I would like to clarify, in response to the email below, that the document is not about logging of records at CGNATs which is usually defined by regulatory requirements. It is about the fact that there is an information gap between the records being maintained by ISPs and the operators of internet-facing servers.
How should that information gap be addressed? The most privacy sensitive way to achieve this is for internet-facing server operators to maintain source port records. In fact, in the document I specifically indicate that centralised logging of additional information is not a good response to this problem (ref. section 3 and section 9).

Regards,
daveor

> On 22 Apr 2018, at 21:36, Amelia Andersdotter <[email protected]> wrote:
>
> Dear all,
>
> I have read this draft and I do not support adoption.
>
> On 2018-04-22 21:18, Dave O'Reilly wrote:
>> Dear all,
>>
>> I hope it’s not inappropriate for me to step into this discussion, but I
>> would like to respond to a few of the points that have been raised so far.
>> For brevity I will incorporate my responses to the various emails into a
>> single email.
>>
>> The main point people are making:
>> ---------------------------------
>>
>> There are several objections to the document scope (by Stephen Farrell,
>> Brian E Carpenter and Ted Lemon - quotations are not necessary, I trust).
>>
>> In response I only point out that the intarea working group has already
>> adopted a document making recommendations that logging of source port should
>> be done (RFC6302/BCP162). The point I’m making in this document is that:
>
> The working group adopted other documents back in 2011 relating to
> CG-NAT and logging requirements, that to me look inspired by woes
> brought on by regulatory requirements in some jurisdictions (which are
> extensively referenced in those same documents, cf. Section 12 of
> RFC6269). There have been a few drafts on NAT logging over the years
> that reference these regulatory requirements (in the BEHAVE working
> group, for instance). But the regulatory requirements that were likely
> referenced expired in December 2016, when the European Union Court of
> Justice kind of chucked out generalised data retention requirements in
> favour of targeted surveillance practices. I have been able to find no
> drafts referencing regulatory requirements to log or retain data in NATs
> that have been considered in the IETF.
>
> The scope of the draft therefore doesn't sit well with me.
>
> I'm also reminded of other regulatory requirements entering into effect
> soon that go in a completely different direction. The proposal by
> Stephen to look at a differently scoped document about logging seems
> more reasonable under present circumstances.
>
> best regards,
>
> Amelia
>
>> Regards,
>> daveor
>>
>> _______________________________________________
>> Int-area mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/int-area
>
>
> --
> Amelia Andersdotter
> Technical Consultant, Digital Programme
>
> ARTICLE19
> www.article19.org
>
> PGP: 3D5D B6CA B852 B988 055A 6A6F FEF1 C294 B4E8 0B55
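The information gap described in the reply above, as an added example that is not part of the original thread or of the draft under discussion: one server-side log record is matched against ISP-side CGNAT bindings, with and without the source port, and with an unsynchronised server clock. The binding table, subscriber labels, addresses and timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class Mapping(NamedTuple):
    """One ISP-side CGNAT binding (constructed sample data)."""
    public_ip: str
    public_port: int
    start: datetime
    end: datetime
    subscriber: str  # hypothetical internal subscriber label


def t(hms: str) -> datetime:
    """UTC timestamp on the constructed sample day."""
    return datetime.fromisoformat(f"2018-04-22T{hms}+00:00")


# Constructed bindings: three subscribers behind one shared public address
# (203.0.113.0/24 is a documentation range).
MAPPINGS = [
    Mapping("203.0.113.7", 40001, t("21:00:00"), t("21:05:00"), "sub-A"),
    Mapping("203.0.113.7", 40002, t("21:01:00"), t("21:06:00"), "sub-B"),
    # Same public port handed to another subscriber 30 seconds after sub-A.
    Mapping("203.0.113.7", 40001, t("21:05:30"), t("21:09:00"), "sub-C"),
]


def candidates(src_ip, when, src_port=None, skew=timedelta(0)):
    """Subscribers whose binding is consistent with one server log record.

    src_port=None models a server log that kept only the source address;
    skew widens the match window to model an unsynchronised server clock.
    """
    return {
        m.subscriber
        for m in MAPPINGS
        if m.public_ip == src_ip
        and (src_port is None or m.public_port == src_port)
        and m.start - skew <= when <= m.end + skew
    }


if __name__ == "__main__":
    hit = t("21:04:00")  # time of the request as recorded by the server
    two_min = timedelta(minutes=2)
    print("address only    :", sorted(candidates("203.0.113.7", hit)))
    print("address + port  :", sorted(candidates("203.0.113.7", hit, 40001)))
    print("port, 2 min skew:", sorted(candidates("203.0.113.7", hit, 40001, two_min)))
```

With only the address the record matches two subscribers; the source port narrows it to one, and a two-minute clock uncertainty brings a second candidate back through port reuse.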
