
RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

2012-05-08 00:49:36


"Murray S. Kucherawy" <msk(_at_)cloudmark(_dot_)com> wrote:

-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Scott Kitterman
Sent: Monday, May 07, 2012 3:35 PM
To: ietf(_at_)ietf(_dot_)org
Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

My suggestion would be to change the last part of section three to
read:

   When any authentication failure report [AUTHFAILURE-REPORT] is generated
   that includes the "Source-IP" reporting field (see Section 3.1 of
   [AUTHFAILURE-REPORT]), this field MAY also be included.

Other than that, I think it's ready to go.

If all one is doing is figuring out why something like a DKIM signature
failed on an otherwise legitimate message, then I agree the source port
isn't a useful input to that work.  In fact, as far as DKIM goes, the
source IP address is probably not useful either.

If, however, one is trying to track down the transmission of fraudulent
email such as phishing attacks, source ports can be used to identify
the perpetrator more precisely when compared to logs.  Support for this
latter use case is why I believe RECOMMENDED is appropriate.

Which is exactly the case (abuse report) the second to last paragraph takes 
care of.  I agree RECOMMENDED is appropriate there and you have it there.

For auth failure analysis I read you as agreeing it's not needed.  There are 
some authorization methods that use IP address, so I don't think that for auth 
failure reports inclusion of IP address and source port are comparable.

Based on your response, I don't understand your objection to dropping the 
RECOMMENDS for auth failure reports and keeping it for abuse reports?
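
Added example, not part of the thread or of the draft: a sketch of the abuse-report use case discussed above, where a report's Source-IP and Source-Port are compared with the sending network's logs. The report fields, the NAT log format, the addresses and the function names are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed message/feedback-report fields; not taken from any real report.
ARF_FIELDS = """\
Feedback-Type: abuse
Version: 1
User-Agent: ExampleReporter/1.0
Arrival-Date: Mon, 07 May 2012 15:35:12 +0000
Source-IP: 192.0.2.10
Source-Port: 40213
"""

# Constructed NAT log (assumed format): start end inside-host public-ip public-port
NAT_LOG = """\
2012-05-07T15:34:50Z 2012-05-07T15:35:40Z 10.0.0.17 192.0.2.10 40213
2012-05-07T15:35:01Z 2012-05-07T15:35:30Z 10.0.0.42 192.0.2.10 51877
2012-05-07T15:35:05Z 2012-05-07T15:35:20Z 10.0.0.99 192.0.2.10 33002
2012-05-07T14:10:00Z 2012-05-07T14:10:30Z 10.0.0.23 192.0.2.10 40213
"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_report(text):
    """Pull the fields needed for log correlation; Source-Port may be absent."""
    f = HeaderParser().parsestr(text)
    port = f.get("Source-Port")
    return {"ip": ipaddress.ip_address(f["Source-IP"].strip()),
            "port": int(port) if port is not None else None,
            "when": parsedate_to_datetime(f["Arrival-Date"])}

def candidates(report, log_text, use_port=True, skew=timedelta(seconds=5)):
    """Inside hosts whose NAT session matches the report's IP, time and port."""
    hits = set()
    for line in log_text.splitlines():
        start, end, inside, pub_ip, pub_port = line.split()
        if ipaddress.ip_address(pub_ip) != report["ip"]:
            continue
        if not (_ts(start) - skew <= report["when"] <= _ts(end) + skew):
            continue  # same mapping at another time is a different session
        if use_port and report["port"] is not None and int(pub_port) != report["port"]:
            continue
        hits.add(inside)
    return sorted(hits)
```

With the sample data, matching on address and time alone leaves three inside hosts behind the shared public address; adding the reported port narrows that to one.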