Network Working Group D. Skoll Internet-Draft Roaring Penguin Software Inc. Intended status: Informational October 21, 2011 Expires: April 23, 2012 Reputation Reporting Protocol draft-dskoll-reputation-reporting-03 Abstract This draft specifies a protocol for reporting various events associated with IP addresses. These events can be collected and aggregated to form a database containing information about the reputation of IP addresses. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 23, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Skoll Expires April 23, 2012 [Page 1] Internet-Draft Reputation Reporting Protocol October 2011 Table of Contents 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Report Format . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Subreports . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Subreport Formats . . . . . . . . . . . . . . . . . . . . 5 5. Subreport Format Definitions . . . . . . . . . . . . . . . . . 6 5.1. IP Address Subreports . . . . . . . . . . . . . . . . . . 6 5.1.1. IP Address Event Types . . . . . . . . . . . . . . . . 6 5.2. Repeated IP Address Subreports . . . . . . . . . . . . . . 7 5.3. Vendor Number Subreport . . . . . . . . . . . . . . . . . 7 5.4. Software Name Subreport . . . . . . . . . . . . . . . . . 7 5.5. Software Version Subreport . . . . . . . . . . . . . . . . 8 5.6. End-User Subreport . . . . . . . . . . . . . . . . . . . . 8 5.7. Vendor-Specific Subreport . . . . . . . . . . . . . . . . 8 6. Hierarchical Aggregation . . . . . . . . . . . . . . . . . . . 8 6.1. Collector Level Subreport . . . . . . . . . . . . . . . . 9 7. Report Restrictions . . . . . . . . . . . . . . . . . . . . . 9 8. Report Layout . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Sample Report . . . . . . . . . . . . . . . . . . . . . . 11 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 11. Normative References . . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14 Skoll Expires April 23, 2012 [Page 2] Internet-Draft Reputation Reporting Protocol October 2011 1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Introduction Several organizations (Project Honeypot, Spamhaus, RepuScore, etc.) maintain databases detailing the reputation of various IP address. These organizations use various ad hoc methods to collect the reputation data. There is no standard for reporting events to reputation-collectors; this makes it hard to instrument a large number of systems to be data gatherers in a standard way. This draft proposes a standard for reporting events back to a reputation-collecting system. A standard way to report events will make it easy to instrument systems to collect data and report it to one or more reputation-collection systems. This standard has the following goals: 1. To be bandwidth-efficient. The overhead for event-reporting should be as small as possible. 2. To include security mechanisms such as authentication and anti- replay mechanisms. 3. To handle both IPv4 and IPv6. 4. To be open to extension in future. 5. To be scalable. Sending reports should be as quick and easy as possible. The hosts receiving reports should be able to receive and process a large volume of reports with as little CPU and network overhead as possible. This protocol is currently in use by Roaring Penguin Software Inc's CanIt anti-spam products. A web page devoted to the protocol is found at http://www.mimedefang.org/reputation; this page includes a link to a mailing list for discussions of the protocol. 3. Definitions An EVENT is the basic unit of reputation reporting. An event consists of an IPv4 or IPv6 address and an associated event TYPE. Examples of event types are "SMTP client at IP address issued an SMTP RCPT command for a nonexistent recipient" or "SMTP client at IP address delivered an email message considered by a human to be spam." Skoll Expires April 23, 2012 [Page 3] Internet-Draft Reputation Reporting Protocol October 2011 A SUBREPORT is usually a list of one or more events. However, a subreport may contain other types of information such as software name, version, etc. A SENSOR is a system that reports events. An AGGREGATOR is a system that receives events and builds a reputation database. A REPORT is a series of subreports sent from a sensor to an aggregator. A USER NAME is included in each report. The user name is a key used by the aggregator to look up a shared secret. A SHARED SECRET is used by the sensor and aggregator to authenticate reports. A REPUTATION DATABASE is a dictionary indexed by IPv4 or IPv6 address that contains reputation information about a particular IP address. Note that the exact format of the reputation database as well as what constitutes "reputation" are beyond the scope of this document. We are concerned only with a standard for reporting events. 