashinsky; Donn Lee; Scott Sheppard
>Cc : Linus Nordberg;
>Objet : [Int-area] Logging Recommendations for Internet-Facing Servers
>In the wake of the revelations about surveillance there has been some
>concerns about RFC 6302.  I would be grateful if the authors of RFC
>6302 could review the comments at
>and provide some feedback.
>S. Moonesamy
>Int-area mailing list