RE: [Syslog] stream transportwasdraft-ietf-syslog-transport-tls-01.txt

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Fri, 16 June 2006 15:36 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FrGMq-0005Xm-Pp; Fri, 16 Jun 2006 11:36:16 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FrGMo-0005Xc-Tr for syslog@ietf.org; Fri, 16 Jun 2006 11:36:14 -0400
Received: from hetzner.adiscon.com ([85.10.201.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FrGMo-0007G9-9H for syslog@ietf.org; Fri, 16 Jun 2006 11:36:14 -0400
Received: from localhost (localhost [127.0.0.1]) by hetzner.adiscon.com (Postfix) with ESMTP id 38A3E27C065; Fri, 16 Jun 2006 17:33:05 +0200 (CEST)
Received: from hetzner.adiscon.com ([127.0.0.1]) by localhost (hetzner [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25812-10; Fri, 16 Jun 2006 17:33:05 +0200 (CEST)
Received: from fmint2.intern.adiscon.com (pd95b68d5.dip0.t-ipconnect.de [217.91.104.213]) by hetzner.adiscon.com (Postfix) with ESMTP id C8EF027C061; Fri, 16 Jun 2006 17:33:04 +0200 (CEST)
Received: from grfint2.intern.adiscon.com ([172.19.0.6]) by fmint2.intern.adiscon.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 16 Jun 2006 17:36:12 +0200
Subject: RE: [Syslog] stream transportwasdraft-ietf-syslog-transport-tls-01.txt
Date: Fri, 16 Jun 2006 17:36:08 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA174935@grfint2.intern.adiscon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
In-Reply-To: <98AE08B66FAD1742BED6CB9522B7312201909803@xmb-rtp-20d.amer.cisco.com>
Content-Transfer-Encoding: quoted-printable
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-class: urn:content-classes:message
Thread-Topic: [Syslog] stream transportwasdraft-ietf-syslog-transport-tls-01.txt
X-MimeOLE: Produced By Microsoft Exchange V6.5
Thread-Index: AcaRJsZmy9+SKaZhT9+KabUVEKsEewAMMLNwAABpaJA=
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Anton Okmianski (aokmians)" <aokmians@cisco.com>, "Tom Petch" <nwnetworks@dial.pipex.com>, <syslog@ietf.org>
X-OriginalArrivalTime: 16 Jun 2006 15:36:12.0914 (UTC) FILETIME=[99263520:01C6915A]
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at adiscon.com
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 93df555cbdbcdae9621e5b95d44b301e
Cc:
X-BeenThere: syslog@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@lists.ietf.org>
List-Help: <mailto:syslog-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=subscribe>
Errors-To: syslog-bounces@lists.ietf.org

Anton, 

> -----Original Message-----
> From: Anton Okmianski (aokmians) [mailto:aokmians@cisco.com] 
> Sent: Friday, June 16, 2006 5:25 PM
> To: Tom Petch; syslog@ietf.org
> Subject: RE: [Syslog] stream 
> transportwasdraft-ietf-syslog-transport-tls-01.txt
> 
> I was just talking to Rainer about similar concern.  

You were, but I misunderstood it. I was so focussed on the (objected)
plain tcp transport, that I did not realize that you were actually
talking of a layer between -protocol and -transport-whatever-secure.

> I think first of all we need a basic mapping to TCP or more 
> generally define syslog payload (framing) format for 
> connection-oriented protocols.  This should cover sending 
> multiple messages over the same connection, obviously. The 
> same payload structure can be used over various TCP protocols 
> (TLScTCP, SSHoTCP, etc) or even over straight TCP with IPSec. 
> 
> Connection establishment and tear-down issues should be left 
> to the actual transport.  

I think it shouldn't. I actually think we need an app-layer ACK,
otherwise we might loose messages without knowing it. This is from the
SELP spec I posted earlier:

=======
  As such, SELP is only reliable as far as the TCP stream is not
   broken. If the TCP stream breaks, the sender does not exactly know
   which data has actually been transmitted to the receiver and which
   not. This is due to the fact that TCP uses a sliding window of
   variable size. In short, this allows that the sender sends packets,
   receives an acknowledgement from the OS, but the data is still on the
   wire. The OS acknowledgment does NOT mean the data is actually
   received. While the sender continues to send data, the already OS
   acknowledge data is eventually delivered to the sender. If that
   succeeds, everthing is fine. If now, however, the TCP stack will
   detect the problem over time and notify the sender. However, the
   sender does not know exactly where the problem occured and so does
   not know what to re-send. Anyhow, it knows at least something went
   wrong and SHOULD log an event to a local system event repository.
======

I think we should address this need in a tcp (or better: stream)
framing. It's not a big deal to add an app-level opening and closing to
the protocol - and eventually even an app-level ack/nak (per message),
which would relive us of many problems.

