Daily Archives: 2012-08-05

Source Ports in ARF Reports

Long time readers may recall my posts from Jan 2010 about the need for security logging to include source port numbers — because of the growth of ‘Carrier Grade NAT’ (CGN) systems that share one IPv4 address between hundreds, possibly thousands, of users. These systems are widely used by the mobile companies and the ‘exhaustion‘ of IPv4 address space will lead to many other ISPs deploying them.

A key impact of CGNs is that if you want to trace back “who did that” you may need to have recorded not only an IP address and an accurate timestamp, but also to be able to provide the source port of the connection. Failure to provide the source port will mean that an ISP using CGN will not be able to do any tracing, because they will be unable to distinguish between hundreds of possible perpetrators. In June 2011 the IETF published an RFC (6302) which sets out chapter and verse for this issue and sets out Best Practice for security logging systems.

Earlier this year, at the M3AAWG meeting in San Francisco, I talked with the people who have developed the Abuse Reporting Format (ARF). The idea of ARF is that abuse reports will be in standard format — allowing the use of automation at both sender and receiver. Unfortunately ARF didn’t include a field for the source port….

… but it does now, because RFC 6692 has recently been published. My name is on it, but in reality all of the work on it that mattered was done by Murray Kucherawy who wrote the initial draft, who has tweaked the text to address working group concerns and who has guided it through the complexities of the IETF process. Thanks to Murray, the mechanisms for dealing with abuse have now become just a little bit better.