"Murray S. Kucherawy" <
msk@...> wrote:
>> -----Original Message-----
>> From:
ietf-bounces@... [mailto:
ietf-bounces@...] On Behalf
>Of Scott Kitterman
>> Sent: Monday, May 07, 2012 3:35 PM
>> To:
ietf@...
>> Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt>
>(Source Ports in ARF Reports) to Proposed Standard
>>
>> My suggestion would be to change the last part of section three to
>> read:
>>
>> When any authentication failure report [AUTHFAILURE-REPORT] is
>generated
>> that includes the "Source-IP" reporting field (see Section 3.1 of
>> [AUTHFAILURE-REPORT]]), this field MAY also be included.
>>
>> Other than that, I think it's ready to go.
>
>If all one is doing is figuring out why something like a DKIM signature
>failed on an otherwise legitimate message, then I agree the source port
>isn't a useful input to that work. In fact, as far as DKIM goes, the
>source IP address is probably not useful either.
>
>If, however, one is trying to track down the transmission of fraudulent
>email such as phishing attacks, source ports can be used to identify
>the perpetrator more precisely when compared to logs. Support for this
>latter use case is why I believe RECOMMENDED is appropriate.
Which is exactly the case (abuse report) the second to last paragraph takes care of. I agree RECOMMENDED is appropriate there and you have it there.
For auth failure analysis I read you as agreeing it's not needed. There are some authorization methods that use IP address, so I don't think that for auth failure reports inclusion of IP address and source port are comparable.
Based on your response, I don't understand your objection to dropping the RECOMMENDS for auth failure reports and keeping it for abuse reports?
