Re: [marf] Reviewers for draft-kucherawy-marf-source-ports

"John Levine" <johnl@taugh.com> Thu, 19 April 2012 23:33 UTC

Date: Thu, 19 Apr 2012 23:32:51 -0000
Message-ID: <20120419233251.75775.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: marf@ietf.org
In-Reply-To: <938CD663-D2D5-4E65-B3D4-B02424DC7124@wordtothewise.com>

Remember that we didn't make up this port logging stuff.  It's in RFC 6302.

>That implies that it's expected for legitimate email to be sent from behind a shared
>NAT. I wouldn't expect to see that in the wild

I believe that it's already happening in parts of Asia.  Also, I
expect there are plenty of places where mail leaks out from a web farm
or something else behind a NAT that's not primarily a mail server.

>Do carrier-grade NATs in general use really log connections in enough detail that the
>source port is adequate to identify the user of the NAT?

Combined with the time stamp, it should be.  I agree that accurate time stamps are
important, but they already are for tracking down stuff on busy systems.

>What about ident?

It's hard to see how that would work without making NAT an order of
magnitude grosser than it is now, doing DPI on the incoming stream on
port 113 to figure out which host behind the NAT to route it to.  Or did
you mean that the NAT would handle port 113 requests itself?

R's,
John
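
The lookup discussed in this message, as an added example that is not part of the original thread or the draft: matching a reported source IP, source port and time stamp against a carrier-grade NAT translation log. The log layout, the function names and all addresses are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CGN translation log (not real data):
# (mapping start, mapping end, internal host, external IP, external port)
NAT_LOG = [
    ("2012-04-19T23:30:00Z", "2012-04-19T23:31:10Z", "10.0.0.17", "192.0.2.1", 40001),
    ("2012-04-19T23:31:40Z", "2012-04-19T23:33:00Z", "10.0.0.52", "192.0.2.1", 40001),
    ("2012-04-19T23:30:30Z", "2012-04-19T23:32:30Z", "10.0.0.88", "192.0.2.1", 40002),
]

def parse_ts(s):
    """Parse a UTC time stamp in the constructed log format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def candidates(ext_ip, ts, ext_port=None, skew_seconds=0):
    """Internal hosts whose mapping could match a reported connection.

    ext_port=None models a report that carries only the source IP.
    skew_seconds models uncertainty in the reporter's clock.
    """
    when = parse_ts(ts)
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for start, end, internal, ip, port in NAT_LOG:
        if ip != ext_ip:
            continue
        if ext_port is not None and port != ext_port:
            continue
        # Widen the mapping lifetime by the clock uncertainty.
        if parse_ts(start) - skew <= when <= parse_ts(end) + skew:
            hits.add(internal)
    return sorted(hits)

if __name__ == "__main__":
    report_time = "2012-04-19T23:32:00Z"
    print("IP only:          ", candidates("192.0.2.1", report_time))
    print("IP + port:        ", candidates("192.0.2.1", report_time, 40001))
    print("IP + port, 60s skew:", candidates("192.0.2.1", report_time, 40001, 60))
```

With the source port and an accurate time stamp the report resolves to one internal host; once the clock uncertainty exceeds the gap before the port was reused, two hosts match again.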