Re: [Syslog] AD review discuss/comments for draft-ietf-syslog-dtls

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Sat, 22 May 2010 11:37 UTC

Date: Sat, 22 May 2010 13:36:50 +0200
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7103E14@GRFEXC.intern.adiscon.com>
Thread-Topic: [Syslog] AD review discuss/comments for draft-ietf-syslog-dtls
Thread-Index: Acr5Phi7isl7IR7cQ7ipMB7F6TMCNwAY845w
References: <20100511182040.16429@web6.nyc1.bluetie.com> <01c701caf904$d1662c40$4001a8c0@gateway.2wire.net>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "t.petch" <ietfc@btconnect.com>, jsalowey@cisco.com, Chris Lonvick <clonvick@cisco.com>
Cc: syslog <syslog@ietf.org>
Subject: Re: [Syslog] AD review discuss/comments for draft-ietf-syslog-dtls

Hi all,

sorry I was offline for a long time for a good, but not to be mentioned here,
reason. I will unfortunately be only partly available in the next few days. But
I would at least like to back Tom's argument. But first let me admit that I
could not follow the whole discussion, so I may have missed a point that
actually demands a MUST. Out of the context of Tom's posting, I don't think so.

In practice, there are some applications that require more than 16KB within a
single message, namely IHE and maybe some other applications that log
application data rather than system management data. In RFC5424, we thought
we had a good compromise by specifying a not-too-large size to be supported,
but did not set an upper limit. This was done in the spirit that transports
should not impose any limits except if absolutely necessary.

So if DTLS can work with 64K (and my understanding is it can), we should
permit it to use this max size. If that comes, for example, at the cost of
fragmentation and potential message loss, so be it for those applications
that need this functionality. After all, folks have been warned (RFC5424),
but we should not limit those in need AND ready to accept the extra risk.

Speaking as an implementer, I know for sure that if some large-enough
customer approaches us to support 64K messages, we will definitely do that,
if it is possible. I guess the same is true for other implementers. If the
customer needs it and wants to pay for it, one will implement it -- then as a
private extension of the standard. So looking at the real world, removing
that ability from the standard will not result in removing the capability.
The only thing that it will potentially remove is interoperability of
different implementations that do it anyway...

My 2cts, and once again my apologies for not being able to follow more
timely.

Rainer

> -----Original Message-----
> From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> Behalf Of t.petch
> Sent: Friday, May 21, 2010 6:38 PM
> To: jsalowey@cisco.com; Chris Lonvick
> Cc: syslog
> Subject: [Syslog] AD review discuss/comments for draft-ietf-syslog-dtls
> 
> I see that this I-D has entered 'Revised I-D needed', which I would like
> to progress.
> 
> I see several comments about maximum record size, including a
> suggestion that we should make the 'SHOULD NOT' a 'MUST NOT' exceed 2**14.
> 
> I am dead set against this change.  We had a clear requirement, early
> on, to allow 65k messages, and I think it wrong to MUST NOT that
> requirement.  The text in the other I-Ds is a compromise to strike a
> balance between this and having everything fit in 576 bytes; I think we
> have the balance right.
> 
> Tom Petch
> 
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
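The trade-off Rainer mentions above (permitting 64K messages "at the cost of fragmentation and potential message loss") can be put in numbers. The following is an added illustration, not code from the thread or from any syslog implementation. It assumes that a syslog message larger than the 2**14-byte DTLS record plaintext limit discussed in the thread is split by the sender into one DTLS record per datagram, that DTLS/UDP does no retransmission of lost application records, and that datagram losses are independent; the loss rates used are constructed sample values, not measurements.

```python
"""Illustrative model (added example, not from the thread): how many DTLS
records a syslog message of a given size needs, how it would be fragmented,
and how that affects the chance the whole message arrives.

Assumptions (not stated by the thread, labelled here as such):
  * one DTLS record per UDP datagram, each carrying at most 2**14 bytes
    of plaintext (the TLS/DTLS record limit the thread debates);
  * no application-layer retransmission: losing any one datagram loses
    the whole message;
  * independent datagram loss with a constant rate.
"""
import math

DTLS_MAX_PLAINTEXT = 2 ** 14        # 16384 bytes of plaintext per record
SYSLOG_64K = 64 * 1024              # the "64K" message size the thread wants to permit


def records_needed(message_len: int, max_plaintext: int = DTLS_MAX_PLAINTEXT) -> int:
    """Number of DTLS records (datagrams) needed to carry one message."""
    if message_len <= 0:
        raise ValueError("message length must be positive")
    return -(-message_len // max_plaintext)  # ceiling division


def fragment(message: bytes, max_plaintext: int = DTLS_MAX_PLAINTEXT) -> list[bytes]:
    """Split a message into record-sized chunks; the receiver needs all of them."""
    return [message[i:i + max_plaintext] for i in range(0, len(message), max_plaintext)]


def delivery_probability(message_len: int, datagram_loss_rate: float,
                         max_plaintext: int = DTLS_MAX_PLAINTEXT) -> float:
    """Probability that every record of the message arrives (no retransmission)."""
    if not 0.0 <= datagram_loss_rate <= 1.0:
        raise ValueError("loss rate must be between 0 and 1")
    n = records_needed(message_len, max_plaintext)
    return (1.0 - datagram_loss_rate) ** n


def fits_in_one_record(message_len: int, max_plaintext: int = DTLS_MAX_PLAINTEXT) -> bool:
    """True if the message respects a strict 'MUST NOT exceed 2**14' rule."""
    return 0 < message_len <= max_plaintext


if __name__ == "__main__":
    # Constructed sample: loss rates and message sizes chosen for illustration.
    for loss in (0.001, 0.01, 0.05):
        for size in (2048, DTLS_MAX_PLAINTEXT, SYSLOG_64K):
            print(f"loss={loss:.3f} size={size:6d} records={records_needed(size)} "
                  f"P(delivered)={delivery_probability(size, loss):.4f} "
                  f"single_record={fits_in_one_record(size)}")
    # A 40000-byte message becomes three records; the last one is partial.
    chunks = fragment(b"x" * 40000)
    print([len(c) for c in chunks])
```

The point the numbers make is the one Tom and Rainer are trading off: a message that fits in a single record is lost only with the datagram loss rate itself, whereas a 64K message, needing four records, is lost roughly four times as often at low loss rates (1 - 0.99**4 is about 3.9% at 1% loss). An implementation that accepts messages over 2**14 bytes is therefore accepting that extra risk on behalf of the application, which is exactly the "ready to accept the extra risk" caveat in Rainer's message.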