RE: [Syslog] Re: Last Call: draft-ietf-syslog-protocol (The syslogProtocol) to Proposed Standard

[Rainer Gerhards]

   Mark == Mark Andrews [EMAIL PROTECTED] writes:
 
[snip]

   Similarly if syslogd is using a reliable transport
   to talk to another syslogd.  That too can block which
   will eventualy lead to blockages to applications /
   memory exhaustion.

*That* is a different beast, not yet discussed. I know that it exists
but it is not related to DNS. If it happens, it is really bad and
typically results in a complete system hang. There are some situations
where a lossy transport is preferable. For example, I have written a
syslog/TCP implementation which, if forced to run in single-threaded
mode, favours discarding messages over blocking as the later could
indeed lead to fatal problems on a typical linux system.

The root cause, however, is not reliable syslog per se. The root cause
is the implementation. A reliable syslogd actually needs to be
implemented with a non-blocking, de-coupled, buffered design. In almost
all cases, that means separate receiver threads, a to-be-processed
message queue and separate sender threads. Still, you have to decide
what to do if the queue size is exhausted. But that scenario is much
less likely. In that case, I'd still favour loosing some messages over
potentially loosing all AND the system the syslogd runs on. As far as I
see it, this is an app-layer issue out of scope for the underlying
protocol. The problem, of course, is that syslog is simplex and
hop-to-hop, so the original sender will never know that the message was
lost. Protocol-wise, I do not see any fix to that except integrating
some asynchronous notification mechanism. IMHO, this is outside the
scope of syslog.

It may be useful to add some hint to implementors pointing to this
blocking condition. But I am not sure if it is really justified.

Rainer

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: draft-ietf-syslog-protocol: Reliabledeliveryconsidered harmful.

[Rainer Gerhards]

I agree with Tom that the draft - at least IMHO - does not promote or
strongly encourage reliable logging.

I also agree with the observation that reliable - and blocking -
logging can cause harm to a system. However, I do not think that this
is anything that the protocol can do something against. It is not the
protocol that causes harm. If we say if we support a reliable syslog
protocol, we can block the system and thus the protocol is harmful,
we can also say if we deliver mail messages via a reliable protocol
(SMTP), we can use up all system ressources (e.g. fill the disk), so
SMTP is harmful.

My point is that we must differentiate between the protocol and its
implementations. A reliable syslog protocol offers the foundation on
which a reliable syslog implementation can be build. It is the task of
the application designer to take care of the operating environment
specifics while implementing the protocol. A good design for Unix will
probably take into consideration that a blocking syslogd does not do
any good and leave options to the operator to discard messages when
needed (and probably have turned them on by default). Even in such a
situation, however, a reliable syslog protocol has advantages. We can
not accidently loose messages. The application must actively discard
them. Which in turn means the application *knows* that messages have
been discarded. It can convey that information to the other syslog
applications it is talking to. In contrast, by using UDP messages get
dropped and nobody knows.

To prove my point, my open source syslog pet rsyslog has implemented
active message discarding in case it would need to block (at least in
single-thread mode, with multiple threads discarding occurs only after
the queue space is used up). This was implemented because there is a
real-world need for it. But this is application design, not protocol
design. Think about it: how can an IETF document specify what a
syslogd should do if its sending queue is filled up? How could we word
this so that it becomes part of an on-the-wire protocol?

Rainer

-Original Message-
From: Tom.Petch [mailto:[EMAIL PROTECTED]
Sent: Monday, February 05, 2007 8:06 AM
To: Harald Tveit Alvestrand; ietf
Subject: Re: draft-ietf-syslog-protocol: Reliable deliveryconsidered
harmful.

inline
Tom Petch

- Original Message -
From: Harald Tveit Alvestrand [EMAIL PROTECTED]
To: David W. Hankins [EMAIL PROTECTED]; ietf@ietf.org
Sent: Sunday, February 04, 2007 9:43 PM
Subject: Re: draft-ietf-syslog-protocol: Reliable delivery considered
harmful.