4. Report Format Reports are transported via UDP. The aggregator SHOULD listen for UDP packets on port 6568, the IANA-assigned port number for this protocol [PORTS]. A report consists of the following items: o A one-byte protocol version number. The version number is 2. An aggregator MUST ignore a report with a version number other than 2. o A one-byte number indicating the length of a user name. A username MUST range from 0 to 63 bytes in length. An aggregator MUST reject a report with an over-long user name. o A sequence of bytes indicating a user name. This name is not terminated with a zero byte. While this document does not specify the form of a user name, it SHOULD be a valid UTF-8 string. o Eight randomly-generated bytes. These bytes SHOULD be generated with a cryptographically-secure random number generator. o A four-byte timestamp in network byte order. This is constructed by computing the current time in seconds since midnight, January 1 1970 UTC as an unsigned integer, and taking the low-order 32 bits of the result. Skoll Expires April 23, 2012 [Page 4] Internet-Draft Reputation Reporting Protocol October 2011 o One or more SUBREPORTS. o An End of Reports (EOR) byte. o Finally, ten bytes consisting of the ten most-significant bytes (in network byte order) of the SHA1 HMAC digest [RFC2104] of all data from the version number up to and including the EOR byte. The password used to calculate the HMAC is a shared secret known by the sensor; the aggregator MUST look up the secret based on the user name in the report. An aggregator MUST reject a report that fails to validate. It SHOULD log information about invalid reports. 4.1. Subreports A subreport consists of either the single byte 0, indicating the end of the subreports, or a three-byte preamble followed by the subreport contents. The three-byte preamble consists of: o One FORMAT byte. o A two-byte LENGTH field. This is a 16-bit unsigned integer in network byte order indicating the length of the subreport contents, not including the three-byte preamble. 4.2. Subreport Formats The following subreport formats are defined. The value of the FORMAT byte is given in decimal. o 0. EOR. (End of Reports) This signifies the end of the subreports in the report. It MUST NOT be followed by a LENGTH field. o 1. IPv4-EVENTS. The LENGTH must be a multiple of 5. o 2. IPv6-EVENTS. The LENGTH must be a multiple of 17. o 3. REPEATED-IPv4-EVENTS. The LENGTH must be a multiple of 6. o 4. REPEATED-IPv6-EVENTS. The LENGTH must be a multiple of 18. o 5. VENDOR-NUMBER. The LENGTH MUST be 3. o 6. SOFTWARE-NAME. The LENGTH can range from 1 to 63. o 7. SOFTWARE-VERSION. The LENGTH can range from 1 to 31. o 8. END-USER. The LENGTH can range from 1 to 31. o 9 through 126. RESERVED. A sensor MUST NOT create a subreport with a RESERVED FORMAT value. An aggregator MUST ignore such a subreport. o 127. COLLECTOR-LEVEL. The LENGTH MUST be 2. See the section "Hierarchical Aggregation". o 128 through 254. VENDOR-SPECIFIC. The report MUST contain a VENDOR-NUMBER subreport before any VENDOR-SPECIFIC subreport. o 255. RESERVED. An aggregator MUST skip over subreports with format values it does Skoll Expires April 23, 2012 [Page 5] Internet-Draft Reputation Reporting Protocol October 2011 not understand. (It can do this by skipping ahead LENGTH bytes.) An aggregator MUST ignore the entire report if any subreports have invalid LENGTHs. For example, it MUST reject a subreport of IPv4- EVENTS if the LENGTH is not a multiple of 5. The aggregator SHOULD log information about invalid reports. 5. Subreport Format Definitions The following sections define exactly how various subreports are formatted. 5.1. IP Address Subreports FORMAT values 1 and 2 specify IPv4 and IPv6 subreports, respectively. Each IPv4 and IPv6 subreport contains one or more events. The length of each IPv4 event is 5, and the length of each IPv6 event is 17. The events themselves consist of: o The 4-byte IPv4 address or the 16-byte IPv6 address in network byte order. o A one-byte EVENT TYPE. 5.1.1. IP Address Event Types The following event types are defined for IPv4 and IPv6 events: o 0. RESERVED: Event type 0 is reserved. A sensor MUST NOT report events of type 0. o 1. GREYLISTED: An SMTP client at the specified IP address was greylisted. Greylisting is described in [GREY]. o 2. UNGREYLISTED: An SMTP client at the specified IP address was previously greylisted, but has now passed the greylisting test. o 3. AUTO-SPAM: An SMTP client at the specified IP address sent a message that was considered to be spam by automatic filtering software. o 4. HAND-SPAM: An SMTP client at the specified IP address sent a message that was considered to be spam by a human being. o 5. AUTO-HAM: An SMTP client at the specified IP address sent a message that was considered to be non-spam by automatic filtering software. o 6. HAND-HAM: An SMTP client at the specified IP address sent a message that