Dear Amelia, I disagree with your comment.
Section 12 of RFC6269 is about logging at the network side not the server. Server matters are discussed in Section 13.1 "Abuse Logging and Penalty Boxes".

Section 12 is prudent in its language, it starts with "In many jurisdictions, service providers are legally obliged to..". I don't think that you claim that all jurisdictions over the world require operators to maintain some records.

Even for the network side, the IETF is prudent in its language and does not include an explicit logging requirement for CGNs, for example. Please give a read to RFC6888.

Cheers,
Med

> -----Original Message-----
> From: Amelia Andersdotter [mailto:[email protected]]
> Sent: Wednesday, 25 April 2018 07:01
> To: Brian E Carpenter; BOUCADAIR Mohamed IMT/OLN; [email protected]
> Cc: Stephen Farrell
> Subject: Re: [Int-area] draft-andersdotter (was RE: WG adoption call:
> Availability of Information in Criminal Investigations Involving Large-Scale
> IP Address Sharing Technologies
>
> On 2018-04-25 00:26, Brian E Carpenter wrote:
> > On 24/04/2018 18:08, Amelia Andersdotter wrote:
> >> Dear Mohamed,
> >>
> >> See below:
> >>
> >> On 2018-04-24 07:25, [email protected] wrote:
> >>> [Med] I don't have a problem with the general intent of your text, my
> >>> concern is that you link those explicitly with RFC6302 which is misleading.
> >>> RFC6302 has a very clear focus: address sharing.
> >>>
> >>> [Med] But how this is related to RFC6302 context?
> >> RFC6302 is hopelessly out of date. It was specifically justified by a
> >> regulatory framework which no longer exists(!) and it takes into account
> >> none of the privacy guidances given by RFC6973.
> > I can't find any reference to regulatory matters in RFC 6302,
> > but I did find this:
> > "In the absence of the source port number and accurate timestamp
> > information, operators deploying any address sharing techniques will
> > not be able to identify unambiguously customers when dealing with
> > abuse or public safety queries."
> > Has that changed since 2011?
>
> The reference is to RFC6269 in the introduction, which claims (section
> 12) that the need for traceability is regulatorily motivated. When one
> makes a recommendation starting from the assumption of some regulatory
> need or other, and that regulatory need subsequently changes, I think
> that's "outdated".
>
> best,
>
> A
>
> > RFC6973 adds this:
> > "When requiring or recommending that information
> > about initiators or their communications be stored or logged by end
> > systems (see, e.g., RFC 6302 [RFC6302]), it is important to recognize
> > the potential for that information to be compromised and for that
> > potential to be weighed against the benefits of data storage."
> > Indeed. But since that's a general requirement, not specific to port
> > logging, what is obsolete in RFC6302 itself? It's what happens to the data
> > *after* it's been collected that matters, and that affects everything
> > the server collects, not just addr+port.
> >
> > Regards
> > Brian
> >
> >> If we mean to say the
> >> privacy guidelines of RFC6973 should not be applied specifically in our
> >> recommendations for logging to internet-facing servers, then fine. If,
> >> however, we believe privacy guidelines apply also when we make
> >> recommendations to internet-facing servers (as we have done), then
> >> RFC6302 needs updating.
> >>
> >> I think this is the primary thing to establish. I'll provide more
> >> comments later.
> >>
> >> best,
> >>
> >> A
> >>
> >>
> >
> --
> Amelia Andersdotter
> Technical Consultant, Digital Programme
>
> ARTICLE19
> www.article19.org
>
> PGP: 3D5D B6CA B852 B988 055A 6A6F FEF1 C294 B4E8 0B55

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
