On 2018-04-25 00:26, Brian E Carpenter wrote:
> On 24/04/2018 18:08, Amelia Andersdotter wrote:
>> Dear Mohamed,
>>
>> See below:
>>
>> On 2018-04-24 07:25, [email protected] wrote:
>>> [Med] I don't have a problem with the general intent of your text, my
>>> concern is that you link those explicitly with RFC6302 which is misleading.
>>> RFC6302 has a very clear focus: address sharing.
>>>
>>> [Med] But how this is related to RFC6302 context?
>> RFC6302 is hopelessly out of date. It was specifically justified by a
>> regulatory framework which no longer exists(!) and it takes into account
>> none of the privacy guidances given by RFC6973.
> I can't find any reference to regulatory matters in RFC 6302,
> but I did find this:
> "In the absence of the source port number and accurate timestamp
> information, operators deploying any address sharing techniques will
> not be able to identify unambiguously customers when dealing with
> abuse or public safety queries."
> Has that changed since 2011?

The reference is to RFC6269 in the introduction, which claims (section 12) that the need for traceability is regulatorily motivated. When one makes a recommendation starting from the assumption of some regulatory need or other, and that regulatory need subsequently changes, I think that's "outdated".

best,

A

> RFC6973 adds this:
> "When requiring or recommending that information
> about initiators or their communications be stored or logged by end
> systems (see, e.g., RFC 6302 [RFC6302]), it is important to recognize
> the potential for that information to be compromised and for that
> potential to be weighed against the benefits of data storage."
> Indeed. But since that's a general requirement, not specific to port
> logging, what is obsolete in RFC6302 itself? It's what happens to the data
> *after* it's been collected that matters, and that affects everything
> the server collects, not just addr+port.
>
> Regards
> Brian
>
>> If we mean to say the
>> privacy guidelines of RFC6973 should not be applied specifically in our
>> recommendations for logging to internet-facing servers, then fine. If,
>> however, we believe privacy guidelines apply also when we make
>> recommendations to internet-facing servers (as we have done), then
>> RFC6302 needs updating.
>>
>> I think this is the primary thing to establish. I'll provide more
>> comments later.
>>
>> best,
>>
>> A
>>
>>

--
Amelia Andersdotter
Technical Consultant, Digital Programme
ARTICLE19
www.article19.org
PGP: 3D5D B6CA B852 B988 055A 6A6F FEF1 C294 B4E8 0B55

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
