On 25/04/2018 11:37, Ted Lemon wrote:
> Brian, does the server *have* to collect everything?

Clearly not, but operations people are much more likely to apply a "log
everything we can store" approach than to be selective in advance. I think
it's privacy law, not IETF BCPs, that will make them think more carefully.

http://www.waitrose.com/privacynotice is worth a read, I found. It makes
IP addresses look very uninteresting.

    Brian

> 
> On Tue, Apr 24, 2018, 18:26 Brian E Carpenter <brian.e.carpen...@gmail.com>
> wrote:
> 
>> On 24/04/2018 18:08, Amelia Andersdotter wrote:
>>> Dear Mohamed,
>>>
>>> See below:
>>>
>>> On 2018-04-24 07:25, mohamed.boucad...@orange.com wrote:
>>>>
>>>> [Med] I don't have a problem with the general intent of your text, my
>>>> concern is that you link those explicitly with RFC6302 which is misleading.
>>>> RFC6302 has a very clear focus: address sharing.
>>>>
>>>> [Med] But how is this related to the RFC6302 context?
>>>
>>> RFC6302 is hopelessly out of date. It was specifically justified by a
>>> regulatory framework which no longer exists(!) and it takes into account
>>> none of the privacy guidance given by RFC6973.
>>
>> I can't find any reference to regulatory matters in RFC 6302,
>> but I did find this:
>>   "In the absence of the source port number and accurate timestamp
>>    information, operators deploying any address sharing techniques will
>>    not be able to identify unambiguously customers when dealing with
>>    abuse or public safety queries."
>> Has that changed since 2011?
>>
>> RFC6973 adds this:
>>   "When requiring or recommending that information
>>    about initiators or their communications be stored or logged by end
>>    systems (see, e.g., RFC 6302 [RFC6302]), it is important to recognize
>>    the potential for that information to be compromised and for that
>>    potential to be weighed against the benefits of data storage."
>> Indeed. But since that's a general requirement, not specific to port
>> logging, what is obsolete in RFC6302 itself? It's what happens to the data
>> *after* it's been collected that matters, and that affects everything
>> the server collects, not just addr+port.
>>
>> Regards
>>    Brian
>>
>>> If we mean to say the
>>> privacy guidelines of RFC6973 should not be applied specifically in our
>>> recommendations for logging to internet-facing servers, then fine. If,
>>> however, we believe privacy guidelines apply also when we make
>>> recommendations to internet-facing servers (as we have done), then
>>> RFC6302 needs updating.
>>>
>>> I think this is the primary thing to establish. I'll provide more
>>> comments later.
>>>
>>> best,
>>>
>>> A
>>>
>>>
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@ietf.org
>> https://www.ietf.org/mailman/listinfo/int-area
>>
> 