It can be as simple as

Sender:
XFERSTART <sender-name> (could be checked against cert!)
MSG <header><protocol-message><trailer> (trailer for error-checking,
questionable)
CLOSE <optional-param>

Receiver: 
SMTP-like status codes (or simply ACK / NAK "reason")

No a big deal but a big advantage...

> If we don't introduce anything new 
> in TLS or SSH, I am not sure why anything extra is needed to 
> be specified.  Maybe just to create a baseline of requirement 
> (minim cipher suite, auth mode, etc), but even that is questionable.  

I think the parameters should be outlined.
> 
> BTW, can IPSec be considered a viable security transport for 
> syslog using UDP transport?  I already mentioned how IPSec 
> can address security issues in syslog-transport-udp-07.  So, 
> do we simply need to provide an overview of how it does it in 
> that ID to pass the IESG criteria of secure syslog transport?

This is a very good question, I think one for Sam. Maybe Chris could
check it out?

Rainer
> 
> Thanks,
> Anton. 
> 
> > -----Original Message-----
> > From: Tom Petch [mailto:nwnetworks@dial.pipex.com] 
> > Sent: Friday, June 16, 2006 4:13 AM
> > To: syslog@ietf.org
> > Subject: Re: [Syslog] stream transport 
> > wasdraft-ietf-syslog-transport-tls-01.txt
> > 
> > I think that this document has some way to go.  It has 
> > introduced, and woven
> > together, both TLS and TCP transport, which I think wrong.  
> > Ideally, I think
> > that we should have two separate documents, one dealing with 
> > TLS, the other with
> > TCP issues; given that both would be short, it is probably 
> > sensible to have only
> > the one, but I still see the need for separation within the 
> > document.  After
> > all, DTLS exists: an outsider could, should, think that 
> > syslog is UDP-based,
> > DTLS provides UDP security so DTLS is the obvious choice, 
> > what on earth is this
> > document talking about?  We need a section on DTLS (if only 
> > justifying why it is
> > not for further consideration).  And, for me, that alone 
> > justifies teasing out
> > the TLS issues from the TCP issues; is FRAME-LEN needed over DTLS?.
> > 
> > That said, I do not think that this document adequately 
> > covers the TCP issues,
> > ones that have surfaced on the list before.
> > 
> > TLSoTCP can deliver one syslog message, many syslog messages, 
> > part of a syslog
> > message or a combination thereof - it is in the nature of a 
> > stream protocol.
> > This needs spelling out.
> > 
> > A TCP connection takes time to set up, TLSoTCP longer.  This 
> > needs spelling out;
> > if timely delivery is a concern, then the connection should 
> > be established in
> > advance.
> > 
> > The section on TCP termination is too weak.  If we are 
> > recommending a timeout,
> > then we should recommend a value, even specifying that it 
> > should be configurable
> > over a range.  And if we cannot agree on such values, I do 
> > not think we should
> > be specifying a timeout.
> > 
> > TCP perforce introduces flow control.  This will slow down 
> > and rate limit
> > messages; what is the impact of this on the application?
> > 
> > TCP failures can terminate the connection!  Again, this has 
> > an impact on the
> > application with the time taken to become aware that the 
> > connection has failed.
> > 
> > Tom Petch
> > 
> > ----- Original Message -----
> > From: "David B Harrington" <dbharrington@comcast.net>
> > To: <syslog@ietf.org>
> > Sent: Tuesday, May 09, 2006 4:26 PM
> > Subject: [Syslog] draft-ietf-syslog-transport-tls-01.txt
> > 
> > 
> > Hi,
> > 
> > A new revision of the syslog/TLS draft is available.
> > 
> http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-01
> > .txt
> > 
> > We need reviewers.
> > Can we get
> > 1) a person to check the grammar?
> > 2) a person to check the syslog technical parts?
> > 3) a person to check compatibility with the other WG documents?
> > 4) a person to check the TLS technical parts?
> > 
> > We also need general reviews of the document by multiple people.
> > 
> > Thanks,
> > David Harrington
> > co-chair, Syslog WG
> > ietfdbh@comcast.net
> > _______________________________________________
> > Syslog mailing list
> > Syslog@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/syslog
> > 
> > 
> > _______________________________________________
> > Syslog mailing list
> > Syslog@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/syslog
> > 
> 
> _______________________________________________
> Syslog mailing list
> Syslog@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/syslog
> 

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog