Re: [netmod] I-D Action: draft-ietf-netmod-syslog-model-19.txt

Benoit Claise <bclaise@cisco.com> Tue, 16 January 2018 17:23 UTC

To: Kent Watsen <kwatsen@juniper.net>, "netmod@ietf.org" <netmod@ietf.org>
References: <151579789446.21777.985631371557420470@ietfa.amsl.com> <B21EB766-3A67-4642-9791-16586449E885@juniper.net>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <c6151263-7f62-b8c3-98d5-02ffc2040b94@cisco.com>
Date: Tue, 16 Jan 2018 18:23:47 +0100
In-Reply-To: <B21EB766-3A67-4642-9791-16586449E885@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/NhvMNMw0NavZAhP9Td_0j0XSZtA>

Hi,
>
>    ** Downref: Normative reference to an Historic RFC: RFC 6587
>
> Kent: hmmm, what's going on here?  This YANG module is providing an ability to configure the "tcp" transport, even though the IESG made that ability historic in 2012 (see IESG Note below).  Searching online, it looks like Cisco supports this, but Juniper does not.  What about other vendors, is it widely supported?  Was this discussed in the WG?  Answering my own question, searching my local mailbox, I don't see this ever being discussed before, other than Martin questioning if it was a good idea in Mar 2016 (no response).  Please start a thread on the list to get WG opinion if it's okay for the draft to proceed as is or not.  Here's the IESG Note from RFC 6587:
>
>     IESG Note
>
>     The IESG does not recommend implementing or deploying syslog over
>     plain tcp, which is described in this document, because it lacks the
>     ability to enable strong security [RFC3365].
>
>     Implementation of the TLS transport [RFC5425] is recommended so that
>     appropriate security features are available to operators who want to
>     deploy secure syslog.  Similarly, those security features can be
>     turned off for those who do not want them.
>
Well, I believe it's clear plain TCP should not be in the YANG module.

Regards, Benoit
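The thread above turns on the difference between syslog over plain TCP (RFC 6587, now historic) and syslog over TLS (RFC 5425). The following Python is an added illustration written for this page, not code from the syslog YANG draft, from Cisco or Juniper, or from anyone on the thread. It shows the octet-counting framing that both transports share (so the framing itself is not what separates them), a client TLS context built with the RFC 5425 posture of always authenticating the collector, and a small audit over a constructed, hypothetical list of remote destinations that flags the plain-TCP case the IESG note warns about. The destination dicts and the `/etc/syslog/ca.pem` path are assumptions, not the draft's data tree.

```python
"""Added example for the syslog transport discussion (not from the draft).

Assumed shapes: each remote destination is a dict with 'name', 'transport'
('tcp' or 'tls') and, for tls, an optional 'ca_file'.  This is a
hypothetical layout, not the YANG tree of draft-ietf-netmod-syslog-model.
"""
import ssl

# Framing used by RFC 5425 (TLS) and by the octet-counting option of
# RFC 6587 (plain TCP):  SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG
# where MSG-LEN is the decimal octet length of SYSLOG-MSG.


def frame_octet_counting(syslog_msg: bytes) -> bytes:
    """Prefix one syslog message with its octet count and a space."""
    return b"%d %s" % (len(syslog_msg), syslog_msg)


def parse_octet_counting(stream: bytes) -> list:
    """Split a byte stream of octet-counted frames back into messages.

    Raises ValueError on a missing length, non-numeric length or truncated
    frame, so a receiver never silently accepts a partial message.
    """
    msgs = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            raise ValueError("missing MSG-LEN separator")
        length = int(stream[pos:sp])  # ValueError if MSG-LEN is not digits
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            raise ValueError("truncated frame")
        msgs.append(stream[start:end])
        pos = end
    return msgs


def build_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Client-side context with the RFC 5425 posture: the collector's
    certificate is always verified against a trust anchor, the hostname is
    checked, and TLS 1.2 is the floor.  A client certificate is optional and
    gives the mutual authentication RFC 5425 also supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_is_strict(ctx) -> bool:
    """True when the context still requires and checks the peer certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit_destinations(destinations: list) -> list:
    """Return (name, reason) pairs for destinations that cannot provide the
    strong security RFC 3365 asks for: plain TCP, or TLS with no trust
    anchor configured (so the collector cannot actually be authenticated)."""
    findings = []
    for d in destinations:
        transport = d.get("transport")
        if transport == "tcp":
            findings.append((d["name"],
                             "plain TCP (RFC 6587, historic): no confidentiality "
                             "or authentication; use the tls transport"))
        elif transport == "tls" and not d.get("ca_file"):
            findings.append((d["name"],
                             "tls without a trust anchor: collector identity "
                             "cannot be verified"))
    return findings


# Constructed sample configuration (hypothetical names and path).
SAMPLE_DESTINATIONS = [
    {"name": "collector-a", "transport": "tls", "ca_file": "/etc/syslog/ca.pem"},
    {"name": "collector-b", "transport": "tcp"},
    {"name": "collector-c", "transport": "tls"},
]

if __name__ == "__main__":
    for name, reason in audit_destinations(SAMPLE_DESTINATIONS):
        print(f"{name}: {reason}")
```

Running the module prints findings for `collector-b` (plain TCP) and `collector-c` (TLS with no configured CA); `collector-a` passes. The parser's refusal of truncated frames matters on both transports, but only the TLS context gives the sender any assurance about who is on the other end of the connection.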