was considered to be non-spam by a human being. o 7. VALID-RECIPIENT: An SMTP client at the specified IP address issued an SMTP RCPT command that specified a valid recipient address. Skoll Expires April 23, 2012 [Page 6] Internet-Draft Reputation Reporting Protocol October 2011 o 8. INVALID-RECIPIENT: An SMTP client at the specified IP address issued an SMTP RCPT command that specified an invalid recipient address. o 9. VIRUS: An SMTP client at the specified IP address transmitted a message considered to be a virus by virus-scanning software. o 10 - 255. FUTURE: Event types ranging from 10 to 255 are reserved for future use. 5.2. Repeated IP Address Subreports FORMAT values 3 and 4 specify REPEATED-IPv4 and REPEATED-IPv6 subreports, respectively. Each REPEATED-IPv4 and REPEATED-IPv6 subreport contains one or more events. The length of each REPEATED- IPv4 event is 6, and the length of each REPEATED-IPv6 event is 18. The events themselves consist of: o The 4-byte IPv4 address or the 16-byte IPv6 address in network byte order. o A one-byte EVENT TYPE. o A one-byte REPEAT. This byte is interpreted as an unsigned number. It MUST be greater than or equal to two. A REPEATED event MUST be interpreted exactly as if REPEAT non-repeated events were received. The EVENT TYPE field for a REPEATED-IPv4 or REPEATED-IPv6 event is exactly the same as for IPv4 or IPv6 events. The extra REPEAT byte allows a sensor to compress up to 255 identical IP address events into a single REPEATED event. 5.3. Vendor Number Subreport FORMAT value 5 specifies the VENDOR-NUMBER subreport. This subreport MUST have a LENGTH of 3. The 3-byte content of the subreport is a 24-bit unsigned integer in network byte order specifying an IANA- assigned Private Enterprise Number [PEN]. The VENDOR-NUMBER subreport is only required if there are subsequent VENDOR-SPECIFIC subreports. 5.4. Software Name Subreport FORMAT value 6 specifies the SOFTWARE-NAME subreport. The LENGTH can range from 1 to 63. The contents MUST be a valid UTF-8 string specifying the name of the software running on the aggregator. The string MUST NOT be zero-terminated. An aggregator MAY include a SOFTWARE-NAME subreport in each report, but MUST NOT include more than one SOFTWARE-NAME subreport. Skoll Expires April 23, 2012 [Page 7] Internet-Draft Reputation Reporting Protocol October 2011 5.5. Software Version Subreport FORMAT value 7 specifies the SOFTWARE-VERSION subreport. The LENGTH can range from 1 to 31. The contents MUST be a valid UTF-8 string (and SHOULD be a valid ASCII string) specifying the version of the software running on the aggregator. The string MUST NOT be zero- terminated. An aggregator MAY include a SOFTWARE-VERSION subreport in each report, but MUST NOT include more than one SOFTWARE-VERSION subreport. If an aggregator includes a SOFTWARE-VERSION subreport, it MUST also include a SOFTWARE-NAME subreport. 5.6. End-User Subreport FORMAT value 8 specifies an END-USER subreport. This report, if present, provides additional information about the specific user who generated subsequent subreports. For example, if an ISP is reporting events, the END-USER subreport may contain enough information for the ISP to determine which of its subscribers reported the events. The contents of the END-USER subreport are a sequence of bytes ranging in length from 1 to 31 bytes. The contents are opaque and have meaning only to the organization running the sensor. 5.7. Vendor-Specific Subreport FORMAT values 128 through 254 specify a VENDOR-SPECIFIC subreport. A VENDOR-SPECIFIC subreport MUST be preceded by a VENDOR-NUMBER subreport. A given report MAY contain more than one VENDOR-NUMBER subreport; the interpretation of a VENDOR-SPECIFIC subreport MUST be made according to the VENDOR-NUMBER subreport that most closely preceded the VENDOR-SPECIFIC subreport. The contents of the subreport are vendor-specific and not defined here. An aggregator that does not understand a VENDOR-SPECIFIC subreport for a given VENDOR-NUMBER MUST ignore the subreport. 6. Hierarchical Aggregation Normally, a sensor detects events directly (for example, it communicates with an MTA to detect events) and reports them to an aggregator, which builds the event database. However, it may be desirable to have an aggregator take all of the events from its sensors and report them to a higher-level "upstream" aggregator. Allowing aggregators to report events to other aggregators introduces the possibility of reporting loops. To break these loops, Skoll Expires April 23, 2012 [Page 8] Internet-Draft Reputation Reporting Protocol October 2011 aggregators MUST include a COLLECTOR-LEVEL subreport. It MUST be the first subreport in the report. A sensor that detects events directly SHOULD NOT include a COLLECTOR- LEVEL subreport. However, if it does include one, it MUST specify a level of zero. An aggregator that will forward reports to another aggregator MUST be configured to have an "intrinsic level" greater than zero. The aggregator MUST reject reports with a COLLECTOR-LEVEL greater than or equal to its intrinsic level. When the aggregator forwards reports, it MUST include a COLLECTOR-LEVEL subreport containing its intrinsic level. (If the original report included a COLLECTOR-LEVEL subreport, the aggregator MUST NOT include the original COLLECTOR-LEVEL report, but MUST replace it with its own COLLECTOR-LEVEL.) Note that assignment and management of intrinsic levels is beyond the scope of this document; such assignment must be agreed upon by aggregator managers based on the hierarchy of sensors and aggregators. 