Re: [Syslog] RE: byte-counting vs special character

Chris Lonvick <clonvick@cisco.com> Thu, 17 August 2006 14:34 UTC

Date: Thu, 17 Aug 2006 07:21:16 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [Syslog] RE: byte-counting vs special character
Cc: syslog@ietf.org

Hi,

On Thu, 17 Aug 2006, Balazs Scheidler wrote:

> On Wed, 2006-08-16 at 12:32 -0700, Carson Gaspar wrote:
>> Escaping precludes no-configuration backwards compatibility, as no legacy
>> syslog-over-tcp code does escaping. So if you want to interoperate with
>> existing code, you must have a "don't escape or expect escapes" switch in
>> your code. If you're going to do that, just have a "LF mode vs byte-count
>> mode" switch. This whole backwards compat argument is bogus, iff we decide
>> to escape embedded LF instead of forbidding it. And I have yet to see
>> anyone argue for LF on any grounds except backwards compatibility.
>
> As I said in a private mail to you, no we don't need that switch. LF is
> escaped as a sequence of two characters '\' and 'n'. This way escaped LF
> characters will not affect protocol processing, the only issue is that
> LFs in the message will be written to the disk in a slightly different
> format. But adding the fact that current TCP senders are not transparent
> wrt LFs this is not a big deal.
>
> - old sender - new receiver
>    => works, because current syslog-TCP senders strip LFs off the
> message, either they replace it with space or forward multiple messages
>
> - new sender - old receiver
>    => works, because the old receiver does not care about the "\n"
> string in the message, although it will not unescape it when it writes
> it to disk

What's going to happen with syslog-sign and/or other mechanisms that will 
look at the packet and create a hash of it?  It sounds like everything 
will be acceptable if a new receiver gets it and does the re-conversion 
before anything looks at the contents.  However, an old receiver will 
continue to keep the \n which will mess up syslog-sign.  Is that correct?

Also, what's going to happen to a new receiver that receives a legitimate 
"\n" as in an original message sent:
    <PRI>... BOM The offending characters are \n
Will the receiver convert that into LF?

Thanks,
Chris
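
Added example, not part of the original message or of any implementation discussed on the list: a small model of the two questions raised above, assuming the escape rule is exactly as quoted (LF becomes '\' 'n', the backslash itself is not escaped). The byte-count frame layout, the SHA-256 stand-in for the signing hash, and the sample messages are assumptions made for the illustration.

```python
import hashlib

LF = b"\n"
ESC = b"\\n"  # two bytes: backslash followed by 'n'

def escape_lf(msg: bytes) -> bytes:
    # Sender, LF framing: an embedded LF becomes the two characters '\' 'n'.
    return msg.replace(LF, ESC)

def unescape_lf(line: bytes) -> bytes:
    # New receiver: every '\' 'n' pair is turned back into LF.
    return line.replace(ESC, LF)

def lf_receive(msg: bytes, receiver_unescapes: bool) -> bytes:
    # One message over an LF-delimited stream; returns what the receiver keeps.
    stream = escape_lf(msg) + LF
    line = stream.split(LF)[0]
    return unescape_lf(line) if receiver_unescapes else line

def count_frame(msg: bytes) -> bytes:
    # Assumed byte-count frame: decimal length, one space, then the message.
    return str(len(msg)).encode("ascii") + b" " + msg

def count_receive(stream: bytes) -> bytes:
    length, _, rest = stream.partition(b" ")
    return rest[: int(length)]

def digest(msg: bytes) -> str:
    # SHA-256 stands in for whatever hash the signing mechanism uses.
    return hashlib.sha256(msg).hexdigest()

def hash_survives(msg: bytes) -> dict:
    # Does a hash taken by the sender still match what each receiver holds?
    want = digest(msg)
    return {
        "lf_old_receiver": digest(lf_receive(msg, False)) == want,
        "lf_new_receiver": digest(lf_receive(msg, True)) == want,
        "byte_count": digest(count_receive(count_frame(msg))) == want,
    }

# Constructed sample messages (not taken from the thread's traffic).
EMBEDDED_LF = b"<13>app: line one\nline two"
LITERAL_BACKSLASH_N = b"<13>app: The offending characters are \\n"

if __name__ == "__main__":
    for name, msg in (("embedded LF", EMBEDDED_LF),
                      ("literal \\n", LITERAL_BACKSLASH_N)):
        print(name, hash_survives(msg))
```

Under these assumptions the old receiver breaks the hash for a message with an embedded LF, the new receiver breaks it for a message that legitimately contains backslash-n, and the byte-counted frame preserves both.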
