[Syslog] Issue 10 - Jari Arrko DISCUSS
Chris Lonvick <clonvick@cisco.com> Mon, 07 June 2010 17:23 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B6A528C103 for <syslog@core3.amsl.com>; Mon, 7 Jun 2010 10:23:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.769
X-Spam-Level:
X-Spam-Status: No, score=-8.769 tagged_above=-999 required=5 tests=[AWL=-0.770, BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLC+ubz4IGuN for <syslog@core3.amsl.com>; Mon, 7 Jun 2010 10:23:26 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 8955228C752 for <syslog@ietf.org>; Mon, 7 Jun 2010 09:02:20 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhcFAP6qDEyrR7Ht/2dsb2JhbACSLQGMGXGkYZoChRcEg0o
X-IronPort-AV: E=Sophos;i="4.53,378,1272844800"; d="scan'208";a="140533622"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-4.cisco.com with ESMTP; 07 Jun 2010 15:20:45 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o57FKj0S010908 for <syslog@ietf.org>; Mon, 7 Jun 2010 15:20:45 GMT
Date: Mon, 07 Jun 2010 08:20:45 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.1006070803110.27400@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: [Syslog] Issue 10 - Jari Arrko DISCUSS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 17:23:27 -0000
Issue 10 - Jari Arrko DISCUSS
Discuss:
This is an excellent document and I was ready to post a Yes vote
on the ballot. However, there is one detail. The document says:
When mapping onto different
transports, DTLS has different record size limitations. The
application implementer SHOULD determine the maximum record size
allowed by DTLS protocol running over the transport in use. The
message size SHOULD NOT exceed the DTLS maximum record size
limitation of 2^14 bytes. To be consistent with RFC 5425, in
establishing a baseline for interoperability, this specification
requires that a transport receiver MUST be able to process messages
with a length up to and including 2048 octets. Transport receivers
SHOULD be able to process messages with lengths up to and including
8192 octets.
This guidance seems quite weak in terms of avoiding excessive
fragmentation. Or am I misunderstanding how DTLS records map to
UDP packets? I am assuming its a 1-1 mapping, but maybe I'm
mistaken.
In any case, the document should say something about tuning applications
and configurations to avoid excessively long packets due to
inefficiencies and other problems that fragmentation may cause.
^^^^
Sean proposes:
vvv
As this I-D is about two transports and they do somethings
differently, I suggest we point to both sets of considerations.
How about a multi-pronged approach:
#1) Specifically mention UDP/DCCP message size/length text in 5.1.
WRT DCCP and tuning, RFC 4340 (DCCP) says "A DCCP application
interface SHOULD let the application discover DCCP's current" maximum
packet size. So I'm not sure we should go stronger (i.e., make it a
MUST). In the text below, RFC 5426 is syslog over UDP:
OLD:
When mapping onto different
transports, DTLS has different record size limitations. The
application implementer SHOULD determine the maximum record size
allowed by DTLS protocol running over the transport in use. The
message size SHOULD NOT exceed the DTLS maximum record size
limitation of 214 bytes. ...
NEW
When mapping onto different transports, DTLS has different record
size limitations. For UDP, see section 3.2 of [RFC5426]. For
DCCP, the application implementer SHOULD determine the maximum
record size allowed by DTLS protocol running over DCCP, as
specified in [RFC4340]. The message size SHOULD NOT exceed the
DTLS maximum record size limitation of 214 bytes. ...
#2) Add new text in Section 5.1 that points to the syslog message
fragmentation implementation guidance:
See section A.2 of [RFC5424] for implementation guidance on message
length, including fragmentation.
^^^
Sean's proposed resolution:
Jari's points about message size/length/fragmentation in Section
5.4.1:
OLD:
DTLS can run over multiple transports. Implementations of this
specification MUST support DTLS over UDP and SHOULD support DTLS
over DCCP [RFC5238]. Transports, such as UDP or DCCP do not
provide session multiplexing and session-demultiplexing. In such
cases, the application implementer provides this functionality by
mapping a unique combination of the remote address, remote port
number, local address and local port number to a session.
NEW:
When mapping onto different transports, DTLS has different record
size limitations. For UDP, see section 3.2 of [RFC5426]. For
DCCP, the application implementer SHOULD determine the maximum
record size allowed by DTLS protocol running over DCCP, as
specified in [RFC4340]. Regardless of the transport, the message
size SHOULD NOT exceed the DTLS maximum record size limitation of
214 bytes. To be consistent with RFC 5425, in establishing a
baseline for interoperability, this specification requires that a
transport receiver MUST be able to process messages with a length
up to and including 2048 octets. Transport receivers SHOULD be able
to process messages with lengths up to and including 8192 octets.
See section A.2 of [RFC5424] for implementation guidance on message
length, including fragmentation.
ACTION: Authors to review and discuss on list before committing to a
plan.
- [Syslog] Issue 10 - Jari Arrko DISCUSS Chris Lonvick