Re: [Int-area] Logging Recommendations for Internet-Facing Servers

Peter Koch <pk@DENIC.DE> Tue, 17 June 2014 21:24 UTC

SM,

> In the wake of the revelations about surveillance there have been some
> concerns about RFC 6302.  I would be grateful if the authors of RFC
> 6302 could review the comments at
> http://www.ietf.org/mail-archive/web/ietf-privacy/current/msg00454.html
> and provide some feedback.

not one of the authors, but still: the document basically says that _if_ you log,
you ought to log port numbers (and timestamps) in addition to IP addresses.
The question whether to log (the _if_ above) is, in my reading, and hindsight,
addressed (by way of abstention) by the paragraph starting:

   Discussions about data-retention policies are out of scope for this
   document. [...]

Of course, RFC 6302 is easily read as the IETF recommending "full" logging.
I doubt that it is in the best interest of the IETF to be misinterpreted
that lightly, but that was already the fact in June 2011.  Changing the
message to "IP address and timestamp might not be sufficient to identify
a system or user" and not calling it a "BCP" has an odd chance of mitigating
the misunderstandings. An IETF position on "do or do not log" is likely
irrelevant given (competing, conflicting) regulatory requirements and
legislation/court rulings on data protection.

-Peter
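The point Peter summarises from RFC 6302 (log the source port and timestamp, not just the address) can be shown with a small correlation exercise. This is an added illustration, not code from the thread or from RFC 6302; the NAT translation records, subscriber names and addresses are constructed sample data, and the assumption is a carrier-grade NAT that multiplexes several subscribers onto one public address at the same time.

```python
"""Why an IP address plus timestamp can be insufficient to identify a system.

Constructed example: a carrier-grade NAT maps three subscribers onto the
same public address during the same minute. Only the public source port
tells them apart, which is the case RFC 6302 has in mind.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class NatMapping:
    subscriber: str      # operator-internal identifier (constructed)
    public_ip: str
    public_port: int
    start: datetime      # mapping valid from (inclusive)
    end: datetime        # mapping valid until (exclusive)


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed CGN translation log: all three share 198.51.100.7.
NAT_LOG: List[NatMapping] = [
    NatMapping("sub-A", "198.51.100.7", 40001, ts("2014-06-17T21:24:00"), ts("2014-06-17T21:26:00")),
    NatMapping("sub-B", "198.51.100.7", 40002, ts("2014-06-17T21:24:00"), ts("2014-06-17T21:26:00")),
    NatMapping("sub-C", "198.51.100.7", 40003, ts("2014-06-17T21:23:30"), ts("2014-06-17T21:25:00")),
]


def candidates(ip: str, when: datetime, port: Optional[int] = None) -> List[str]:
    """Subscribers whose mapping covers (ip, when) and, if given, port.

    A server log holding only address and time narrows an event to every
    subscriber behind that address at that moment; adding the source port
    narrows it to at most one.
    """
    return sorted({
        m.subscriber for m in NAT_LOG
        if m.public_ip == ip and m.start <= when < m.end
        and (port is None or m.public_port == port)
    })


if __name__ == "__main__":
    when = ts("2014-06-17T21:24:24")
    print(candidates("198.51.100.7", when))         # ['sub-A', 'sub-B', 'sub-C']
    print(candidates("198.51.100.7", when, 40002))  # ['sub-B']
```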