Re: [Rucus] ARF BoF: no SIP?

John R Levine <johnl@taugh.com> Sun, 20 September 2009 16:01 UTC

Date: Sun, 20 Sep 2009 12:02:45 -0400
From: John R Levine <johnl@taugh.com>
To: Dan Wing <dwing@cisco.com>
Cc: rucus@ietf.org
List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" <rucus.ietf.org>

>> There's interest in a more general abuse report, but I have not yet
>> succeeded in getting people to explain why, other than a dislike of
>> XML, we wouldn't just be doing a rerun of INCH.
>
> Dunno.  I'm not familiar with INCH and currently not connected to
> the Internet to figure out what it is.

It's an old IETF WG, which produced an incident reporting format called 
IODEF which is simultaneously reviled for being too complex, because it's 
in XML, and at the same time for not having enough specific features for 
everyone's favorite online evils.  Personally, I think it's ugly but I 
doubt anything useful could be much less ugly, and that efforts to turn 
ARF into a general reporting format will end up with a mess that is too 
underspecified to interoperate.

> My only thought is that if ARF is going to be extended to cover
> things like SSH and FTP attacks, it should also cover SIP (and,
> to Peter's point) and XMPP.

Oh, sure.  Indeed, they fit into ARF a lot better than SSH does since they 
have something that obviously makes sense as the included 2822 message, 
but I hope I can keep ARF for mail and do something else for all the other 
kinds of evil.

R's,
John