[Syslog] Legitimate \n or byte-counting

Chris Lonvick <clonvick@cisco.com> Fri, 18 August 2006 14:35 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GE5Rk-0007kU-O4; Fri, 18 Aug 2006 10:35:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GE5Rj-0007kO-Mj for syslog@ietf.org; Fri, 18 Aug 2006 10:35:39 -0400
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GE5Rg-0002gL-DX for syslog@ietf.org; Fri, 18 Aug 2006 10:35:39 -0400
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 18 Aug 2006 07:35:36 -0700
X-IronPort-AV: i="4.08,145,1154934000"; d="scan'208"; a="440992656:sNHT27460638"
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k7IEZZnk005723 for <syslog@ietf.org>; Fri, 18 Aug 2006 07:35:35 -0700
Received: from sjc-cde-003.cisco.com (sjc-cde-003.cisco.com [171.71.162.27]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id k7IEZZYq011347 for <syslog@ietf.org>; Fri, 18 Aug 2006 07:35:35 -0700 (PDT)
Date: Fri, 18 Aug 2006 07:35:35 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.0608180727510.12295@sjc-cde-003.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
DKIM-Signature: a=rsa-sha1; q=dns; l=345; t=1155911735; x=1156775735; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=clonvick@cisco.com; z=From:Chris=20Lonvick=20<clonvick@cisco.com> |Subject:Legitimate=20\n=20or=20byte-counting; X=v=3Dcisco.com=3B=20h=3DPdAHXIz5kgQBSRbH2IAGA4jV/uA=3D; b=uTnZMV434wZClUZFqNvZ2U4EYWfZZ7juOfEXw5ghRKIbY+tj7AQgdgalYKQ8klbuTODWK73Q 7rH+j/p9JMrGpUQGNiOCKLFhe0VqjvMwzt1VO9KwJsS+rgbQMJCl1uLy;
Authentication-Results: sj-dkim-3.cisco.com; header.From=clonvick@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1ac7cc0a4cd376402b85bc1961a86ac2
Cc:
Subject: [Syslog] Legitimate \n or byte-counting
X-BeenThere: syslog@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@lists.ietf.org>
List-Help: <mailto:syslog-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=subscribe>
Errors-To: syslog-bounces@lists.ietf.org

Hi,

If we use LF-escaping in syslog messages, what's going to happen if a 
legitimate "\n" is sent by a sender?  An example would be:

    <PRI>... BOM The offending characters are \n

Will a receiver convert that into LF?  If that's the case then we should 
not be using LF-escaping.

We need this answered today.

Thanks,
Chris

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog