Re: [Syslog] New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)
Chris Lonvick <clonvick@cisco.com> Tue, 16 November 2010 19:46 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 653913A6E2A for <syslog@core3.amsl.com>; Tue, 16 Nov 2010 11:46:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.299
X-Spam-Level:
X-Spam-Status: No, score=-110.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-ngPGw++Hbh for <syslog@core3.amsl.com>; Tue, 16 Nov 2010 11:45:59 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 9EC1B3A6E23 for <syslog@ietf.org>; Tue, 16 Nov 2010 11:45:59 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAEdu4kyrR7Hu/2dsb2JhbACiY3GkY5snhUsEhFo
X-IronPort-AV: E=Sophos;i="4.59,207,1288569600"; d="scan'208";a="621120873"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-6.cisco.com with ESMTP; 16 Nov 2010 19:46:43 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id oAGJkh7q021406; Tue, 16 Nov 2010 19:46:43 GMT
Date: Tue, 16 Nov 2010 11:46:43 -0800
From: Chris Lonvick <clonvick@cisco.com>
To: "t.petch" <ietfc@btconnect.com>
In-Reply-To: <001101cb79e6$8d321620$4001a8c0@gateway.2wire.net>
Message-ID: <Pine.GSO.4.63.1011121207520.11953@sjc-cde-011.cisco.com>
References: <Pine.GSO.4.63.1010011313480.22150@sjc-cde-011.cisco.com> <001101cb79e6$8d321620$4001a8c0@gateway.2wire.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Nov 2010 19:46:00 -0000
Hi Tom, On Mon, 1 Nov 2010, t.petch wrote: > Chris > > I had not noticed before but this seems to have changed direction during the > summer; Informational not Standards Track, and stressing byte-counting more, > byte-stuffing less. > > I do find it less clear. I think that the Introduction needs more work in the > light of the changes to the rest of the document. I read > "This specification includes descriptions of both > format options in an attempt to ensure that standardized syslog > transport receivers can receive and properly interpret messages sent > from legacy syslog senders." > got to the end of the document and thought 'oh no it does not!' and then > realised that this is now an Appendix whereas before it was in the main body. > Of course, if you never knew it was in the body, you might not be as confused as > I. > > But really, the emphasis on standardised and legacy syslog seems misplaced. The > carriage over TCP is the same whether the carried is SYSLOG-3164 or SYSLOG-MSG > so the distinction seems spurious. And SYSLOG-3164 does not appear in any RFC > or I-D I can find. > > Rather, you have two forms of adaptation to carry a message, and what that > message is is mostly academic. I was trying to clean it up so that it would only show that one mechanism was available for transporting RFC 5424 syslog messages over TCP, and that two mechanisms have been seen for transporting legacy syslog over TCP. The one mechanism for RFC 5424 over TCP is "bit counting" and is exactly like syslog/tls and syslog/dtls. The other method of "bit stuffing" has been seen in the wild but has problems. I'll take another look at it and see if I can explain that more clearly. > > Separately, I think that more is needed on Security. It is easier to sabotage > TCP than it is UDP; spurious FIN, RST etc. Yeah... Easier said than done. A lot of TCP attacks are not documented, and there are a lot of them. I'll see what I can do on that as well. > > And I think more is needed on closing the session. The transport receiver > detects a format error (well, the transport sender is not going to) sends FIN, > gets FIN-ACK and .... the transport sender carries merrily on. I think that > there should be a recommendation that the transport sender closes the connection > and reopens it if it wants to. Good point. I'll work on that. I'll dig through it after the US Thanksgiving holiday. Thanks, Chris
- [Syslog] New Version Notification for draft-gerha… Chris Lonvick
- Re: [Syslog] New Version Notification for draft-g… t.petch
- Re: [Syslog] New Version Notification for draft-g… Chris Lonvick