Draft specification for future X-Trace header
Olaf Titz
olaf at bigred.inka.de
Tue Jul 4 17:30:50 UTC 2000
This is an attempt at a formal specification for a better X-Trace
header (and a draft for an implementation in INN which I'm going to
do when I have too much time on my hands :-). Any comments welcome.
1. Purpose
Any news system which an article crosses MAY insert an X-Trace header.
However, this SHOULD NOT be done in the normal forwarding of articles,
but only at injection points and gateways (of any kind).
Recommendation: insert this header when an article is received via the
NNTP POST command or a local program.
The X-Trace header serves the purposes of
- identifying injection points and gateways,
- giving the administrator at each injection point enough information
to determine the precise circumstances how the article entered the
system,
- giving every news system enough information to detect potential
trouble from malfunctioning software or misbehaving users.
When this header becomes standardized by RFC it should be renamed to "Trace".
2. Syntax
header = "X-Trace:" LWSP systemid *(LWSP item)
systemid = domain-name
item = ctoken | ntoken | comment
ctoken = ":" data
ntoken = data
data = (any data in base64 encoding)
comment = "(" *pchar ")"
pchar = (any printable character except "(" and ")")
LWSP = linear-white-space
with the following meanings:
systemid = the hostname of the generating system. This MUST be the
same name the system puts in the Path header.
ctoken = Data item which is suitable to compare against the ctoken
parts of other X-Trace headers generated by the same
system to detect multiple postings.
ntoken = any other data, usually only relevant to the local admin.
comment = readable comment.
The total length of the X-Trace header including header name and
terminating newline SHOULD NOT exceed 255 octets.
Example:
X-Trace: g212.hadiko.de :7F0quBAr148= riniJg54iM4= (complaints to usenet at bigred.inka.de)
systemid ctoken ntoken comment
3. Generating the headers
3.1. Postings by local users
For local postings, the injection point SHOULD generate a /ctoken/
which is the same for all postings of one user over a certain period
of time (recommendation: about one day) and always different for
postings by different users. To prevent privacy problems, this token
SHOULD be encrypted or hashed.
For a single-user client system, this can be achieved by combining the
posting IP address and the upper 16 bits of the Unix system time into
an 8-byte block and encrypting this block using a block cipher with a
secret key. When authenticated user info is available, use this user
ID in place of the IP address. In case of a HTTP-based injection
point, use the HTTP client IP address. See the appendix for detailed
packing format.
Additional /ntoken/ parts SHOULD be generated if necessary in a way
that it is possible for the local admin, and for the local admin only,
to find out the identity of the poster. This may include the precise
system time, process IDs or other info. This info SHOULD be encrypted
if its knowledge is otherwise useful to outside parties.
3.2. Mailinglist to news gateways
The first /ctoken/ SHOULD always be the base64 encoding of the original
mail's Message-ID. If no such header is present, the news Message-ID
generated by the gateway should be used. All gateways SHOULD use this
information to prevent loops.
This recommendation also holds for other gateways, e.g. BBS to news.
If the originating system provides authenticated user information this
should be used to construct an additional /ctoken/ as of section 3.1.
3.3. Posting robots
Bulk postings by legitimate robots (e.g. weather reports, NoCeM
notices) SHOULD generate no /ctoken/ at all, to exempt these posters
from rate-limiting done by comparing /ctoken/ values. Additional
information MAY be encoded into /ntoken/ items.
4. Processing and analyzing the headers
4.1. Handling of incoming articles
Any X-Trace header present in an article coming in, whether by POST or
regular feed, MUST NOT be changed or deleted. One additional X-Trace
header MAY be added. An article SHOULD NOT be rejected just because of
the presence of an X-Trace header. (Note this is changed from current
practice.)
4.2. Analyzing
The X-Trace header can be analyzed by any system where the article
arrived, giving information such as:
- Any X-Trace header present indicates and identifies an original
injection point, gateway or POST feed.
- If an X-Trace header is present with the same /systemid/ as the local
system, a message loop has occurred. (The only cause can be that
some kind of gateway or POST feed was crossed which changes or
deletes the Path or Message-ID headers. The present X-Trace headers
then give a hint on where that failure occurred.)
- The presence of identical /ctoken/ fields in corresponding X-Trace
headers of different articles in short succession indicate multiple
postings by the same user or POST feed. Each /ctoken/ field should
be compared by itself for that purpose.
This information can be used for rate-limiting. However, if more
than one X-Trace header is present, a rejection caused by comparing
only one of them SHOULD NOT be noted in the article history (because
it may have come from a legitimate POST feed).
- The /ntoken/ fields are not relevant except to the generating system.
4.3. Reporting
When reporting trouble (such as malfunctioning systems or misbehaving
users), the reports always should include the complete set of headers.
Each system administrator should be able to get all relevant
information out of his own X-Trace header. Systems generating X-Trace
headers MAY insert a relevant reporting address into a comment item,
this is especially encouraged when the address differs from the system
name.
5. Other headers
The header presented here includes the information present in the
existing INN-type X-Trace header, the NNTP-Posting-Host and (possibly)
NNTP-Posting-Date headers, the X-Complaint-To header (as comment) and
the "<address>.POSTED" Path entries. Generation of these items may
therefore be omitted.
The additional loop-prevention properties MUST NOT be taken as an
excuse to violate the strict prohibition of changing or deleting any
existing Message-ID or Date header or manipulating the existing part
of the Path header.
Appendix: Recommendation for generating /ctoken/ from client info
The client info is encoded into an 64 bit or 128 bit block as given
below and encrypted using a 64 bit block cipher. Use the first
available method from this list.
If the client gives an authenticated user ID:
bits 0..15: Upper 16 bits of Unix system time. (I.e. this changes
approximately every 18 hours.)
bit 16..19: 0001 (indicative of user ID and reserved bits).
bits 20..63: User ID of client. If the user ID is non-numeric, an
injective function should be used if possible to map
it to a number.
If the client is only identified by an IPv4 address:
bits 0..15: Upper 16 bits of Unix system time.
bits 16..19: 0010 (indicative of IP address and reserved bits).
bits 20..31: Unused.
bits 32..63: IPv4 address of client. (Use the HTTP client in case of
HTTP based gateways!)
If the client is only identified by an IPv6 address:
Find the rightmost 16-bit word consisting of all zeros in the
address and replace that with the upper 16 bit of the Unix system
time. If the address contains no all-zeros word use the leftmost
word instead. Use the widest-scope address available.
Rationale for this method: this yields a 128-bit block which is good
for block encryption.
$Id: xtrace-protocol,v 1.1 2000/07/04 17:29:23 olaf Exp $
More information about the inn-workers
mailing list