RE: [Syslog] RE: byte-counting vs special character

Carson Gaspar <carson@taltos.org> Thu, 17 August 2006 00:19 UTC

Date: Wed, 16 Aug 2006 17:21:20 -0700
From: Carson Gaspar <carson@taltos.org>
To: syslog@ietf.org
Subject: RE: [Syslog] RE: byte-counting vs special character

--On Thursday, August 17, 2006 2:08 AM +0200 Rainer Gerhards 
<rgerhards@hq.adiscon.com> wrote:

> Legacy code does not contain LF in messages. It is advised that
> new-style syslog also does not contain control characters (though it now
> is allowed).

Legacy code _will_ emit doubled escape characters (unless the escape 
character selected is forbidden in legacy code). They will then be 
mis-interpreted by new code.

New code _will_ double the escape character when sending it to legacy code, 
mangling the message.

You can't have it both ways. Either you forbid LF and use it as an EOM 
marker and get backwards compatibility, or you allow LF (via whatever 
mechanism, escaping or octet counting are equivalent) and break backwards 
compatibility. Statements that "doubled escape characters are unlikely in 
legacy messages" are bogus. Either they are _impossible_, or they will 
happen eventually.

If you want to bow at the altar of the installed base, forbid LF in 
messages. If not, then octet counting is technically superior. This 
wishy-washy middle ground is just a terrible idea.

-- 
Carson
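
The interoperability failure argued in the message above, as an added example that is not part of the original message or of any syslog implementation. The backslash escape byte, the `ESC n` encoding of LF and the "length, space, bytes" octet-counting layout are assumptions chosen for illustration, and the sample messages are constructed.

```python
ESC, LF = b"\\", b"\n"  # ESC is an assumed escape byte; the thread does not name one

def legacy_frame(msg: bytes) -> bytes:
    """Legacy sender: raw bytes, LF ends the message, so LF cannot appear inside."""
    if LF in msg:
        raise ValueError("legacy framing cannot carry LF")
    return msg + LF

def legacy_unframe(stream: bytes) -> list[bytes]:
    """Legacy receiver: split on LF, no unescaping."""
    return stream.split(LF)[:-1]

def escaped_frame(msg: bytes) -> bytes:
    """New sender (hypothetical scheme): ESC is doubled, LF becomes ESC 'n'."""
    return msg.replace(ESC, ESC + ESC).replace(LF, ESC + b"n") + LF

def escaped_unframe(stream: bytes) -> list[bytes]:
    """New receiver: split on LF, then undo the escaping in each record."""
    out = []
    for rec in stream.split(LF)[:-1]:
        buf, i = bytearray(), 0
        while i < len(rec):
            if rec[i:i + 1] == ESC and i + 1 < len(rec):
                nxt = rec[i + 1:i + 2]
                buf += LF if nxt == b"n" else nxt
                i += 2
            else:
                buf += rec[i:i + 1]
                i += 1
        out.append(bytes(buf))
    return out

def octet_frame(msg: bytes) -> bytes:
    """Octet counting (assumed layout): decimal length, one space, then the bytes."""
    return str(len(msg)).encode() + b" " + msg

def octet_unframe(stream: bytes) -> list[bytes]:
    """Receiver reads the length, then exactly that many bytes, whatever they are."""
    out = []
    while stream:
        n, _, rest = stream.partition(b" ")
        out.append(rest[:int(n)])
        stream = rest[int(n):]
    return out

if __name__ == "__main__":
    old = b"unc=\\\\fileserver"  # constructed legacy message containing a doubled ESC
    print(escaped_unframe(legacy_frame(old)))             # new receiver collapses it
    print(legacy_unframe(escaped_frame(b"dir=C:\\tmp")))  # legacy receiver sees doubling
```

Escaping round-trips only when both ends speak it; the octet-counted frames carry LF and the escape byte unchanged because the receiver never inspects the payload.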
