IETF Logo Mail Archive

Re: [marf] Reviewers for draft-kucherawy-marf-source-ports

Steve Atkins <steve@wordtothewise.com> Thu, 19 April 2012 18:49 UTC

Return-Path: <steve@wordtothewise.com>
X-Original-To: marf@ietfa.amsl.com
Delivered-To: marf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9006621F864B for <marf@ietfa.amsl.com>; Thu, 19 Apr 2012 11:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXfytFpI3uo6 for <marf@ietfa.amsl.com>; Thu, 19 Apr 2012 11:49:45 -0700 (PDT)
Received: from m.wordtothewise.com (misc.wordtothewise.com [184.105.179.154]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA4B21F866A for <marf@ietf.org>; Thu, 19 Apr 2012 11:49:45 -0700 (PDT)
Received: by m.wordtothewise.com (Postfix, from userid 1003) id 7A7292EB3F; Thu, 19 Apr 2012 11:49:44 -0700 (PDT)
Received: from platter.wordtothewise.com (204.11.227.194.static.etheric.net [204.11.227.194]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: steve) by m.wordtothewise.com (Postfix) with ESMTPSA id CC28D2EADE for <marf@ietf.org>; Thu, 19 Apr 2012 11:49:42 -0700 (PDT)
From: Steve Atkins <steve@wordtothewise.com>
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_96572BAD-F7AE-4969-94F6-CE6C43EC6F5D"
Date: Thu, 19 Apr 2012 11:49:41 -0700
In-Reply-To: <9452079D1A51524AA5749AD23E0039280FAF8D@exch-mbx901.corp.cloudmark.com>
To: marf@ietf.org
References: <9452079D1A51524AA5749AD23E0039280FAF8D@exch-mbx901.corp.cloudmark.com>
Message-Id: <938CD663-D2D5-4E65-B3D4-B02424DC7124@wordtothewise.com>
X-Mailer: Apple Mail (2.1257)
Subject: Re: [marf] Reviewers for draft-kucherawy-marf-source-ports
X-BeenThere: marf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Message Abuse Report Format working group discussion list <marf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/marf>, <mailto:marf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/marf>
List-Post: <mailto:marf@ietf.org>
List-Help: <mailto:marf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/marf>, <mailto:marf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2012 18:49:46 -0000

On Apr 19, 2012, at 11:16 AM, Murray S. Kucherawy wrote:

> Hello MARF,
>  
> The above draft was mentioned during the (brief) meeting in Paris.  It is a simple document that registers with IANA a RECOMMENDED field for ARF reports to include the port number from which the abusive action came.  This is encouraged practice in the IETF these days, as you can see from the document about logging that this one references.
>  
> It was decided in Paris to process it outside of MARF so that we could continue the process of winding down, since the draft is so simple.  Still, we need a few reviewers for the record.  Could we get a couple of volunteers?
> 
> Here’s the datatracker link: https://datatracker.ietf.org/doc/draft-kucherawy-marf-source-ports/
>  
> It’s five pages, about two of which are typical RFC boilerplate.  Truly a quick read.
>  
> If you’ve read it and agree with it, you can reply here and just say so.  Of course, if you have comments, those are also welcome.

It looks reasonable at first glance. But I have some comments.

MARF is intended for reporting sightings of email. This extension is intended to make reports of traffic from behind NATs able to differentiate between users behind a NAT. That implies that it's expected for legitimate email to be sent from behind a shared NAT. I wouldn't expect to see that in the wild, certainly not at a provider that's well enough set up that they're accepting ARF reports and keeping detailed access logs and so on - rather I'd expect that mail to be going through an authenticated smarthost, and no non-authenticated SMTP traffic being emitted from the NAT itself.

Do carrier-grade NATs in general use really log connections in enough detail that the source port is adequate to identify the user of the NAT? AIUI many of them cycle source ports almost immediately, with no persistent relationship with the user, so they'd need to persistently log every TCP connection every user made for this to be useful data.

For source port to be useful to the sender, even assuming they have NAT connection logs, the timestamp of the report is going to be much more critical than for previous ARF usage. Dynamically assigned IP addresses tend to last hours, dynamically assigned NAT mappings just seconds. We don't mention anything about timestamps in [ARF], other than to say it should be in RFC5322 format. Do we need to stress the need for NTP-level timing accuracy at every host involved, or is the mention of that in [LOG] enough?

[LOG] recommends UTC timestamps for everything. Do we want to encourage that for ARF too?

What about ident?

Cheers,
  Steve

v2.23.0 | Report a Bug | By Email