Re: I-D draft-petersson-forwarded-for-00.txt

In message <20110408153631.GD13348@1wt.eu>, Willy Tarreau writes:
>On Fri, Apr 08, 2011 at 02:08:09PM +0000, Poul-Henning Kamp wrote:

>> And then we SHOULD strongly encourage that they follow this form:
>> 
>> 	src-IP ':' src-port [ '/' dst-IP ':' dst-port ]
>
>While I agree with the principle, I would render the port optional.
>It's almost always wrong anyway because you have the equipments in
>the following order :
>
>   client
>   firewall
>   load balancer
>   reverse-proxy
>   ...
>   server
>
>The load balancer almost always translates the source port (unless it's
>doing DSR, which is progressively disappearing), and nobody can correlate
>this source port seen by the reverse-proxy to anything logged anywhere.
>So while there are *some* situations where the port can be exploited, in
>practice where admins do care about logs, it's meaningless.

You overlooked the bit about it only having meaning in the context
where it was generated.  To derive that meaning, you will need to
investigate logs from firewalls, load balancers and everything else.

But IP+port is what identifies the far end, and is the only handle
you can give the police for the remote end.  What the remote end
or the police can do with it is their problem.

So we should log the port number, always.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 8 April 2011 15:59:10 UTC
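As an added illustration of the format under discussion (this is example code written for this page, not code from the thread, from the draft, or from either author), the parser below accepts the proposed `src-IP ':' src-port [ '/' dst-IP ':' dst-port ]` form with the port made optional as Willy proposes, validates each address and port before anything reaches a log, and renders a canonical string that flags a missing source port, which is the case PHK argues should not occur. Two assumptions are not in the thread: an IPv6 literal is assumed to be written in square brackets (`[2001:db8::1]:443`) so its colons do not collide with the port separator, and ports are assumed to be in 1..65535. The sample values are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Grammar proposed in the thread, with the port made optional as Willy suggests:
#     src-IP [':' src-port] [ '/' dst-IP [':' dst-port] ]
# Assumption (not stated in the thread): an IPv6 literal is written in square
# brackets, e.g. "[2001:db8::1]:443", so that its own colons do not collide
# with the ':' that introduces the port.
_ENDPOINT_RE = re.compile(
    r"\A(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+))"  # bracketed IPv6 or dotted IPv4
    r"(?::(?P<port>\d{1,5}))?\Z"                         # optional ':' port
)


@dataclass(frozen=True)
class Endpoint:
    ip: IPAddress
    port: Optional[int]  # None when the sender omitted it


@dataclass(frozen=True)
class ForwardedEntry:
    src: Endpoint
    dst: Optional[Endpoint]  # None when the '/' dst part is absent


def parse_endpoint(text: str) -> Endpoint:
    """Parse one 'IP[:port]' token; raise ValueError on anything else."""
    m = _ENDPOINT_RE.match(text)
    if m is None:
        raise ValueError(f"malformed endpoint: {text!r}")
    # ipaddress rejects partial or out-of-range addresses such as "192.0.2.999".
    ip = ipaddress.ip_address(m.group("v6") or m.group("v4"))
    port: Optional[int] = None
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 1 <= port <= 65535:  # assumed valid range
            raise ValueError(f"port out of range: {port}")
    return Endpoint(ip, port)


def parse_entry(text: str) -> ForwardedEntry:
    """Parse 'src[/dst]' as received from the upstream proxy."""
    src_text, sep, dst_text = text.strip().partition("/")
    src = parse_endpoint(src_text)
    dst = parse_endpoint(dst_text) if sep else None
    return ForwardedEntry(src, dst)


def format_endpoint(ep: Endpoint) -> str:
    host = f"[{ep.ip}]" if ep.ip.version == 6 else str(ep.ip)
    return host if ep.port is None else f"{host}:{ep.port}"


def format_entry(entry: ForwardedEntry) -> str:
    out = format_endpoint(entry.src)
    if entry.dst is not None:
        out += "/" + format_endpoint(entry.dst)
    return out


def is_valid_entry(text: str) -> bool:
    try:
        parse_entry(text)
    except ValueError:
        return False
    return True


def log_field(text: str) -> str:
    """Canonical string for the access log. Untrusted input that does not
    parse is replaced by a fixed marker instead of being copied into the log
    verbatim, and an entry whose source port is missing is flagged, since the
    thread's point is that IP+port together identify the far end."""
    try:
        entry = parse_entry(text)
    except ValueError:
        return "forwarded=INVALID"
    field = "forwarded=" + format_entry(entry)
    if entry.src.port is None:
        field += " forwarded_port=missing"
    return field


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ("192.0.2.10:51234/198.51.100.7:443", "[2001:db8::1]:8080",
                   "192.0.2.10", "192.0.2.999:80", "192.0.2.10:80\r\nX-Injected: 1"):
        print(f"{sample!r:45} -> {log_field(sample)}")
```

The parse step is deliberately strict: a header value that a downstream component will later correlate with firewall and load-balancer logs is only useful if it is well-formed, and a value that fails to parse is recorded as a fixed marker rather than echoed into the log line.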