Re: [Syslog] New syslog/tcp draft available

Chris Lonvick <clonvick@cisco.com> Tue, 01 February 2011 02:45 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D64B3A6CBD for <syslog@core3.amsl.com>; Mon, 31 Jan 2011 18:45:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.199
X-Spam-Level:
X-Spam-Status: No, score=-110.199 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KbNXZ0LHhkNu for <syslog@core3.amsl.com>; Mon, 31 Jan 2011 18:45:30 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 0A3473A68F1 for <syslog@ietf.org>; Mon, 31 Jan 2011 18:45:30 -0800 (PST)
Authentication-Results: sj-iport-3.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAGsDR02rRN+K/2dsb2JhbACkfHOgYJs7hU4EhRM
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-3.cisco.com with ESMTP; 01 Feb 2011 02:48:45 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id p112mjjH023151; Tue, 1 Feb 2011 02:48:45 GMT
Date: Mon, 31 Jan 2011 18:48:45 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: Sean Turner <turners@ieca.com>
In-Reply-To: <4D459BF9.9050407@ieca.com>
Message-ID: <Pine.GSO.4.63.1101311831130.12626@sjc-cde-011.cisco.com>
References: <Pine.GSO.4.63.1101300851310.23155@sjc-cde-011.cisco.com> <4D459BF9.9050407@ieca.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: syslog@ietf.org
Subject: Re: [Syslog] New syslog/tcp draft available
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 02:45:31 -0000

Hi Sean,

I've seen that but I don't want this document to sit idle for the next 
couple of years while that matures and becomes a normative and 
stable reference via becoming an RFC.

I'm really thinking that putting in definitive references for transport 
layer vulnerabilities is going a bit beyond what is expected of an 
INFORMATIONAL document.  That being said, I think it's a good idea and am 
willing to pursue it within reason.

Gont's document does reference a paper by Steve Bellovin:
    Bellovin, S. M. 1989.  Security Problems in the TCP/IP Protocol
    Suite.  Computer Communication Review, Vol. 19, No. 2, pp. 32-48.
That may be found here:
   http://portal.acm.org/citation.cfm?id=378449

What would you think about referencing that document as an INFORMATIVE 
reference in the third subsection of the Security Considerations section?

Thanks,
Chris

On Sun, 30 Jan 2011, Sean Turner wrote:

> Chris,
>
> Not sure if this is what you're looking for, but have you checked out:
> http://datatracker.ietf.org/doc/draft-ietf-tcpm-tcp-security/
>
> spt
>
>
> On 1/30/11 12:01 PM, Chris Lonvick wrote:
>>  Hi Folks,
>>
>>  We've finally gotten around to revising draft-gerhards-syslog-plain-tcp.
>> : -)
>>
>>  This addresses the issues that Tom raised about
>>  - the intro specifically stating what to expect in the body of the text
>>  - a note on the transport security.
>>
>>  For the first, we just sort'a straightened things out with a few edits.
>>  For the latter, I looked in many places for a list of TCP
>>  vulnerabilities but couldn't find anything substantial. The US-CERT had
>>  a few implementation things and there were a scattering of other things.
>>  In the end, I just added a subsection to warn impelemters to look
>>  closely before writing code. If anyone has any other suggestions, please
>>  let us know.
>>
>>  Thanks,
>>  Chris
>>  _______________________________________________
>>  Syslog mailing list
>>  Syslog@ietf.org
>>  https://www.ietf.org/mailman/listinfo/syslog
>> 
>