On 26/04/2018 04:07, Amelia Andersdotter wrote:
> On 2018-04-25 14:42, mohamed.boucad...@orange.com wrote:
>> You could have two different objections to the draft:
>>
>> 1. The IETF does not, in general, recommend grace periods or time
>> periods for logging, caching, etc. That's just wrong - I
On Apr 25, 2018, at 2:49 PM, Povl H. Pedersen wrote:
> If we have performance issues, a drill down might be performed when the right
> people are involved. And in a few cases we have located some low and slow
> attacks and ended up blocking IPs. Usually 1 or 2. So it is
I know what the web people are using the logs for. Most of the stuff they could
likely do without an IP address.
If we have performance issues, a drill down might be performed when the right
people are involved. And in a few cases we have located some low and slow
attacks and ended up
On 2018-04-25 13:16, Povl H. Pedersen wrote:
> I would keep full IP address + port info in my firewall log. Separate
> from the webserver log. This to help the webguys not abusing collected
> data.
> Having talked to the webguys, they use the logfiles in daily
> operations, and they see them as
On 2018-04-25 14:42, mohamed.boucad...@orange.com wrote:
> You could have two different objections to the draft:
>
> 1. The IETF does not, in general, recommend grace periods or time
> periods for logging, caching, etc. That's just wrong - I find loads of
> examples in old and new RFCs of
Well, you know where I’ll be! :-)
daveor
> On 25 Apr 2018, at 14:55, Ted Lemon wrote:
>
> On Apr 25, 2018, at 9:50 AM, Dave O'Reilly wrote:
>> In that case - that’s substantially all that’s in my Internet Draft. Where
>> do you see a difference between the
On Apr 25, 2018, at 9:50 AM, Dave O'Reilly wrote:
> In that case - that’s substantially all that’s in my Internet Draft. Where do
> you see a difference between the content of the Internet Draft and this
> apparent consensus?
In order to answer this I'm going to have to
Oh OK!
In that case - that’s substantially all that’s in my Internet Draft. Where do
you see a difference between the content of the Internet Draft and this
apparent consensus?
daveor
> On 25 Apr 2018, at 14:47, Ted Lemon wrote:
>
> On Apr 25, 2018, at 9:44 AM, Dave
On Apr 25, 2018, at 9:44 AM, Dave O'Reilly wrote:
> Sorry, I may have misread your email. Are you saying that there are times
> when it makes sense to log IP, but NO times in which it makes sense to log
> source port? Or something different?
No, I'm saying that if it makes
Sorry, I may have misread your email. Are you saying that there are times when
it makes sense to log IP, but NO times in which it makes sense to log source
port? Or something different?
daveor
> On 25 Apr 2018, at 14:39, Ted Lemon wrote:
>
> On Apr 25, 2018, at 9:36 AM,
On Apr 25, 2018, at 9:36 AM, Dave O'Reilly wrote:
> OK, and what are the disadvantages of logging source port? Specifically, what
> are the differential disadvantages between logging IP address and source port
> versus only logging IP address?
I don't think there are times
On Apr 25, 2018, at 5:47 AM, Dave O'Reilly wrote:
> Considering the examples I provided, would you be prepared to agree that
> there exist situations where it would be useful to have source port logged
> alongside IP address?
I think I already agreed that that was true. I
Re-,
Please see inline.
Cheers,
Med
> -Original Message-
> From: Int-area [mailto:int-area-boun...@ietf.org] On Behalf Of Amelia
> Andersdotter
> Sent: Wednesday 25 April 2018 14:37
> To: int-area@ietf.org
> Subject: Re: [Int-area] WG adoption call: Availability of Information in
>
On 2018-04-25 13:27, mohamed.boucad...@orange.com wrote:
> SHOULD NOT store logs of incoming IP addresses from inbound
>
> traffic for longer than three days.
>
>
>
> The above proposed text does not make sense to me. The IETF does not
> have to make a call on such matters.
>
>
>
Re-,
I think we are in agreement.
Please note there is ** NO RFC ** which mandates logs to be kept 3 days.
I guess you are referring to this text from Amelia’s I-D (which reflects the
author’s opinion):
SHOULD NOT store logs of incoming IP addresses from inbound
traffic for longer
I would keep full IP address + port info in my firewall log. Separate from
the webserver log. This to help the webguys not abusing collected data.
Having talked to the webguys, they use the logfiles in daily operations,
and they see them as necessary to provide continuous delivery of the services
to
Ted,
In response to this email, I refer you to the response I just wrote to Brian E
Carpenter’s email.
Considering the examples I provided, would you be prepared to agree that there
exist situations where it would be useful to have source port logged alongside
IP address?
daveor
> On 24
I think Brian has made a great point below. I’d like to provide a few more
examples (all real) of scenarios where criminal investigations can rely heavily
on the logs retained by the victim or the platform.
1. A person running a content business (e.g. blog) and their platform is
compromised
Re-,
Please see inline.
Cheers,
Med
From: Povl H. Pedersen [mailto:p...@my.terminal.dk]
Sent: Wednesday 25 April 2018 11:05
To: BOUCADAIR Mohamed IMT/OLN
Cc: int-a...@ietfa.amsl.com
Subject: Re: [Int-area] WG adoption call: Availability of Information in
Criminal Investigations Involving
If we are at say a /20 or /22 (that is 2000-8000 possible IP addresses),
and we have the source port, then the ISP should be able to see which of
these addresses has the given source port to our destination IP and port.
With a timestamp, the risk of collision is low. And the police can at least
> On 25 Apr 2018, at 05:59, Amelia Andersdotter wrote:
>
> On 2018-04-25 03:22, Ted Lemon wrote:
>> On Apr 24, 2018, at 7:57 PM, Brian E Carpenter
>> > wrote:
>>> Clearly not, but operations people are much
> On 24 Apr 2018, at 16:41, Tom Herbert wrote:
>>
>> Although not explicitly stated, your message is certainly implying that the
>> conclusion of your argument is … and therefore we should do nothing.
>>
>> I agree with you that the world is not perfect - when I’m in an
Dear Povl,
Thank you for sharing your thoughts.
I have one comment and two clarification questions:
- Wouldn’t logging based /20-/22 nullify the interest to log source ports for
investigations? Multiple subscribers may be assigned the same port in the /20
or /22 range.
- GeoIP (whatever that
Where I work, we keep the firewall logs with port numbers completely
separate from the webserver logs.
Looking at article 25 of GDPR, it is clear that IP addresses are
pseudonymized data in the firewall logs, as there are only 2 ways to
connect the IP address to a physical person.
1. Court order