[Mimedefang] IP Reputation data collection (announcement, Internet draft)

David F. Skoll dfs at roaringpenguin.com
Fri Apr 30 16:09:29 EDT 2010


Kevin A. McGrail wrote:

> In synopsis, I'd recommend you go with the broader, more flexible RFC.

OK.  I think we should handle it by having different record types for
different events (we should follow up on the reputation list).

Currently, the report is basically:

<preamble>
<ip4 reports>
<ip6 reports>
<hmac>

Instead, we should have:
<preamble>
<reports>
<reports>
...
<reports>
<hmac>

And each <reports> section will have a four-byte header:

o First byte: Number of events
o Second byte: Event format.
o Third and fourth byte: Total length (including header) of the report data.

So the format byte could be "4" for IPv4 reports and "6" for IPv6
reports.  It could be something else for other types of reports
(sender reports, software version, etc.)

The third and fourth byte would allow aggregators to skip reports they don't
understand... they'd just move on to the next set of reports.

> Plus playing devil's advocate, the RFC says specifically the IP
> reputation is NOT the only goal:

Well, it's wrong.  It should be reworded more clearly to state that. :)

[...]

> So knowing that, my underlying question is: What is the reason that a
> sensor should only send 492 bytes?

To keep the maximum UDP packet size to around 512 bytes.  We'd like to
make the transmission as reliable as possible.

Regards,

David.
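
The skip-by-length behaviour proposed in the message above, sketched from an aggregator's side as an added example (not part of the original post and not MIMEDefang code). Assumptions: the two-byte length is in network byte order, the format byte holds the numeric values 4 and 6, event payloads are treated as opaque, and the preamble and HMAC have already been stripped; walk_reports, build_section and MalformedReport are hypothetical names.

```python
import struct

# count (1 byte), format (1 byte), total length incl. header (2 bytes).
# Network byte order is an assumption; the message does not specify it.
HEADER = struct.Struct("!BBH")
KNOWN_FORMATS = {4: "ipv4", 6: "ipv6"}  # assumed numeric format values


class MalformedReport(ValueError):
    """Raised when a section header cannot be trusted."""


def walk_reports(region: bytes):
    """Walk the <reports> sections between preamble and HMAC.

    Returns (known, skipped): known sections as (name, count, payload),
    unknown ones as (format, total_length) that were stepped over.
    """
    known, skipped = [], []
    offset = 0
    while offset < len(region):
        if len(region) - offset < HEADER.size:
            raise MalformedReport("truncated header at offset %d" % offset)
        count, fmt, total = HEADER.unpack_from(region, offset)
        # A length below 4 would never advance the cursor (endless loop);
        # a length past the buffer would read into the HMAC or beyond.
        if total < HEADER.size:
            raise MalformedReport("length %d smaller than header" % total)
        if offset + total > len(region):
            raise MalformedReport("length %d overruns packet" % total)
        payload = region[offset + HEADER.size:offset + total]
        if fmt in KNOWN_FORMATS:
            known.append((KNOWN_FORMATS[fmt], count, payload))
        else:
            skipped.append((fmt, total))  # unknown type: skip, keep going
        offset += total
    return known, skipped


def build_section(count: int, fmt: int, payload: bytes) -> bytes:
    """Build one section; used only to construct sample input."""
    return HEADER.pack(count, fmt, HEADER.size + len(payload)) + payload


# Constructed sample: an IPv4 section, an unknown type 99, an IPv6 section.
SAMPLE = (build_section(2, 4, bytes(10))
          + build_section(1, 99, b"future-type")
          + build_section(1, 6, bytes(17)))
```

Because the HMAC covers the packet, an aggregator would verify it before walking the sections; the length checks still matter for packets from a sensor that is authenticated but buggy.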


