| draft-ietf-intarea-server-logging-recommendations-01.txt | draft-ietf-intarea-server-logging-recommendations-02.txt | |||
|---|---|---|---|---|
| skipping to change at page 1, line 14 | skipping to change at page 1, line 14 | |||
| Internet-Draft Juniper Networks | Internet-Draft Juniper Networks | |||
| Intended status: BCP I. Gashinsky | Intended status: BCP I. Gashinsky | |||
| Expires: July 23, 2011 Yahoo! Inc. | Expires: July 23, 2011 Yahoo! Inc. | |||
| D. Lee | D. Lee | |||
| Facebook, Inc. | Facebook, Inc. | |||
| S. Sheppard | S. Sheppard | |||
| ATT Labs | ATT Labs | |||
| January 19, 2011 | January 19, 2011 | |||
| Logging recommendations for Internet facing servers | Logging recommendations for Internet facing servers | |||
| draft-ietf-intarea-server-logging-recommendations-01 | draft-ietf-intarea-server-logging-recommendations-02 | |||
| Abstract | Abstract | |||
| In the wake of IPv4 exhaustion and deployment of IP address sharing | In the wake of IPv4 exhaustion and deployment of IP address sharing | |||
| techniques, this document recommends that Internet facing servers log | techniques, this document recommends that Internet facing servers log | |||
| port number and accurate timestamps in addition to the incoming IP | port number and accurate timestamps in addition to the incoming IP | |||
| address. | address. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 3, line 39 | skipping to change at page 3, line 39 | |||
| port(s) were associated with which user and external IPv4 address at | port(s) were associated with which user and external IPv4 address at | |||
| any given point in time. In the past to support abuse mitigation or | any given point in time. In the past to support abuse mitigation or | |||
| public safety requests, the knowledge of the external global IP | public safety requests, the knowledge of the external global IP | |||
| address was enough to identify a subscriber of interest. With | address was enough to identify a subscriber of interest. With | |||
| address sharing technologies, only providing information about the | address sharing technologies, only providing information about the | |||
| external public address associated with a session to a service | external public address associated with a session to a service | |||
| provider is no longer sufficient information to unambiguously | provider is no longer sufficient information to unambiguously | |||
| identify customers. | identify customers. | |||
| Note: this document provides recommendations for Internet facing | Note: this document provides recommendations for Internet facing | |||
| servers logging incoming connections. Its does not provide any | servers logging incoming connections. It does not provide any | |||
| recommendations about logging on carrier-grade NAT or other address | recommendations about logging on carrier-grade NAT or other address | |||
| sharing tools. | sharing tools. | |||
| 2. Recommendations | 2. Recommendations | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| It is RECOMMENDED as best current practice that Internet facing | It is RECOMMENDED as best current practice that Internet facing | |||
| servers logging incoming IP addresses also log: | servers logging incoming IP addresses also log: | |||
| o The source port number. | o The source port number. | |||
| o A timestamp, preferably in UTC, accurate to the second, from a | o A timestamp, RECOMMENDED in UTC, accurate to the second, from a | |||
| traceable time source (e.g. NTP). | traceable time source (e.g. NTP). | |||
| o The transport protocol (usually TCP or UDP) and destination port | o The transport protocol (usually TCP or UDP) and destination port | |||
| number, when the server application is defined to use multiple | number, when the server application is defined to use multiple | |||
| transports or multiple ports. | transports or multiple ports. | |||
| Discussion: Carrier-grade NATs may have different policies to recycle | Discussion: Carrier-grade NATs may have different policies to recycle | |||
| ports, some implementations may decide to reuse ports almost | ports, some implementations may decide to reuse ports almost | |||
| immediately, some may wait several minutes before marking the port | immediately, some may wait several minutes before marking the port | |||
| ready for reuse. As a result, servers have no idea how fast the | ready for reuse. As a result, servers have no idea how fast the | |||
| skipping to change at page 4, line 35 | skipping to change at page 4, line 35 | |||
| web servers and email servers. | web servers and email servers. | |||
| Although the deployment of address sharing techniques is not | Although the deployment of address sharing techniques is not | |||
| immediately foreseen in IPv6, the above recommendations apply to both | immediately foreseen in IPv6, the above recommendations apply to both | |||
| IPv4 and IPv6, if only for consistency and code simplification | IPv4 and IPv6, if only for consistency and code simplification | |||
| reasons. | reasons. | |||
| Discussions about data retention policies are out of scope for this | Discussions about data retention policies are out of scope for this | |||
| document. | document. | |||
| The above recommendation also applies to devices such as load- | The above recommendations also applies to devices such as load- | |||
| balancers logging incoming connections on behalf of actual servers. | balancers logging incoming connections on behalf of actual servers. | |||
| 3. ISP Considerations | 3. ISP Considerations | |||
| ISP deploying IP address sharing techniques should also deploy a | ISP deploying IP address sharing techniques should also deploy a | |||
| corresponding logging architecture to maintain records of the | corresponding logging architecture to maintain records of the | |||
| relation between customers identity and IP/port resources they | relation between a customer's identity and IP/port resources | |||
| utilize. However, recommendation on this topic are out of scope for | utilized. However, recommendations on this topic are out of scope | |||
| this document. | for this document. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| None. | None. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| In the absence of source port number and accurate timestamp, | In the absence of source port number and accurate timestamp, | |||
| operators deploying any address sharing techniques will not be able | operators deploying any address sharing techniques will not be able | |||
| to identify unambiguously customers when dealing with abuse or public | to identify unambiguously customers when dealing with abuse or public | |||
| End of changes. 5 change blocks. | ||||
| 7 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||