Re-,
I think we are in agreement.
Please note there is ** NO RFC ** which mandates that logs be kept for 3 days.
I guess you are referring to this text from Amelia’s I-D (which reflects the
author’s opinion):
SHOULD NOT store logs of incoming IP addresses from inbound
traffic for longer than three days.
The above proposed text does not make sense to me. The IETF does not have to
make a call on such matters.
Cheers,
Med
From: Povl H. Pedersen [mailto:[email protected]]
Sent: Wednesday 25 April 2018 13:16
To: BOUCADAIR Mohamed IMT/OLN
Cc: [email protected]
Subject: Re: [Int-area] WG adoption call: Availability of Information in
Criminal Investigations Involving Large-Scale IP Address Sharing Technologies
I would keep full IP address + port info in my firewall log. Separate from the
webserver log. This is to help keep the web guys from abusing collected data.
Having talked to the web guys, they use the logfiles in daily operations, and
they see them as necessary to provide continuous delivery of the services to the
end user. That is another obligation we have.
Our legal department actually suggested we keep logs for 5 years, as some data
must be kept that long.
The big privacy issue here is more about abuse and losing the data (moving them
away from the internet-facing server within 3 days would be a good
recommendation). This must be controlled by internal company rules. Not this
RFC that says we must cripple data after 3 days. And 3 days is a stupid limit
if there is a longer weekend/holidays etc. Easter is an example, Thursday to
Monday are non-working days. That is 5 days + the extra. So the 3 days should
be 6 days without even accounting for holidays.
On Wed, Apr 25, 2018 at 11:22 AM,
<[email protected]> wrote:
Re-,
Please see inline.
Cheers,
Med
From: Povl H. Pedersen [mailto:[email protected]]
Sent: Wednesday 25 April 2018 11:05
To: BOUCADAIR Mohamed IMT/OLN
Cc: [email protected]
Subject: Re: [Int-area] WG adoption call: Availability of Information in
Criminal Investigations Involving Large-Scale IP Address Sharing Technologies
If we are at say a /20 or /22 (that is 2000-8000 possible IP addresses), and we
have the source port, then the ISP should be able to see which of these
addresses has the given source port to our destination IP and port.
[Med] The assumption about destination IP at the provider side is broken.
Further, logging destination IP address is not recommended. RFC6888 says the
following:
REQ-12: A CGN SHOULD NOT log destination addresses or ports unless
required to do so for administrative reasons.
Justification: Destination logging at the CGN creates privacy
issues.
Note also that recent advances in optimizing logs at CGNs (e.g. port set
assignment, deterministic NAT) conflict with keeping track of the
destination IP address.
Also, there are stateless address sharing techniques which do not even
involve a CGN (MAP-E, MAP-T, …). The information about destination IP address
per new session is not an option.
With a timestamp, the risk of collision is low. And the police can at least
minimize number of suspects.
[Med] If the destination IP address is not logged at the provider side (which
is likely), the collision probability of your proposal may be bigger for
deployments which use a low address sharing ratio (1:2, 1:4).
CGN does not break GeoIP. It still allows us to pinpoint the ISP, but might not
allow us to pinpoint the user any closer than the breakout point.
[Med] This is exactly what we meant by broken GeoIP in
https://tools.ietf.org/html/rfc6269#section-7
If we have an ISP, with CGN, and the police can come with a timestamp, and
source port, and a destination ip/port, the carrier can likely determine the
physical person. If he has say 255 possible external IP addresses in use, the
chance of the same source port to the same destination across these is small.
With address sharing, we can't point to one physical person.
[Med] OK.
I have a dynamic public IP at home (changes rarely). It is difficult to
pinpoint anything to me, my wife or my children. Or any user of my open WiFi
SSID. From a legal point of view, this is impossible.
[Med] OK.
But, the privacy protection in GDPR should protect the 20-year-old having a
fixed public IP, living alone. And here a fixed IP is enough for an ISP to
locate a person (or rather a machine) with some certainty.
[Med] ISPs operating fixed networks can locate their customers/subscribers
whatever scheme used for assigning IP addresses. The identification is based on
the line, not IP addresses.
I think this is all a tradeoff between protecting individuals, while not
completely giving up investigative tools - At least to do investigation with
some statistical probability. And since you do not know which addresses are
used by CGN, you can't handle them differently than other IPs.
[Med] Given that you stated above that it is difficult to track an individual
user based on the IP address, then what is the value of complicating the
investigation by not recording the full IP address + port (for this specific
investigation purpose)?
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
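The exchange above argues about how much an investigator can recover from a server-side log depending on which attributes survive (timestamp, source port, full external address or only a prefix, destination), and about the collision risk across a pool of external addresses. The following is an added worked example, written for this page and not part of the thread, any RFC or Amelia's I-D. It assumes a simple CGN translation-log record (subscriber, external address, external port, start/end time, optional destination); every subscriber name, address, port and timestamp in it is constructed, and the collision estimate uses an assumed model in which each external address has a fixed number of simultaneous mappings with ports drawn uniformly from a port pool.

```python
"""Added example (not from the thread or from any RFC/I-D): matching an
investigator's query against a CGN translation log, to show how much each
attribute (timestamp, source port, external address or prefix, destination)
narrows the candidate set, plus a rough collision estimate for the case
where the server kept only an address prefix and the source port.

All subscriber names, addresses, ports and timestamps are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    """One CGN translation record (assumed log format for this example)."""
    subscriber: str            # subscriber line / internal identity
    ext_ip: str                # external address assigned by the CGN
    ext_port: int              # external source port assigned by the CGN
    start: datetime
    end: datetime
    dst: Optional[str] = None  # "ip:port"; RFC 6888 REQ-12 says SHOULD NOT log


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed CGN log. sub-A and sub-B sit behind different external
# addresses but were both given external port 40001 in overlapping windows.
CGN_LOG = [
    Mapping("sub-A", "203.0.113.10", 40001, parse_ts("2018-04-25 11:00:00"), parse_ts("2018-04-25 11:05:00")),
    Mapping("sub-B", "203.0.113.11", 40001, parse_ts("2018-04-25 11:02:00"), parse_ts("2018-04-25 11:03:30")),
    Mapping("sub-C", "203.0.113.10", 40002, parse_ts("2018-04-25 11:02:10"), parse_ts("2018-04-25 11:04:00")),
    Mapping("sub-D", "203.0.113.11", 40001, parse_ts("2018-04-25 11:10:00"), parse_ts("2018-04-25 11:12:00")),
]


def candidates(log, ts, ext_port, ext_net=None, dst=None, skew_seconds=0):
    """Subscribers whose mapping could have produced a flow seen at the
    content server at `ts` with source port `ext_port`.

    ext_net:      external address or prefix the server kept (None = the
                  address was not kept, e.g. dropped after three days).
    dst:          "ip:port" of the server; only usable if the CGN logged it.
    skew_seconds: widen the window for clock drift between server and CGN.
    """
    net = ipaddress.ip_network(ext_net, strict=False) if ext_net else None
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for m in log:
        if m.ext_port != ext_port:
            continue
        if not (m.start - skew <= ts <= m.end + skew):
            continue
        if net is not None and ipaddress.ip_address(m.ext_ip) not in net:
            continue
        if dst is not None and m.dst is not None and m.dst != dst:
            continue
        hits.add(m.subscriber)
    return sorted(hits)


def port_collision_probability(n_ext_addrs, active_per_addr, port_pool=64512):
    """Estimate for the proposal 'keep only a prefix plus the source port':
    probability that at least one of the other external addresses in the
    prefix had a mapping on the same port at the same instant.

    Model (an assumption, not from the thread): each external address has
    `active_per_addr` simultaneous mappings with ports drawn uniformly and
    independently from `port_pool` (1024..65535 gives 64512 ports).
    """
    if n_ext_addrs < 2:
        return 0.0
    p_same = min(1.0, active_per_addr / port_pool)
    return 1.0 - (1.0 - p_same) ** (n_ext_addrs - 1)


if __name__ == "__main__":
    q = parse_ts("2018-04-25 11:02:30")
    print("port+time only      :", candidates(CGN_LOG, q, 40001))
    print("prefix /24 + port   :", candidates(CGN_LOG, q, 40001, "203.0.113.0/24"))
    print("full address + port :", candidates(CGN_LOG, q, 40001, "203.0.113.10/32"))
    for n, k in [(255, 50), (1024, 500), (4096, 500)]:
        print(f"{n:5d} addrs, {k:4d} active each: "
              f"P(collision) ~ {port_collision_probability(n, k):.3f}")
```

With the full external address kept, the query at 11:02:30 on port 40001 resolves to a single subscriber; with only the /24 prefix it returns two, and the analytic estimate shows that once a prefix covers hundreds or thousands of addresses with a realistic number of live mappings each, a port-only match across the prefix is almost guaranteed to collide. The `skew_seconds` parameter matters in practice because a mapping that ended seconds before the server's timestamp is excluded unless server and CGN clocks are reconciled.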