Re: [Syslog] byte-counting vs special character

"tom.petch" <> Fri, 18 August 2006 17:39 UTC

From: "tom.petch" <>
To: "Anton Okmianski (aokmians)" <>
Date: Thu, 17 Aug 2006 12:53:25 +0200

<inline tp>
----- Original Message -----
From: "Anton Okmianski (aokmians)" <>
To: "David Harrington" <>; "Rainer Gerhards"
Cc: <>
Sent: Tuesday, August 15, 2006 8:04 PM
Subject: RE: [Syslog] byte-counting vs special character

I second these concerns.  Escaping requirements result in a more
interdependent layering, which is a weaker architecture (not to mention
the overhead to a new standard). The syslog transport would need to mess
with payload instead of treating it as opaque blob with easily known
length. Not nice. Imagine TCP/IP escaping all payload to separate
datagrams and segments.

Escaping of magic characters is IMHO clearly a hack and should not be
put into a standard!

Well, I think you just wrote off most of the IETF STANDARDs that deal with
character-based protocols (like the e-mail we are using to communicate(?)).

A set of characters, of symbols, in a 'message' is encoded, given a number, be
it 6 or 8 or 16 or whatever number of bits.  If that bit pattern conflicts with
the 'control' aspects of a protocol, then that bit pattern must be
'transfer-encoded' so that it does not appear per se on the wire.  That is what
base64 or quoted-printable do for e-mail.

So we are talking of using a well-understood, widely deployed piece of protocol
architecture to solve a common problem.
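
Editorial example added to this archive page, not part of the message above or of any syslog draft: the two framing approaches under debate, byte-counting and an escaped special character, applied to the same payloads. The delimiter (LF), the backslash escape and the "<length> <payload>" layout are assumptions chosen for illustration.

```python
# Added illustration. DELIM, ESC and the "<length> <payload>" layout are
# assumptions for this sketch, not wire formats taken from the thread.
DELIM, ESC = b"\n", b"\\"

def frame_counted(msg: bytes) -> bytes:
    """Byte-counting: decimal length, one space, payload left untouched."""
    return str(len(msg)).encode("ascii") + b" " + msg

def parse_counted(stream: bytes) -> list:
    out, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # end of the length field
        field = stream[pos:sp]
        if not field.isdigit():
            raise ValueError("bad length field")
        end = sp + 1 + int(field)
        if end > len(stream):
            raise ValueError("truncated frame")
        out.append(stream[sp + 1:end])        # payload is never inspected
        pos = end
    return out

def frame_escaped(msg: bytes) -> bytes:
    """Special character: escape ESC first, then DELIM, then terminate."""
    return msg.replace(ESC, ESC + ESC).replace(DELIM, ESC + b"n") + DELIM

def parse_escaped(stream: bytes) -> list:
    out = []
    for raw in stream.split(DELIM)[:-1]:      # text after the last DELIM is incomplete
        msg, i = bytearray(), 0
        while i < len(raw):
            if raw[i:i + 1] != ESC:
                msg.append(raw[i]); i += 1
                continue
            code = raw[i + 1:i + 2]
            if code not in (b"n", ESC):
                raise ValueError("bad escape")
            msg += DELIM if code == b"n" else ESC
            i += 2
        out.append(bytes(msg))
    return out

def parse_unescaped(stream: bytes) -> list:
    """Delimiter framing with no escaping, for comparison."""
    return stream.split(DELIM)[:-1]

# Constructed sample payloads: one carries an embedded newline, one a backslash.
MSGS = [b"login ok user=alice",
        b"bad input 'x\nlogin ok user=root'",
        b"pattern=\\n+"]
```

Both framings round-trip all three payloads; `parse_unescaped` instead returns four records, because the embedded newline in the second payload is read as a record boundary.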

