Re: [marf] Reviewers for draft-kucherawy-marf-source-ports

"Murray S. Kucherawy" <msk@cloudmark.com> Thu, 19 April 2012 23:26 UTC

Return-Path: <msk@cloudmark.com>
X-Original-To: marf@ietfa.amsl.com
Delivered-To: marf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDDC21E8013 for <marf@ietfa.amsl.com>; Thu, 19 Apr 2012 16:26:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.564
X-Spam-Level:
X-Spam-Status: No, score=-102.564 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vlyNZrZhaCx for <marf@ietfa.amsl.com>; Thu, 19 Apr 2012 16:26:31 -0700 (PDT)
Received: from mail.cloudmark.com (cmgw1.cloudmark.com [208.83.136.25]) by ietfa.amsl.com (Postfix) with ESMTP id D31C711E8073 for <marf@ietf.org>; Thu, 19 Apr 2012 16:26:31 -0700 (PDT)
Received: from ht1-outbound.cloudmark.com ([72.5.239.26]) by mail.cloudmark.com with bizsmtp id zzSf1i0010as01C01zSfln; Thu, 19 Apr 2012 16:26:39 -0700
X-CMAE-Match: 0
X-CMAE-Score: 0.00
X-CMAE-Analysis: v=2.0 cv=fNu7LOme c=1 sm=1 a=QMZKka45TBd+hNGtXG2bIg==:17 a=8Ubwy9MkvaUA:10 a=TvhglxwP5TMA:10 a=zutiEJmiVI4A:10 a=xqWC_Br6kY4A:10 a=48vgC7mUAAAA:8 a=kUBMJ0F_5hXGKQYAAeAA:9 a=CjuIK1q_8ugA:10 a=lZB815dzVvQA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=BC6Nv4ANFxzY6dn1clsA:9 a=xAcjfyPSqR5FP-P_kbkA:7 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=QMZKka45TBd+hNGtXG2bIg==:117
Received: from EXCH-MBX901.corp.cloudmark.com ([fe80::addf:849a:f71c:4a82]) by exch-htcas902.corp.cloudmark.com ([fe80::54de:dc60:5f3e:334%10]) with mapi id 14.01.0355.002; Thu, 19 Apr 2012 16:26:20 -0700
From: "Murray S. Kucherawy" <msk@cloudmark.com>
To: Steve Atkins <steve@wordtothewise.com>, "marf@ietf.org" <marf@ietf.org>
Thread-Topic: [marf] Reviewers for draft-kucherawy-marf-source-ports
Thread-Index: Ac0eWIzAWiByKHBVQYeTaXZAPo6wLAAP01CAAAU64KA=
Date: Thu, 19 Apr 2012 23:26:20 +0000
Message-ID: <9452079D1A51524AA5749AD23E0039280FB6A1@exch-mbx901.corp.cloudmark.com>
References: <9452079D1A51524AA5749AD23E0039280FAF8D@exch-mbx901.corp.cloudmark.com> <938CD663-D2D5-4E65-B3D4-B02424DC7124@wordtothewise.com>
In-Reply-To: <938CD663-D2D5-4E65-B3D4-B02424DC7124@wordtothewise.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.22.1.156]
Content-Type: multipart/alternative; boundary="_000_9452079D1A51524AA5749AD23E0039280FB6A1exchmbx901corpclo_"
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudmark.com; s=default; t=1334877999; bh=9H0BRnEIYuInuaykHvkFMEP+J8PeiUjwRIV7DypWuRY=; h=From:To:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=EVBf/l9Uiy2RJ5tzL8eu1s8XGeaciEKZu8V28i+NoRRxIrsq5/PP+GUcHNOp2qpsP qGcar2Mnq70bgyx0CFfh8bqVEbMTrIESdvPNZN5rRKmH99ZOSSsRMhvJUl6tZi5JHZ WY/QwdyRYKm0+EZi+/0GuHpGyY/shayC6KyzL4uk=
Subject: Re: [marf] Reviewers for draft-kucherawy-marf-source-ports
X-BeenThere: marf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Message Abuse Report Format working group discussion list <marf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/marf>, <mailto:marf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/marf>
List-Post: <mailto:marf@ietf.org>
List-Help: <mailto:marf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/marf>, <mailto:marf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2012 23:26:34 -0000

Comments inline.

From: marf-bounces@ietf.org [mailto:marf-bounces@ietf.org] On Behalf Of Steve Atkins
Sent: Thursday, April 19, 2012 11:50 AM
To: marf@ietf.org
Subject: Re: [marf] Reviewers for draft-kucherawy-marf-source-ports

It looks reasonable at first glance. But I have some comments.

MARF is intended for reporting sightings of email. This extension is intended to make reports of traffic from behind NATs able to differentiate between users behind a NAT. That implies that it's expected for legitimate email to be sent from behind a shared NAT. I wouldn't expect to see that in the wild, certainly not at a provider that's well enough set up that they're accepting ARF reports and keeping detailed access logs and so on - rather I'd expect that mail to be going through an authenticated smarthost, and no non-authenticated SMTP traffic being emitted from the NAT itself.

[MSK: That's probably generally true, but I'd imagine it's not universally true.  For the cases where it's not, the data reported by this extension header field might prove useful.]

Do carrier-grade NATs in general use really log connections in enough detail that the source port is adequate to identify the user of the NAT? AIUI many of them cycle source ports almost immediately, with no persistent relationship with the user, so they'd need to persistently log every TCP connection every user made for this to be useful data.

[MSK: This is what Section 3 of [LOG] advocates.  We're simply matching what they're doing.]

For source port to be useful to the sender, even assuming they have NAT connection logs, the timestamp of the report is going to be much more critical than for previous ARF usage. Dynamically assigned IP addresses tend to last hours, dynamically assigned NAT mappings just seconds. We don't mention anything about timestamps in [ARF], other than to say it should be in RFC5322 format. Do we need to stress the need for NTP-level timing accuracy at every host involved, or is the mention of that in [LOG] enough?

[MSK: We could certainly repeat that advice, or stress the importance of that part of [LOG].]

[LOG] recommends UTC timestamps for everything. Do we want to encourage that for ARF too?

[MSK: I agree with Scott; email date format captures enough information to convert to UTC if needed.  We could say that the report generator MAY convert the ARF date field, whatever it's called (can't recall), in UTC to enable quicker log correlation.]

What about ident?

[MSK: Does anyone still use that?]

Cheers,
  Steve
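The thread above turns on three practical points: the source port is only useful if the NAT operator logs each mapping, the mapping lifetime is seconds so the report timestamp must be accurate, and the RFC 5322 date in the report has to be normalised to UTC before it can be matched against NAT logs. The following Python is an added illustration of that correlation from the NAT operator's side; it is not code from the draft, the working group, or either poster. It assumes the extension field is named `Source-Port` (the name the published version of the draft uses) and that the report date field is `Arrival-Date` as defined in RFC 5965; the NAT log line format and all addresses and times are constructed for the example and do not represent any vendor's log format.

```python
"""Correlate an ARF report carrying a source port with carrier-grade NAT
connection logs. Added example: field names follow RFC 5965 (Arrival-Date)
plus the Source-Port extension; the NAT log format below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import re

# Constructed machine-readable part of an ARF report. Note the non-UTC
# offset in Arrival-Date: 11:50:12 -0700 is 18:50:12 UTC.
SAMPLE_REPORT = """\
Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 203.0.113.7
Source-Port: 51920
Arrival-Date: Thu, 19 Apr 2012 11:50:12 -0700
"""

# Constructed CGN mapping log (UTC). Two subscribers share the external
# address 203.0.113.7 within one second of each other; only the external
# port tells them apart. The third line shows the same port reused a few
# minutes later, which is why the time window must stay tight.
SAMPLE_NAT_LOG = """\
2012-04-19T18:50:10Z src=10.1.2.3:41234 ext=203.0.113.7:51920 dst=192.0.2.10:25
2012-04-19T18:50:11Z src=10.1.9.8:50001 ext=203.0.113.7:51921 dst=192.0.2.10:25
2012-04-19T18:55:40Z src=10.1.4.4:33333 ext=203.0.113.7:51920 dst=198.51.100.5:25
"""


@dataclass
class NatEntry:
    when: datetime   # mapping creation time, UTC
    internal: str    # subscriber-side address:port
    external: str    # public address
    ext_port: int    # public port
    dst: str         # destination address:port


def parse_arf_report(text):
    """Parse 'Name: value' lines of the machine-readable report part."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def report_time_utc(report):
    """RFC 5322 date (any zone offset) -> timezone-aware UTC datetime."""
    return parsedate_to_datetime(report["arrival-date"]).astimezone(timezone.utc)


LOG_RE = re.compile(r"^(\S+)Z src=(\S+) ext=([\d.]+):(\d+) dst=(\S+)$")


def parse_nat_log(text):
    """Parse the constructed NAT log format; skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)
        entries.append(NatEntry(when, m.group(2), m.group(3),
                                int(m.group(4)), m.group(5)))
    return entries


def correlate(report, entries, window_seconds=30, use_port=True):
    """Return NAT entries whose external address (and port, if use_port)
    match the report and whose mapping time lies within +/- window_seconds
    of the report's Arrival-Date. NAT mappings live for seconds, so the
    window must be small, which in turn requires NTP-accurate clocks on
    both the reporting MTA and the NAT."""
    t = report_time_utc(report)
    ip = report["source-ip"]
    port = int(report["source-port"]) if use_port else None
    return [e for e in entries
            if e.external == ip
            and (port is None or e.ext_port == port)
            and abs((e.when - t).total_seconds()) <= window_seconds]


if __name__ == "__main__":
    rep = parse_arf_report(SAMPLE_REPORT)
    log = parse_nat_log(SAMPLE_NAT_LOG)
    print("report time (UTC):", report_time_utc(rep).isoformat())
    print("with port, 30 s window:", [e.internal for e in correlate(rep, log)])
    print("without port:", [e.internal for e in correlate(rep, log, use_port=False)])
    print("with port, 10 min window:",
          [e.internal for e in correlate(rep, log, window_seconds=600)])
```

Run as a script, the three result lines show the points made in the thread: with the port and a tight window the report resolves to exactly one subscriber; dropping the port leaves two candidates sharing the public address; and widening the window to minutes reintroduces ambiguity because the same external port has already been reused. The tolerance is deliberately a parameter, since the safe value depends on how well the reporter's and the NAT's clocks are synchronised.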