draft-ietf-intarea-server-logging-recommendations-01.txt   draft-ietf-intarea-server-logging-recommendations-02.txt 
skipping to change at page 1, line 14 skipping to change at page 1, line 14
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: BCP I. Gashinsky Intended status: BCP I. Gashinsky
Expires: July 23, 2011 Yahoo! Inc. Expires: July 23, 2011 Yahoo! Inc.
D. Lee D. Lee
Facebook, Inc. Facebook, Inc.
S. Sheppard S. Sheppard
ATT Labs ATT Labs
January 19, 2011 January 19, 2011
Logging recommendations for Internet facing servers Logging recommendations for Internet facing servers
draft-ietf-intarea-server-logging-recommendations-01 draft-ietf-intarea-server-logging-recommendations-02
Abstract Abstract
In the wake of IPv4 exhaustion and deployment of IP address sharing In the wake of IPv4 exhaustion and deployment of IP address sharing
techniques, this document recommends that Internet facing servers log techniques, this document recommends that Internet facing servers log
port number and accurate timestamps in addition to the incoming IP port number and accurate timestamps in addition to the incoming IP
address. address.
Status of this Memo Status of this Memo
skipping to change at page 3, line 39 skipping to change at page 3, line 39
port(s) were associated with which user and external IPv4 address at port(s) were associated with which user and external IPv4 address at
any given point in time. In the past to support abuse mitigation or any given point in time. In the past to support abuse mitigation or
public safety requests, the knowledge of the external global IP public safety requests, the knowledge of the external global IP
address was enough to identify a subscriber of interest. With address was enough to identify a subscriber of interest. With
address sharing technologies, only providing information about the address sharing technologies, only providing information about the
external public address associated with a session to a service external public address associated with a session to a service
provider is no longer sufficient information to unambiguously provider is no longer sufficient information to unambiguously
identify customers. identify customers.
Note: this document provides recommendations for Internet facing Note: this document provides recommendations for Internet facing
servers logging incoming connections. Its does not provide any servers logging incoming connections. It does not provide any
recommendations about logging on carrier-grade NAT or other address recommendations about logging on carrier-grade NAT or other address
sharing tools. sharing tools.
2. Recommendations 2. Recommendations
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
It is RECOMMENDED as best current practice that Internet facing It is RECOMMENDED as best current practice that Internet facing
servers logging incoming IP addresses also log: servers logging incoming IP addresses also log:
o The source port number. o The source port number.
o A timestamp, preferably in UTC, accurate to the second, from a o A timestamp, RECOMMENDED in UTC, accurate to the second, from a
traceable time source (e.g. NTP). traceable time source (e.g. NTP).
o The transport protocol (usually TCP or UDP) and destination port o The transport protocol (usually TCP or UDP) and destination port
number, when the server application is defined to use multiple number, when the server application is defined to use multiple
transports or multiple ports. transports or multiple ports.
Discussion: Carrier-grade NATs may have different policies to recycle Discussion: Carrier-grade NATs may have different policies to recycle
ports, some implementations may decide to reuse ports almost ports, some implementations may decide to reuse ports almost
immediately, some may wait several minutes before marking the port immediately, some may wait several minutes before marking the port
ready for reuse. As a result, servers have no idea how fast the ready for reuse. As a result, servers have no idea how fast the
skipping to change at page 4, line 35 skipping to change at page 4, line 35
web servers and email servers. web servers and email servers.
Although the deployment of address sharing techniques is not Although the deployment of address sharing techniques is not
immediately foreseen in IPv6, the above recommendations apply to both immediately foreseen in IPv6, the above recommendations apply to both
IPv4 and IPv6, if only for consistency and code simplification IPv4 and IPv6, if only for consistency and code simplification
reasons. reasons.
Discussions about data retention policies are out of scope for this Discussions about data retention policies are out of scope for this
document. document.
The above recommendation also applies to devices such as load- The above recommendations also applies to devices such as load-
balancers logging incoming connections on behalf of actual servers. balancers logging incoming connections on behalf of actual servers.
3. ISP Considerations 3. ISP Considerations
ISP deploying IP address sharing techniques should also deploy a ISP deploying IP address sharing techniques should also deploy a
corresponding logging architecture to maintain records of the corresponding logging architecture to maintain records of the
relation between customers identity and IP/port resources they relation between a customer's identity and IP/port resources
utilize. However, recommendation on this topic are out of scope for utilized. However, recommendations on this topic are out of scope
this document. for this document.
4. IANA Considerations 4. IANA Considerations
None. None.
5. Security Considerations 5. Security Considerations
In the absence of source port number and accurate timestamp, In the absence of source port number and accurate timestamp,
operators deploying any address sharing techniques will not be able operators deploying any address sharing techniques will not be able
to identify unambiguously customers when dealing with abuse or public to identify unambiguously customers when dealing with abuse or public
 End of changes. 5 change blocks. 
7 lines changed or deleted 7 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/