Re: [Syslog] Issue 14 - Unreliable Delivery
"David Harrington" <ietfdbh@comcast.net> Mon, 21 June 2010 12:23 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A5D603A6988 for <syslog@core3.amsl.com>; Mon, 21 Jun 2010 05:23:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.322
X-Spam-Level:
X-Spam-Status: No, score=-0.322 tagged_above=-999 required=5 tests=[AWL=-0.137, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2B4afai6CCIR for <syslog@core3.amsl.com>; Mon, 21 Jun 2010 05:23:46 -0700 (PDT)
Received: from qmta14.westchester.pa.mail.comcast.net (qmta14.westchester.pa.mail.comcast.net [76.96.59.212]) by core3.amsl.com (Postfix) with ESMTP id 7BE2E3A67A3 for <syslog@ietf.org>; Mon, 21 Jun 2010 05:23:46 -0700 (PDT)
Received: from omta04.westchester.pa.mail.comcast.net ([76.96.62.35]) by qmta14.westchester.pa.mail.comcast.net with comcast id YbBL1e0010ldTLk5EcPt81; Mon, 21 Jun 2010 12:23:54 +0000
Received: from 23FX1C1 ([67.189.235.106]) by omta04.westchester.pa.mail.comcast.net with comcast id YcPt1e0052JQnJT3QcPtnH; Mon, 21 Jun 2010 12:23:53 +0000
From: David Harrington <ietfdbh@comcast.net>
To: "'Joseph Salowey (jsalowey)'" <jsalowey@cisco.com>, "'Chris Lonvick (clonvick)'" <clonvick@cisco.com>, syslog@ietf.org
References: <Pine.GSO.4.63.1006181711000.13308@sjc-cde-011.cisco.com> <AC1CFD94F59A264488DC2BEC3E890DE50AC62501@xmb-sjc-225.amer.cisco.com>
Date: Mon, 21 Jun 2010 08:22:20 -0400
Message-ID: <496FD167F610474CB8B42191E536451A@23FX1C1>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcsPYV1Np+8gRVsBR/2KBN8/XCljXABmm+fAABATLNA=
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50AC62501@xmb-sjc-225.amer.cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
Subject: Re: [Syslog] Issue 14 - Unreliable Delivery
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2010 12:23:47 -0000
Hi, I think that text looks good, except I think you lost the last word. I assume the last sentence was meant to end with "loss". You also might want to mention syslog-sign by name, not just RFC# dbh > -----Original Message----- > From: syslog-bounces@ietf.org > [mailto:syslog-bounces@ietf.org] On Behalf Of Joseph Salowey > (jsalowey) > Sent: Monday, June 21, 2010 12:48 AM > To: Chris Lonvick (clonvick); syslog@ietf.org > Subject: Re: [Syslog] Issue 14 - Unreliable Delivery > > > > > -----Original Message----- > > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On > Behalf > > Of Chris Lonvick (clonvick) > > Sent: Friday, June 18, 2010 8:42 PM > > To: syslog@ietf.org > > Subject: [Syslog] Issue 14 - Unreliable Delivery > > > > SECDIR Reviewer comments: > > > > One difference between the security considerations for syslog over > > DTLS and those for syslog over TLS (unnoted in the current Security > > Considerations section) is that DTLS does not provide > retransmission. > > If an attacker can cause a packet to be dropped (especially one > > carrying significant information about an attack), the transport > > receiver may not consider this a significant event and so > the syslog > > server may be completely unaware of the occurrence. This contrasts > > with syslog over TLS where a dropped packet would be retransmitted > > until acknowledged or until the TLS connection goes down > (indicating > > to the transport sender and receiver and perhaps to the > syslog client > > and server that a significant event has occurred). Maybe it > would be a > > good idea to recommend that the transport receiver notice > gaps in the > > DTLS sequence numbers and notify the syslog server. Still, > this is not > > as good from a security standpoint as syslog over TLS since none of > > the client code will be aware that the dropped message was not > > received. At least, there should be a discussion of this > issue in the > > Security Considerations section of this document. > > > > My comments back to the reviewer and the IESG: > > ===vvv=== > > It's discussed in section 5.4 (Unreliable Delivery - in the > Security > > Considerations section) in RFC 5426 and throughout Section 3.1 > > (Loss-Insensitive Messaging) in RFC 4347. I'm thinking > that it would > be > > good to note this in Section 4 (Using DTLS to Secure Syslog) in the > draft. > > > > Overall, the community is comfortable with the loss of > information > as > > they've been using syslog/udp for many years and know the problems > with > > that. RFC 5424 also notes that implementers who wish a lossless > stream > > should be using tls/tcp as their transport. From that, > it's probably > best > > to reference RFC 5848 (referenced as draft-ietf-syslog-sign in the > draft) > > which can also provide an indication of loss of messages. " > > ===^^^^=== > > > > ACTION: I'd like to get some discussion going on this. Do people > think > > that this is good? > > > [Joe] I think it would be good to add a security consideration. How > about: > > "9.x Message Loss > > The transports described in this document are unreliable. It > is possible for messages to be lost or removed by an attacker > without the knowledge of the receiver. [RFC 5424] notes that > implementers who wish a lossless stream should be using > tls/tcp as their transport. In addition, the use of [RFC > 5848] can also provide an indication of message. " > > > > Thanks, > > Chris > > _______________________________________________ > > Syslog mailing list > > Syslog@ietf.org > > https://www.ietf.org/mailman/listinfo/syslog > _______________________________________________ > Syslog mailing list > Syslog@ietf.org > https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] Issue 14 - Unreliable Delivery Chris Lonvick
- Re: [Syslog] Issue 14 - Unreliable Delivery Joseph Salowey (jsalowey)
- Re: [Syslog] Issue 14 - Unreliable Delivery David Harrington
- Re: [Syslog] Issue 14 - Unreliable Delivery Jon Callas