Re: [Syslog] New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)

Chris Lonvick <> Tue, 16 November 2010 19:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 653913A6E2A for <>; Tue, 16 Nov 2010 11:46:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.299
X-Spam-Status: No, score=-110.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id f-ngPGw++Hbh for <>; Tue, 16 Nov 2010 11:45:59 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9EC1B3A6E23 for <>; Tue, 16 Nov 2010 11:45:59 -0800 (PST)
Authentication-Results:; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAEdu4kyrR7Hu/2dsb2JhbACiY3GkY5snhUsEhFo
X-IronPort-AV: E=Sophos;i="4.59,207,1288569600"; d="scan'208";a="621120873"
Received: from ([]) by with ESMTP; 16 Nov 2010 19:46:43 +0000
Received: from ( []) by (8.13.8/8.14.3) with ESMTP id oAGJkh7q021406; Tue, 16 Nov 2010 19:46:43 GMT
Date: Tue, 16 Nov 2010 11:46:43 -0800 (PST)
From: Chris Lonvick <>
To: "t.petch" <>
In-Reply-To: <001101cb79e6$8d321620$>
Message-ID: <>
References: <> <001101cb79e6$8d321620$>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: [Syslog] New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Nov 2010 19:46:00 -0000

Hi Tom,

On Mon, 1 Nov 2010, t.petch wrote:

> Chris
> I had not noticed before but this seems to have changed direction during the
> summer; Informational not Standards Track, and stressing byte-counting more,
> byte-stuffing less.
> I do find it less clear.  I think that the Introduction needs more work in the
> light of the changes to the rest of the document. I read
> "This specification includes descriptions of both
>   format options in an attempt to ensure that standardized syslog
>   transport receivers can receive and properly interpret messages sent
>   from legacy syslog senders."
> got to the end of the document and thought 'oh no it does not!' and then
> realised that this is now an Appendix whereas before it was in the main body.
> Of course, if you never knew it was in the body, you might not be as confused as
> I.
> But really, the emphasis on standardised and legacy syslog seems misplaced.  The
> carriage over TCP is the same whether the carried is SYSLOG-3164 or SYSLOG-MSG
> so the distinction seems spurious.  And SYSLOG-3164 does not appear in any RFC
> or I-D I can find.
> Rather, you have two forms of adaptation to carry a message, and what that
> message is is mostly academic.

I was trying to clean it up so that it would only show that one mechanism 
was available for transporting RFC 5424 syslog messages over TCP, and that 
two mechanisms have been seen for transporting legacy syslog over TCP. 
The one mechanism for RFC 5424 over TCP is "bit counting" and is exactly 
like syslog/tls and syslog/dtls.  The other method of "bit stuffing" has 
been seen in the wild but has problems.

I'll take another look at it and see if I can explain that more clearly.

> Separately, I think that more is needed on Security.  It is easier to sabotage
> TCP than it is UDP; spurious FIN, RST etc.

Yeah...  Easier said than done.  A lot of TCP attacks are not documented, 
and there are a lot of them.  I'll see what I can do on that as well.

> And I think more is needed on closing the session.  The transport receiver
> detects a format error (well, the transport sender is not going to) sends FIN,
> gets FIN-ACK and ....  the transport sender carries merrily on.  I think that
> there should be a recommendation that the transport sender closes the connection
> and reopens it if it wants to.

Good point.  I'll work on that.

I'll dig through it after the US Thanksgiving holiday.