6.1. Collector Level Subreport FORMAT value 127 specifies the COLLECTOR-LEVEL subreport. The LENGTH MUST be 2, and the contents are an unsigned 16-bit integer in network byte order specifying the intrinsic level of the agent sending the report. If the COLLECTOR-LEVEL subreport is present, it MUST be the first subreport. If it is missing, the aggregator MUST assume a COLLECTOR-LEVEL of zero. 7. Report Restrictions A sensor MUST NOT report GREYLISTED or UNGREYLISTED events unless it implements greylisting. A sensor MUST NOT report HAND-SPAM or HAND- HAM events unless it has a reliable system for accepting a human's decision about a message and can show beyond a reasonable doubt that a human in fact made the decision about the reported message. A sensor MUST NOT report VALID-RECIPIENT or INVALID-RECIPIENT events unless it is capable of validating recipient addresses. A sensor MUST NOT report events for an IPv4 address that is not a globally-routable unicast address. In particular, no IPv4 address in the Private Address Space of [RFC1918] should appear in a report, nor should any address in 127/8 nor 224/4. An aggregator MUST ignore such addresses and SHOULD log the fact that they were received. A sensor MUST NOT report events for an IPv6 address that is not an Aggregatable Global Unicast Address as defined in [RFC4291]. An IPv4-compatible IPv6 address or an IPv4-mapped IPv6 address MUST be Skoll Expires April 23, 2012 [Page 9] Internet-Draft Reputation Reporting Protocol October 2011 reported as an IPv4 event and not an IPv6 event. An aggregator MUST ignore events that violate this requirement and SHOULD log the fact that they were received. A sensor MUST NOT report a VIRUS event unless a virus was detected using a signature-based virus scanner. A sensor SHOULD include as many events in its report as necessary to make the report size at least 400 bytes. A sensor MAY send out a shorter report, but MUST NOT do so unless failing to do so would result in loss of data OR unless it has not sent a report within the last hour. For example, if a sensor process is about to exit and has buffered events in memory, it SHOULD report the buffered events before exiting, even if the report size would be less than 400 bytes and even if a report has been sent within the last hour. A sensor SHOULD NOT send a report that would exceed 492 bytes unless it has a priori knowledge that such a large UDP datagram will be received intact by the aggregator. An aggregator MUST be prepared to handle a report as large as the largest possible UDP datagram (65507 bytes of actual data.) A sensor MUST NOT send an empty report (that is, a report with no subreports.) When an aggregator logs information about a report, it MUST log the originating IP address of the report. If the report is well-formed, it MUST log the user name associated with the report. It SHOULD log additional information concerning the disposition of the report and the reason for the disposition. If Hierarchical Aggregation is being used, a sensor MUST NOT report events to more than one aggregator. A lower-level aggregator MUST NOT forward events to more than one higher-level aggregator. These restrictions are required to avoid the possibility of counting the same event more than once. 8. Report Layout The following diagram illustrates the layout of a report. The version byte starts immediately after the UDP header. Skoll Expires April 23, 2012 [Page 10] Internet-Draft Reputation Reporting Protocol October 2011 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | VERSION (=2) | USERNAME LEN | USERNAME ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | USERNAME continued | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EIGHT RANDOM BYTES | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | EIGHT RANDOM BYTES continued | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TIMESTAMP | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FORMAT 1 | LENGTH 1 | DATA 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DATA 1 CONTINUED ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FORMAT 2 | LENGTH 2 | DATA 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DATA 2 CONTINUED ... | EOR (=0) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HMAC DIGEST | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HMAC DIGEST continued | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HMAC DIGEST continued | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Note that there are no alignment requirements or padding bytes. The preceding figure shows some fields aligned to a four-byte boundary purely for ease of drawing. 8.1. Sample Report The following figure shows a sample report. The report is from the user "dfs" with password "foo". It contains two IPv4 events: 192.0.2.2 sent mail automatically classified as spam, and 192.0.2.3 was greylisted. There is a repeated IPv4 event: 192.0.2.4 sent to an invalid recipient 3 times. Finally, There is one IPv6 event: 2001: db8:1d:e4:2e0:18ff:feab:147f sent mail to a valid recipient. The bytes are shown in hexadecimal. Skoll Expires April 23, 2012 [Page 11] Internet-Draft Reputation Reporting Protocol October 2011 02 -- Version 2 of the protocol 03 -- Length of user name is 3 bytes 64 66 73 -- "dfs" in UTF-8 2a 9a 82 d6 51 29 64 f7 -- 8 random bytes 4b d9 da eb -- 32-bit timestamp 01 00 0a -- Two IPv4 events (Fmt 1, Len 10) c0 00 02 02 03 -- 192.0.2.2 sent auto-spam (event type 3) c0 00 02 03 01 -- 192.0.2.3 was greylisted (event type 1) 03 00 06 -- One Repeated-IPv4 event (Fmt 3, Len 6) c0 00 02 04 08 03 -- 192.0.2.4 sent to invalid recip 3 times. 02 00 11 -- One IPv6 event (Fmt 2, Len 17 decimal) 20 01 0d b8 00 1d 00 e4 -- IPv6 address (first 8 bytes) 02 e0 18 ff fe ab 14 7f -- IPv6 address (last 8 bytes) 07 -- Event type 7 (Valid Recipient) 00 -- Subreport Format 0 (End of Reports) 0c 10 51 0f 5d -- 10-byte truncated SHA1 HMAC 7e a1 e0 aa 20 -- 10-byte truncated SHA1 HMAC cont'd 9. IANA Considerations This document defines a one-byte SUBREPORT FORMAT. Formats 0 through 8 and 127 are defined in Section 4.2 of this document. The IANA should set up the "IP Reputation Reporting Format Numbers" registry for registering formats 9 through 126. Formats 128 through 254 are available for private use without requiring IANA registration. Format 255 should not be used. This document defines a one-bye EVENT TYPE. Event types 1 through 9 are described in Section 5.1.1 of this document. Event type 0 is reserved. The IANA should set up the "IP Reputation Reporting Event Types" registry for registering event types 10 through 255. 10. Security Considerations Because reports are transmitted via UDP, aggregators are vulnerable to IP address spoofing. An aggregator MAY use techniques other than HMAC verification to reject reports. For example, if it knows that a particular user always sends reports from a restricted set of IP addresses, it MAY discard reports claiming to be from that user if they originate from outside the restricted set of addresses. The aggregator SHOULD log information about discarded reports. Reports are transmitted in the clear. An eavesdropper can easily sniff user names from the reports. The eavesdropper can also gain information about SMTP traffic as seen by sensors. If this is undesirable, the sensor SHOULD arrange to transmit data to the Skoll Expires April 23, 2012 [Page 12] Internet-Draft Reputation Reporting Protocol October 2011 aggregator over a secure channel using IPSec or some other VPN solution. The shared secret SHOULD be at least 8 bytes long and SHOULD be generated by a cryptographically-secure random number generator. The shared secret SHOULD NOT be chosen by a human being because of the risk of picking a weak secret or a secret guessable from the user name. An aggregator SHOULD use the time stamp and random-number fields to detect duplicate reports and fend off replay attacks. An aggregator SHOULD NOT accept a report whose timestamp is more than two minutes away from the current time. (For this reason, both aggregators and sensors SHOULD synchronize their clocks to a standard time source using NTP [RFC1305].) Aggregators implicitly trust sensors. Therefore, aggregator administrators SHOULD ensure that sensor administrators follow security best-practices. Both aggregator and sensor administrators MUST take the utmost care to keep their shared secret from leaking out. 11. Normative References [GREY] Harris, E., "The Next Step in the Spam Control War: Greylisting", August 2003. [PEN] IANA, "Private Enterprise Numbers", 2010. [PORTS] IANA, "Port Numbers", 2010. [RFC1305] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation", RFC 1305, March 1992. [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. Skoll Expires April 23, 2012 [Page 13] Internet-Draft Reputation Reporting Protocol October 2011 Author's Address David F. Skoll Roaring Penguin Software Inc. 17 Grenfell Crescent, Suite 209C Ottawa, ON K2G 0G3 CA Phone: +1 613 231-6599 Email: dfs@roaringpenguin.com Skoll Expires April 23, 2012 [Page 14]