Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Brian E Carpenter
On 26/04/2018 04:07, Amelia Andersdotter wrote: > On 2018-04-25 14:42, mohamed.boucad...@orange.com wrote: >> You could have two different objections to the draft: >> >> 1. The IETF does not, in general, recommend grace periods or time >> periods for logging, caching, etc. That's just wrong - I

Re: [Int-area] Int-area Digest, Vol 152, Issue 52

2018-04-25 Thread Ted Lemon
On Apr 25, 2018, at 2:49 PM, Povl H. Pedersen wrote: > If we have performance issues, a drill down might be performed when the right > people are involved. And in a few cases we have located some low and slow > attacks and ended up blocking IPs. Usually 1 or 2. So it is

Re: [Int-area] Int-area Digest, Vol 152, Issue 52

2018-04-25 Thread Povl H. Pedersen
I know what the web people are using the logs for. Most of the stuff they could likely do without an IP address. If we have performance issues, a drill down might be performed when the right people are involved. And in a few cases we have located some low and slow attacks and ended up

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Amelia Andersdotter
On 2018-04-25 13:16, Povl H. Pedersen wrote: > I would keep full IP address + port info in my firewall log. Separate > from the webserver log. This to help the webguys not abusing collected > data.  > Having talked to the webguys, they use the logfiles in daily > operations, and they see them as

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Amelia Andersdotter
On 2018-04-25 14:42, mohamed.boucad...@orange.com wrote: > You could have two different objections to the draft: > > 1. The IETF does not, in general, recommend grace periods or time > periods for logging, caching, etc. That's just wrong - I find loads of > examples in old and new RFCs of

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
Well, you know where I’ll be! :-) daveor > On 25 Apr 2018, at 14:55, Ted Lemon wrote: > > On Apr 25, 2018, at 9:50 AM, Dave O'Reilly wrote: >> In that case - that’s substantially all that’s in my Internet Draft. Where >> do you see a difference between the

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Ted Lemon
On Apr 25, 2018, at 9:50 AM, Dave O'Reilly wrote: > In that case - that’s substantially all that’s in my Internet Draft. Where do > you see a difference between the content of the Internet Draft and this > apparent consensus? In order to answer this I'm going to have to

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
Oh OK! In that case - that’s substantially all that’s in my Internet Draft. Where do you see a difference between the content of the Internet Draft and this apparent consensus? daveor > On 25 Apr 2018, at 14:47, Ted Lemon wrote: > > On Apr 25, 2018, at 9:44 AM, Dave

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Ted Lemon
On Apr 25, 2018, at 9:44 AM, Dave O'Reilly wrote: > Sorry, I may have misread your email. Are you saying that there are times > when it makes sense to log IP, but NO times in which it makes sense to log > source port? Or something different? No, I'm saying that if it makes

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
Sorry, I may have misread your email. Are you saying that there are times when it makes sense to log IP, but NO times in which it makes sense to log source port? Or something different? daveor > On 25 Apr 2018, at 14:39, Ted Lemon wrote: > > On Apr 25, 2018, at 9:36 AM,

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Ted Lemon
On Apr 25, 2018, at 9:36 AM, Dave O'Reilly wrote: > OK, and what are the disadvantages of logging source port? Specifically, what > are the differential disadvantages between logging IP address and source port > versus only logging IP address? I don't think there are times

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Ted Lemon
On Apr 25, 2018, at 5:47 AM, Dave O'Reilly wrote: > Considering the examples I provided, would you be prepared to agree that > there exist situations where it would be useful to have source port logged > alongside IP address? I think I already agreed that that was true. I

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread mohamed.boucadair
Re-, Please see inline. Cheers, Med > -Original Message- > From: Int-area [mailto:int-area-boun...@ietf.org] On behalf of Amelia > Andersdotter > Sent: Wednesday 25 April 2018 14:37 > To: int-area@ietf.org > Subject: Re: [Int-area] WG adoption call: Availability of Information in >

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Amelia Andersdotter
On 2018-04-25 13:27, mohamed.boucad...@orange.com wrote: >     SHOULD NOT store logs of incoming IP addresses from inbound > >   traffic for longer than three days. > >   > > The above proposed text does not make sense to me. The IETF does not > have to make a call on such matters. > >   >

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread mohamed.boucadair
Re-, I think we are in agreement. Please note there is ** NO RFC ** which mandates logs to be kept 3 days. I guess you are referring to this text from Amelia’s I-D (which reflects the author’s opinion): SHOULD NOT store logs of incoming IP addresses from inbound traffic for longer

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Povl H. Pedersen
I would keep full IP address + port info in my firewall log. Separate from the webserver log. This to help the webguys not abusing collected data. Having talked to the webguys, they use the logfiles in daily operations, and they see them as necessary to provide continuous delivery of the services to

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
Ted, In response to this email, I refer you to the response I just wrote to Brian E Carpenter’s email. Considering the examples I provided, would you be prepared to agree that there exist situations where it would be useful to have source port logged alongside IP address? daveor > On 24

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
I think Brian has made a great point below. I’d like to provide a few more examples (all real) of scenarios where criminal investigations can rely heavily on the logs retained by the victim or the platform. 1. A person running a content business (e.g. blog) and their platform is compromised

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread mohamed.boucadair
Re-, Please see inline. Cheers, Med From: Povl H. Pedersen [mailto:p...@my.terminal.dk] Sent: Wednesday 25 April 2018 11:05 To: BOUCADAIR Mohamed IMT/OLN Cc: int-a...@ietfa.amsl.com Subject: Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Povl H. Pedersen
If we are at say a /20 or /22 (that is 2000-8000 possible IP addresses), and we have the source port, then the ISP should be able to see which of these addresses has the given source port to our destination IP and port. With a timestamp, the risk of collision is low. And the police can at least

Re: [Int-area] draft-andersdotter (was RE: WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
> On 25 Apr 2018, at 05:59, Amelia Andersdotter wrote: > > On 2018-04-25 03:22, Ted Lemon wrote: >> On Apr 24, 2018, at 7:57 PM, Brian E Carpenter >> > wrote: >>> Clearly not, but operations people are much

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Dave O'Reilly
> On 24 Apr 2018, at 16:41, Tom Herbert wrote: >> >> Although not explicitly stated, your message is certainly implying that the >> conclusion of your argument is … and therefore we should do nothing. >> >> I agree with you that the world is not perfect - when I’m in an

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread mohamed.boucadair
Dear Povl, Thank you for sharing your thoughts. I have one comment and two clarification questions: - Wouldn’t logging based /20-/22 nullify the interest to log source ports for investigations? Multiple subscribers may be assigned the same port in the /20 or /22 range. - GeoIP (whatever that

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

2018-04-25 Thread Povl H. Pedersen
Where I work, we keep the firewall logs with port numbers completely separate from the webserver logs. Looking at article 25 of GDPR, it is clear that IP addresses are pseudonymized data in the firewall logs, as there are only 2 ways to connect the IP address to a physical person. 1. Court order