> -----Original Message-----
> From: Wesley Eddy [mailto:w...@mti-systems.com]
> Sent: Wednesday, August 08, 2012 8:26 PM
> To: Dan Wing
> Cc: 'Scott Brim'; 'Joe Touch'; 'Internet Area'; 'Behcet Sarikaya'
> Subject: Re: [Int-area] Completion of working group last call for
> draft-ietf-intarea-nat-reveal-analysis-02
> 
> On 8/8/2012 11:30 AM, Dan Wing wrote:
> > Today's Internet users, which are not sharing addresses with other
> > users, are sending a uniquely-identifiable identifier to every
> > Internet server they use:  their unique IP address.
> 
> Users don't have IP addresses.  Machines do.  Which are
> we trying to identify again?  I think the distinction
> is important since the relation between users and devices
> can be one-to-many, or many-to-one, and certainly isn't
> one-to-one, even if we went back in time when the
> relation between end-host machines and addresses might
> have been closer to one-to-one.
> 
> I also don't think user and subscriber are synonyms for
> many purposes, though some of the reveal-analysis seems to
> be more oriented towards identifying the access network
> subscriber.  

RFC6269 section 13.1 mixes the term 'subscriber' itself:

   When an abuse is reported today, it is usually done in the form: IPv4
   address X has done something bad at time T0.  This is not enough
   information to uniquely identify the subscriber responsible for the
........................................^^^^^^^^^^
   abuse when that IPv4 address is shared by more than one subscriber.
...........................................................^^^^^^^^^^

   Second and more likely is that one user who fails a number of login 
......................................^^^^
   attempts may block out other users who have not made any previous 
................................^^^^^
   attempts but who will now fail on their first attempt.


> That subscriber generally may have quite a few users 
> and machines behind them.

draft-ietf-intarea-nat-reveal-analysis is not analyzing that problem.

Today's IP address penalty boxes do not attempt to distinguish
between the hacker son at home doing a dictionary attack against
a mailserver and the mom trying to legitimately login to that
same mailserver.  The mailserver will protect itself from the
dictionary attack by putting that offending IP address into a
penalty box.  


The different problem that draft-ietf-intarea-nat-reveal-analysis is
analyzing is when multiple subscribers can no longer be individually 
identified by their IP address because of IP address sharing.  This
means the hacker son (in the scenario in the previous paragraph) can
now deny service to everyone else sharing that same IP address, which
could be dozens or hundreds of subscribers.

We might replace 'hacker son' with 'compromised host'.

-d
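Worked illustration of the penalty-box collateral damage described in the message above, added here as example code (not from the thread, the draft, or any IETF document); the address, threshold, actors and auth events are constructed, and the two key functions are assumptions about how a server might key its penalty box.

```python
from collections import defaultdict

# Constructed sample: one CGN-shared address (RFC 5737 documentation range)
SHARED_IP = "203.0.113.10"
FAILURE_THRESHOLD = 5

# Constructed auth events: (source_ip, actor, account, success).
# "son" runs a dictionary attack on account "victim"; "mom" then logs
# in legitimately from the same shared address.
EVENTS = [(SHARED_IP, "son", "victim", False)] * 6 + [
    (SHARED_IP, "mom", "mom", True),
]

class PenaltyBox:
    """Count failures per key; block the key once it hits the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.blocked = set()

    def allowed(self, key):
        return key not in self.blocked

    def record(self, key, success):
        if not success:
            self.failures[key] += 1
            if self.failures[key] >= self.threshold:
                self.blocked.add(key)

def replay(events, key_fn, threshold=FAILURE_THRESHOLD):
    """Return the actors that had a request rejected by a box keyed by key_fn."""
    box = PenaltyBox(threshold)
    denied = set()
    for ip, actor, account, ok in events:
        key = key_fn(ip, account)
        if not box.allowed(key):
            denied.add(actor)  # rejected before credentials are even checked
            continue
        box.record(key, ok)
    return denied

def denied_by_ip_only():
    # Today's penalty box: keyed on the source address alone.
    return replay(EVENTS, lambda ip, account: ip)  # -> {"son", "mom"}

def denied_by_ip_and_account():
    # Finer key: the shared address is blocked only for the attacked account.
    return replay(EVENTS, lambda ip, account: (ip, account))  # -> {"son"}
```

Keying on the account as well removes the collateral lockout in this sample but does not separate the two actors behind the address, which is the gap the draft's per-subscriber identifiers are meant to close.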


_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area