Re: [Syslog] delineated datagrams

Chris Lonvick <clonvick@cisco.com> Mon, 14 August 2006 14:20 UTC

Date: Mon, 14 Aug 2006 07:20:21 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: Tom Petch <nwnetworks@dial.pipex.com>
Subject: Re: [Syslog] delineated datagrams
Cc: syslog@ietf.org
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>

Hi Tom and All,

What I've seen discussed:
- There is no character or character sequence that cannot be used in the
   syslog payload, which might confuse a parser looking to delineate
   messages in a single packet based upon a character or character
   sequence.
- Byte counting can provide assurance for the delineation of messages.
- {Some | Most | All} syslog daemons already escape LF so a non-escaped LF
   could be used to delineate messages.

Is this correct?

Since it's come up on the list before as a concern, what will be done if 
people start putting binary information into the syslog message payload? 
Will that always have to be escaped by the sender and reversed by the 
receiver?

Thanks,
Chris

On Mon, 14 Aug 2006, Tom Petch wrote:

> ----- Original Message -----
> From: "David Harrington" <ietfdbh@comcast.net>
> To: "'Chris Lonvick'" <clonvick@cisco.com>; "'Miao Fuyou'" <miaofy@huawei.com>
> Cc: <syslog@ietf.org>; "'Tom Petch'" <nwnetworks@dial.pipex.com>
> Sent: Friday, August 04, 2006 7:59 PM
> Subject: RE: [Syslog] delineated datagrams
>
>
>>
>> As you probably know by now, I like to see design reuse across IETF NM
>> solutions, especially across SNMP, syslog, ipfix, and netconf where
>> feasible.
>>
>> As all the IETF NM protocols move toward similar secure transport
>> solutions, including moving from datagrams to streams, it would be a
>> good thing to use consistent approaches to framing.
>>
>> Here is what is happening in the other IETF NM protocols:
>>
> <snip>
> >
>> The NETCONF protocol uses an RPC-based communication model.
>> From http://www.ietf.org/internet-drafts/draft-ietf-netconf-prot-12.txt:
>>    NETCONF peers use <rpc> and <rpc-reply> elements to provide transport
>>    protocol-independent framing of NETCONF requests and responses.
>
> Ok as far as it goes but incomplete.  As the ssh mapping says,
>
> " As the previous example illustrates, a special character sequence,
>    ]]>]]>, MUST be sent by both the client and the server after each XML
>    document in the NETCONF exchange.  This character sequence cannot
>    legally appear in an XML document, so it can be unambiguously used to
>    identify the end of the current document in the event of an XML
>    syntax or parsing error, allowing resynchronization of the NETCONF
>    exchange."
> .
> Wishing to promote design reuse across IETF NM solutions, especially across the
> character-based ones, I did propose the same separator for syslog over tls and
> still see it as the technically best solution (even though our message content
> can be anything and so, unlike NETCONF, we cannot rely 100% on that not
> appearing in our message content).
>
>>
>> David Harrington
>> dharrington@huawei.com
>> dbharrington@comcast.net
>> ietfdbh@comcast.net
>>
>

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
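
The three framing options raised in this thread (a separator sequence, an escaped LF, and byte counting), compared on one stream as an added example that is not part of the original messages. The frame layout "decimal length, space, payload", the 8192-byte limit, the backslash escaping scheme and the sample messages are assumptions constructed for illustration.

```python
# Added example: delimiter framing vs. byte-count framing for syslog over a stream.
# Constructed payloads: an embedded LF, binary bytes plus "]]>]]>", a literal backslash.
SAMPLES = [b"<13>host app: line one\nline two",
           b"<13>host app: \x00\xff]]>]]> bin",
           b"<13>host app: back\\nslash"]

def naive_split(messages, sep):
    """Terminate each message with sep, no escaping, then split on sep."""
    return b"".join(m + sep for m in messages).split(sep)[:-1]

def frame_lf(messages):
    """Sender escapes backslash and LF, so only a frame boundary is a raw LF."""
    return b"".join(m.replace(b"\\", b"\\\\").replace(b"\n", b"\\n") + b"\n"
                    for m in messages)

def _unescape(raw):
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):      # backslash starts an escape
            out.append(0x0A if raw[i + 1] == 0x6E else raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def deframe_lf(stream):
    """Receiver splits on raw LF and reverses the sender's escaping."""
    return [_unescape(r) for r in stream.split(b"\n")[:-1]]

def frame_count(messages):
    """Byte counting: payload is sent untouched behind its length."""
    return b"".join(b"%d " % len(m) + m for m in messages)

def deframe_count(stream, max_len=8192):
    """Read '<len> ' then exactly len bytes; reject bad or oversized lengths."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos, pos + 6)         # at most 5 digits + space
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError("bad length prefix at offset %d" % pos)
        n = int(stream[pos:sp])
        if n > max_len or sp + 1 + n > len(stream):
            raise ValueError("length %d exceeds limit or stream" % n)
        msgs.append(stream[sp + 1:sp + 1 + n])
        pos = sp + 1 + n
    return msgs
```

Without escaping, either separator turns the three sample messages into four records; escaping or byte counting returns the original three, and only byte counting does so without the sender rewriting the payload.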