Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)

Gerhard Muenz <muenz@net.in.tum.de> Tue, 04 August 2009 16:22 UTC

Message-ID: <4A786066.2080505@net.in.tum.de>
Date: Tue, 04 Aug 2009 18:23:02 +0200
From: Gerhard Muenz <muenz@net.in.tum.de>
To: fenghongyan <hongyanfeng@huaweisymantec.com>
References: <mailman.152.1248807621.17772.syslog@ietf.org> <fc16b80131ef.4a75658d@huaweisymantec.com> <4A75F11B.4050201@net.in.tum.de> <fbc4f6346109.4a78c7e4@huaweisymantec.com>
In-Reply-To: <fbc4f6346109.4a78c7e4@huaweisymantec.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Issues for dtls-udp Re: Missing dead peer detection in DTLS (Gerhard Muenz)

Hi,

>> > Is there anything syslog-dtls needs to do to support it? What's your
>> > consideration?
>>
>> Not sure. We have not tried the corresponding OpenSSL patch yet. Maybe
>> the application (e.g. syslog) has to trigger the Heartbeat.
>>
> Yeah, I see that the source code does not yet support triggering it from the application.
> What I considered are the issues for dtls-udp. I don't know much about ipfix;
> are there cases where more than one exporter needs to export data to one collector?

Yes, there may be multiple Exporters sending to one Collector.

The definition of IPFIX Transport Sessions allows the different sessions
to be distinguished. In the case of UDP, the Transport Session is defined
by the IP 5-tuple plus the Observation Domain ID, which is a field in
the IPFIX message header.

In the case of DTLS/UDP, the Collector needs to maintain the DTLS state
for each Exporter.

A good question is when to remove the DTLS state, because there is no
connection termination. We remove it after a certain time without
receiving any packets from the Exporter. However, we cannot be sure
whether the Exporter has also deleted its DTLS state :(
This is another situation where the DTLS Heartbeat extension is useful.

> There may be many syslog senders sending logs to one receiver, which brings up an issue for dtls-udp.
> I wrote it up in my proposal, in 5.3, as session demultiplexing.
>
> I think if the ipfix collector needs to support multiple exporters, ipfix also needs to support session demultiplexing,
> but I didn't see that in your proposal; what's your consideration?

Are you talking about draft-mentz-ipfix-dtls-recommendations-00?
Note that this draft does not play the same role as
draft-feng-syslog-transport-dtls-01, because IPFIX over DTLS/UDP is
already standardized in RFC 5101.
draft-mentz-ipfix-dtls-recommendations-00 only covers DTLS-specific
implementation problems and might be considered an update of RFC 5153
(IPFIX Implementation Guidelines).

Gerhard
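The session demultiplexing and idle-expiry behaviour described above (Transport Session = IP 5-tuple plus Observation Domain ID from the IPFIX message header; per-Exporter state at the Collector; state dropped after a quiet period, with the caveat that the Exporter may still hold its own state) can be sketched in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the thread, from any IPFIX implementation, or from the drafts mentioned. The class and function names (`UdpSessionTable`, `parse_ipfix_header`, `build_ipfix_message`), the idle timeout value, and the addresses in the demo datagrams are all constructed for the example. The 16-byte header layout (version, length, export time, sequence number, Observation Domain ID) follows RFC 5101; UDP port 4739 is the registered IPFIX port. Only the session bookkeeping is modelled here; the DTLS record layer itself is represented by a placeholder state object.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPFIX_VERSION = 10       # version number carried in every IPFIX message (RFC 5101)
IPFIX_HEADER_LEN = 16    # size of the IPFIX message header in bytes
IPFIX_PORT = 4739        # registered IPFIX port, used for the constructed Collector address


@dataclass
class IpfixHeader:
    version: int
    length: int
    export_time: int
    sequence_number: int
    observation_domain_id: int


def parse_ipfix_header(payload: bytes) -> IpfixHeader:
    """Parse the IPFIX message header; reject truncated or inconsistent input."""
    if len(payload) < IPFIX_HEADER_LEN:
        raise ValueError("payload shorter than the IPFIX message header")
    version, length, export_time, seq, odid = struct.unpack("!HHIII", payload[:IPFIX_HEADER_LEN])
    if version != IPFIX_VERSION:
        raise ValueError(f"unexpected IPFIX version {version}")
    if length < IPFIX_HEADER_LEN or length > len(payload):
        raise ValueError("IPFIX length field inconsistent with datagram size")
    return IpfixHeader(version, length, export_time, seq, odid)


def build_ipfix_message(odid: int, seq: int, export_time: int) -> bytes:
    """Constructed header-only IPFIX message (no Sets), enough for demultiplexing."""
    return struct.pack("!HHIII", IPFIX_VERSION, IPFIX_HEADER_LEN, export_time, seq, odid)


@dataclass
class SessionState:
    # Placeholder for the per-Exporter DTLS state the Collector has to keep.
    last_seen: float
    messages: int = 0
    last_sequence: Optional[int] = None


SessionKey = Tuple[str, int, str, int, str, int]  # 5-tuple plus Observation Domain ID


class UdpSessionTable:
    """Collector-side table of IPFIX Transport Sessions over (DTLS/)UDP."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.sessions: Dict[SessionKey, SessionState] = {}

    def receive(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                payload: bytes, now: float) -> SessionKey:
        """Map one datagram to its Transport Session, creating state if needed."""
        hdr = parse_ipfix_header(payload)
        key: SessionKey = (src_ip, src_port, dst_ip, dst_port, "udp", hdr.observation_domain_id)
        state = self.sessions.get(key)
        if state is None:
            state = SessionState(last_seen=now)
            self.sessions[key] = state
        state.last_seen = now
        state.messages += 1
        state.last_sequence = hdr.sequence_number
        return key

    def expire(self, now: float) -> List[SessionKey]:
        """Drop sessions idle longer than the timeout. This is a local decision only:
        the Exporter may still hold its DTLS state, which a heartbeat would reveal."""
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for key in expired:
            del self.sessions[key]
        return expired


def demo() -> Tuple[int, int, int]:
    """Constructed traffic: Exporter A with two Observation Domains, Exporter B with one."""
    table = UdpSessionTable(idle_timeout=60.0)
    collector = ("192.0.2.10", IPFIX_PORT)
    table.receive("198.51.100.1", 40000, *collector, build_ipfix_message(odid=1, seq=0, export_time=1000), now=0.0)
    table.receive("198.51.100.1", 40000, *collector, build_ipfix_message(odid=2, seq=0, export_time=1000), now=1.0)
    table.receive("198.51.100.1", 40000, *collector, build_ipfix_message(odid=1, seq=5, export_time=1001), now=2.0)
    table.receive("198.51.100.2", 40000, *collector, build_ipfix_message(odid=1, seq=0, export_time=1000), now=50.0)
    active_before = len(table.sessions)          # three distinct Transport Sessions
    expired = table.expire(now=100.0)            # Exporter A's two sessions are idle > 60 s
    return active_before, len(expired), len(table.sessions)


if __name__ == "__main__":
    print(demo())
```

Note that two datagrams from the same source address and port land in different sessions when their Observation Domain IDs differ, which is exactly why the 5-tuple alone is not sufficient as a key; and that `expire` tells you nothing about whether the remote side has torn down its state, which is the gap the Heartbeat extension discussed in the thread is meant to close.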