ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard

2012-05-08 21:05:03
from [Scott Kitterman] [Permanent Link] 
On Tuesday, May 08, 2012 06:23:46 AM Murray S. Kucherawy wrote:

-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of
Scott Kitterman

 Sent: Monday, May 07, 2012 10:49 PM

To: ietf(_at_)ietf(_dot_)org
Subject: RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source
Ports in ARF Reports) to Proposed Standard

 



If all one is doing is figuring out why something like a DKIM signature
failed on an otherwise legitimate message, then I agree the source port
isn't a useful input to that work.  In fact, as far as DKIM goes, the
source IP address is probably not useful either.

If, however, one is trying to track down the transmission of fraudulent
email such as phishing attacks, source ports can be used to identify
the perpetrator more precisely when compared to logs.  Support for this
latter use case is why I believe RECOMMENDED is appropriate.



Which is exactly the case (abuse report) the second to last paragraph
takes care of.  I agree RECOMMENDED is appropriate there and you have
it there.

For auth failure analysis I read you as agreeing it's not needed.
There are some authorization methods that use IP address, so I don't
think that for auth failure reports inclusion of IP address and source
port are comparable.

Based on your response, I don't understand your objection to dropping
the RECOMMENDS for auth failure reports and keeping it  for abuse
reports?



I don't think it's possible for software to identify correctly a case of an
accidental authentication failure versus detected fraud.  If it were, then
I'd agree that for the simple authentication failure case the source port
isn't useful.

 
Then why did we bother with a separate type or report for authentication 
failure?  Presumably we believe systems can have criteria for "I'm sending 
this because the message is abusive" versus "I'm sending this because it 
failed $authentication_type".


In the absence of that capability, isn't it better to give the investigating
user as much information as possible to use in correlation of logs and
such?


Personally, in the forensic work I've done I've found things like mail queue 
IDs a lot more important than source port.  There is lots of information that 
would be useful for an investigation.  On this basis, I could see MAY include 
source port on auth failure reports, but I think making it RECOMMENDED on the 
basis of it may be useful is justified.

Scott K
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: a favor from the list about Jon Postel, Michel Py
Next by Date:  Re: a favor from the list about Jon Postel, Paul Wouters
Previous by Thread:  Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard, Douglas Otis
Next by Thread:  RE: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard, Murray S. Kucherawy
Indexes:  [Date] [Thread] [Top] [All Lists]