RE: [Syslog] delineated datagrams

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Sat, 12 August 2006 08:52 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GBpEd-0003Ni-Uo; Sat, 12 Aug 2006 04:52:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GBpEc-0003Lv-4i for syslog@ietf.org; Sat, 12 Aug 2006 04:52:46 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GBjwG-0002Od-Gr for syslog@ietf.org; Fri, 11 Aug 2006 23:13:28 -0400
Received: from mail.hq.adiscon.com ([84.245.151.34]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1GBjjL-00007H-Gd for syslog@ietf.org; Fri, 11 Aug 2006 23:00:09 -0400
Received: from localhost (localhost [127.0.0.1]) by mail.hq.adiscon.com (Postfix) with ESMTP id C0C1E9C00C; Sat, 12 Aug 2006 05:01:06 +0200 (CEST)
Received: from mail.hq.adiscon.com ([127.0.0.1]) by localhost (mail.grf.adiscon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14918-02; Sat, 12 Aug 2006 05:01:02 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (grfint2 [172.19.0.6]) by mail.hq.adiscon.com (Postfix) with ESMTP id 4E4769C00B; Sat, 12 Aug 2006 05:01:02 +0200 (CEST)
Subject: RE: [Syslog] delineated datagrams
Date: Sat, 12 Aug 2006 04:59:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA174DE4@grfint2.intern.adiscon.com>
In-Reply-To: <98AE08B66FAD1742BED6CB9522B7312201C96C24@xmb-rtp-20d.amer.cisco.com>
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] delineated datagrams
Thread-Index: Aca8We44KDRAF0sETvmLoLVEiES1iQAopC+gACB59WAAAIf3EAAOnQrg
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Anton Okmianski (aokmians)" <aokmians@cisco.com>, "Nagaraj Varadharajan (nagarajv)" <nagarajv@cisco.com>, syslog@ietf.org
X-Virus-Scanned: by amavisd-new-2.3.3 (20050822) (Debian) at adiscon.com
X-Spam-Score: -2.6 (--)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Cc:
X-BeenThere: syslog@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@lists.ietf.org>
List-Help: <mailto:syslog-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=subscribe>
Errors-To: syslog-bounces@lists.ietf.org

No,we have not called for interopo with 3164. As there are very few 3164
"compliant" (not a standard) implementation, we can not find any common
ground. Even more essential, 3164 is purely UDP, so there is no such
thing as a 3164 "compliant" tcp sender. I agree, however, that
-transport-tls can easily be used together with existing syslog/tls
implementations if we use LF (and no octet count). It then comes down to
what is described in syslog-protocol for interop with existing
implementations.

This is why I would prefer that mode.

Rainer 

> -----Original Message-----
> From: Anton Okmianski (aokmians) [mailto:aokmians@cisco.com] 
> Sent: Friday, August 11, 2006 2:10 PM
> To: Nagaraj Varadharajan (nagarajv); syslog@ietf.org
> Subject: RE: [Syslog] delineated datagrams
> 
> I thought we were targeting the TLS transport to the new
> syslog-protocol, not the current informational RFC 3164.  
> There are some
> considerations in the charter for partial syslog-protocol 
> compatibility
> with RFC 3164. But I don't think we have called for the new 
> transport to
> necessarily work with RFC 3164, did we? 
> 
> Does this need to be a requirement or can the implementations 
> that wish
> to support both provide features to transition clients from one to
> another? 
> 
> Thanks,
> Anton. 
> 
> > -----Original Message-----
> > From: Nagaraj Varadharajan (nagarajv) 
> > Sent: Friday, August 11, 2006 3:51 PM
> > To: syslog@ietf.org
> > Subject: RE: [Syslog] delineated datagrams
> > 
> > Sorry for jumping in late on this topic and also pardon me if 
> > I have not understood the discussion correctly.
> > 
> > My thought is that the easiest way syslog over tls will be 
> > implemented will be by existing apps taking what they have 
> > for syslog over TCP and adding the TLS layer. So in terms of 
> > easy implementation and adoption, it may be good to support 
> > whatever is being done for tcp syslogs now. I believe that LF 
> > as a separator is quite common  currently. 
> > However, I do agree that this is a good opportunity to 
> > upgrade to a better method. My only concern is that this 
> > should not force applications to drastically change their 
> > underlying syslog implementations
> > 
> > Regards,
> > Nagaraj
> > 
> > -----Original Message-----
> > From: Rainer Gerhards [mailto:rgerhards@hq.adiscon.com]
> > Sent: Thursday, August 10, 2006 9:22 PM
> > To: Balazs Scheidler
> > Cc: syslog@ietf.org; Tom Petch
> > Subject: RE: [Syslog] delineated datagrams
> > 
> > > Maybe this already has been said ;)
> > > 
> > > This makes sense. What about other control characters?
> > > 
> > 
> > 
> > We need to differentiate between on-the-wire format and 
> > storage format.
> > On-the-wire, I would escape only LF and the escape character. 
> > In storage, I would escape any control character (which can 
> > be quite tricky with Unicode). Our current scope (and IETF 
> > scope) is on-the-wire. So I propose not to mangle any more 
> > characters than absolutely necessary.
> > 
> > Rainer
> > 
> > _______________________________________________
> > Syslog mailing list
> > Syslog@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/syslog
> > 
> > _______________________________________________
> > Syslog mailing list
> > Syslog@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/syslog
> > 
> 
> _______________________________________________
> Syslog mailing list
> Syslog@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/syslog
> 

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog