Hi Ted,

Please see inline.

Cheers,
Med

From: Ted Lemon [mailto:[email protected]]
Sent: Tuesday, April 24, 2018 17:45
To: Dave O'Reilly
Cc: BOUCADAIR Mohamed IMT/OLN; [email protected]; Stephen Farrell
Subject: Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

On Apr 24, 2018, at 11:30 AM, Dave O'Reilly <[email protected]> wrote:

Could you give me an example of when you think it would be appropriate to log source port and when it would not be?

It's not appropriate to log source port if there's no potential for abuse by the connecting party, or if the potential for abuse by the connecting party is small compared to the potential for abuse by the consumer of the log information.

As has been mentioned previously, it may make sense to log source port when accepting posts from an end user, or when taking orders, or in similar situations. But to use the example Amelia gave, if I go to Wikipedia and start reading articles and clicking on links, it isn't appropriate to log the source port.

[Med] Agree if s/source port/source IP address [+ source port]. Please note that logging source port is likely to be **useless** for local correlation purposes. The situation is different for abuse claims, because the source IP address AND source port are supplied via authorities to the provider who can then check its data retention files (can be fed by DHCP assignments, CGN records, deterministic NAT configuration, etc.).

If I am reading a newspaper, it is not appropriate to log anything about my reading habits (although in this case cookies are likely more of a problem than source port).

[Med] Yes.

It's possible that some government somewhere would disagree; if they do, that's fine, but it's not the IETF's role to promote or enable this behavior.

[Med] Fully agree.


To continue the Wikipedia example, Wikipedia does in fact ban IP addresses when abusive behavior is exhibited by some person using that IP address. I don't think there would be a particular problem extending this to ports as well, although it might not actually be all that useful if they are randomized by the CGN.

[Med] Sure. Intarea published this RFC to cover this particular problem: https://tools.ietf.org/html/rfc6967 (look for Wikimedia in that RFC). Please note this is not about logging, but more blacklisting/whitelisting.

I don't know if Wikipedia logs this information for law enforcement use, but if they do, then logging the source port as well _in these situations_ would make sense, even though logging it when the end user is simply reading pages would not.

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
