IETF Logo Mail Archive

RE: [Syslog] delineated datagrams

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Mon, 14 August 2006 14:31 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCdTe-00078L-Dq; Mon, 14 Aug 2006 10:31:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GCdTd-00078F-BQ for syslog@ietf.org; Mon, 14 Aug 2006 10:31:37 -0400
Received: from mail.hq.adiscon.com ([84.245.151.34]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GCdTc-0000lX-O6 for syslog@ietf.org; Mon, 14 Aug 2006 10:31:37 -0400
Received: from localhost (localhost [127.0.0.1]) by mail.hq.adiscon.com (Postfix) with ESMTP id 608CA9C00C; Mon, 14 Aug 2006 16:32:55 +0200 (CEST)
Received: from mail.hq.adiscon.com ([127.0.0.1]) by localhost (mail.grf.adiscon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16818-06; Mon, 14 Aug 2006 16:32:51 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (grfint2 [172.19.0.6]) by mail.hq.adiscon.com (Postfix) with ESMTP id 53E099C00B; Mon, 14 Aug 2006 16:32:51 +0200 (CEST)
Subject: RE: [Syslog] delineated datagrams
Date: Mon, 14 Aug 2006 16:31:29 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA174DF0@grfint2.intern.adiscon.com>
Content-class: urn:content-classes:message
In-Reply-To: <Pine.GSO.4.63.0608140706240.16946@sjc-cde-003.cisco.com>
X-MimeOLE: Produced By Microsoft Exchange V6.5
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] delineated datagrams
Thread-Index: Aca/rM8iN9g2iSTyQgmKGKboAp+QQAAAKEuA
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Chris Lonvick <clonvick@cisco.com>, Tom Petch <nwnetworks@dial.pipex.com>
X-Virus-Scanned: by amavisd-new-2.3.3 (20050822) (Debian) at adiscon.com
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 68ba2b07ef271dba6ee42a93832cfa4c
Cc: syslog@ietf.org
X-BeenThere: syslog@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@lists.ietf.org>
List-Help: <mailto:syslog-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=subscribe>
Errors-To: syslog-bounces@lists.ietf.org

<inline> 

> -----Original Message-----
> From: Chris Lonvick [mailto:clonvick@cisco.com] 
> Sent: Monday, August 14, 2006 8:20 AM
> To: Tom Petch
> Cc: syslog@ietf.org
> Subject: Re: [Syslog] delineated datagrams
> 
> Hi Tom and All,
> 
> What I've seen discussed:
> - There is no character or character sequence that cannot be 
> used in the
>    syslog payload, which might confuse a parser looking to delineate
>    messages in a single packet based upon a character or character
>    sequence.
> - Byte counting can provide assurance for the delineation of messages.
> - {Some | Most | All} syslog daemons already escape LF so a 
> non-escaped LF
>    could be used to delineate messages.
> 
> Is this correct?

Partly: every character can be present in MSG. So no one can be set
aside. However, we can define an escape character (or sequence) and use
that to escape "magic characters". The escape itself is a magic
character and needs to be escaped. With that, LF can be used as
delimiter. Most existing syslogds use LF as a separator (when receiving
via TCP and SSL).

Octet-couting is the cleanest solution. However, it will not work with
existing syslogd - not even in the limited compatibility setting
outlined in -protocol.

Escaping in existing syslogd does not really matter, because it would
interfere with new-style messages (but mostly in an acceptable - and
expected - way).

> 
> Since it's come up on the list before as a concern, what will 
> be done if 
> people start putting binary information into the syslog 
> message payload? 

This is only supported as long as the binary information results to
valid Unicode sequences. If not, the message is invalid and likely to be
discarded.

In short: pure binary is forbidden. Use base-64 or something similar if
you really need to.

> Will that always have to be escaped by the sender and reversed by the 
> receiver?

NO! This is prohibited by -protocol. Any valid Unicode sequence MUST be
supported in MSG. This includes a myriad of (unicode) control sequences.

Think the difference between on the wire and storage here. Inside
storage (outside the scope of this wg), a receiver may escape (in fact
I'd recommend it). But not on the wire.
> 
> Thanks,
> Chris
> 
> On Mon, 14 Aug 2006, Tom Petch wrote:
> 
> > ----- Original Message -----
> > From: "David Harrington" <ietfdbh@comcast.net>
> > To: "'Chris Lonvick'" <clonvick@cisco.com>; "'Miao Fuyou'" 
> <miaofy@huawei.com>
> > Cc: <syslog@ietf.org>; "'Tom Petch'" <nwnetworks@dial.pipex.com>
> > Sent: Friday, August 04, 2006 7:59 PM
> > Subject: RE: [Syslog] delineated datagrams
> >
> >
> >>
> >> As you probably know by now, I like to see design reuse 
> across IETF NM
> >> solutions, especially across SNMP, syslog, ipfix, and netconf where
> >> feasible.
> >>
> >> As all the IETF NM protocols move toward similar secure transport
> >> solutions, including moving from datagrams to streams, it 
> would be a
> >> good thing to use consistent aproaches to framing.
> >>
> >> Here is what is happening in the other IETF NM protocols:
> >>
> > <snip>
> > >
> >> The NETCONF protocol uses an RPC-based communication model.
> >> From
> >> http://www.ietf.org/internet-drafts/draft-ietf-netconf-prot-12.txt:
> >>    NETCONF peers use <rpc> and <rpc-reply> elements to provide
> >> transport
> >>    protocol-independent framing of NETCONF requests and responses.
> >
> > Ok as far as it goes but incomplete.  As the ssh mapping says,
> >
> > " As the previous example illustrates, a special character sequence,
> >    ]]>]]>, MUST be sent by both the client and the server 
> after each XML
> >    document in the NETCONF exchange.  This character sequence cannot
> >    legally appear in an XML document, so it can be 
> unambigiously used to
> >    indentify the end of the current document in the event of an XML
> >    syntax or parsing error, allowing resynchronization of 
> the NETCONF
> >    exchange."
> > .
> > Wishing to promote design reuse across IETF NM solutions, 
> especially across the
> > character-based ones, I did propose the same separator for 
> syslog over tls and
> > still see it as the technically best solution (even though 
> our message content
> > can be anything and so, unlike NETCONF, we cannot rely 100% 
> on that not
> > appearing in our message content).
> >
> >>
> >> David Harrington
> >> dharrington@huawei.com
> >> dbharrington@comcast.net
> >> ietfdbh@comcast.net
> >>
> >
> 
> _______________________________________________
> Syslog mailing list
> Syslog@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/syslog
> 

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email