 Daring to rush in without having read the documents

 it seems to me that somewhere one needs a NOTE, something along the
lines
 of:

 NOTE: In some situations, for instance when a destination disk is
full or
 damaged, a syslog facility may be unable to process all messages,
despite
 the message transport being reliable. In such a case, it is
reasonable for
 the logger of a message to have the option of either not logging
more
 messages or ceasing its own operation. This document does not
specify which
 option to take.

 Or words to that effect.

   Harald


Harald

It might be worth reading the I-D:-)

I am not clear which piece of text in the I-D provoked the original
comment.  I
do not see the I-D recommending reliable transport, with all the
problems that
have been identified with that.  Rather, under security, the I-D
points out that
with an unreliable transport, losing critical messages may adversely
impact
operation.

It then goes on to say
 It may be desirable to use a transport with guaranteed delivery to
mitigate
congestion.  It may also be desirable to include rate-limiting
features in
syslog senders.  This can reduce potential congestion problems when
message
bursts happen.

I find it hard to square this with the original statement that
'draft-ietf-syslog-protocol-19.txt recommends using a reliable
protocol'

If we were to put in a comment about reliable transports introducing
problems
with blocking, then I think that that should be in an I-D which
specifies a
reliable transport, eg the soon to be completed one on TLS (there are
no plans
for one with TCP).

Tom Petch


 --On 2. februar 2007 09:59 -0800 David W. Hankins
[EMAIL PROTECTED]
 wrote:

  On Fri, Feb 02, 2007 at 08:31:49AM +0100, Stephane Bortzmeyer
wrote:
  Wether it is a bug or a feature depends on your requirments. On
some
  high-security environments, people prefer to suspend the service
  rather than not being able to log it. (Otherwise, an attacker
could
  easily attempt many attacks, fill in the hard disk and then
perform
  the real attack unlogged).
 
  I'd just like to point out that you're choosing one bug over
  another.  A DOS in preference to lack of observance of events.
 
  In my opinion, that's a bad selection, but it's your selection to
  make.
 
  That kind of preference, that kind of choice, is a good thing to
  have, but it would be unwise to apply to the general case a
  

RE: [Syslog] Re: Last Call: draft-ietf-syslog-protocol (The syslogProtocol) to Proposed Standard

[Rainer Gerhards]

I am thinking on how to come this by on the protocol basis, but so far I
have no good clue (except that Baszi is probably right and it is a
purely operational issue). However, I know some problems in this
relation and though it is not a deadlock issue, I would like to share
the scenario for sake of completeness:

It occurs on a typical *nix system that runs both syslogd and the dns
daemon. So it could potentially occur on almost all *nix DNS servers.
The problem exists if syslogd contains rules for remote forwarding AND
these rules do contain hostnames which need to be resolved by DNS. A
typical problem is that syslogd starts before the dns daemon. When it
intend to send a message to the remote host, it must do a dns lookup,
which fails because dns daemon is not yet active. The stock linux
syslogd contains some logic which simply defers the connection request,
but at the cost of some message loss. Other ways to avoid this problem
is to use IP addresses in syslog configuration, host files or, as Baszi
said, special configuration options for static address mapping in
syslgod.

I do not, however, know actual deadlock situations (that is neither
syslogd nor dnsd can proceed because they are waiting on each other). I,
too, would appreciate any details on that.

Rainer

 -Original Message-
 From: Sam Hartman [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 01, 2007 2:09 PM
 To: Mark Andrews
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; ietf@ietf.org
 Subject: [Syslog] Re: Last Call: draft-ietf-syslog-protocol (The
 syslogProtocol) to Proposed Standard
 
  Mark == Mark Andrews [EMAIL PROTECTED] writes:
 
  - 'The syslog Protocol ' draft-ietf-syslog-protocol-19.txt as
  a Proposed Standard
 
 Mark draft-ietf-syslog-protocol-19.txt recommends using a
 Mark reliable protocol.  Existing implementations of syslog do
 Mark this and deadlock with nameservers which are logging via
 Mark syslog.
 
 
 Please explain the deadlock in more detail.  One of the primary
 reasons for the syslog working group is reliable syslog, so I think we
 need to focus on how to avoid the deadlock in other ways rather than
 avoiding reliability.
 
 
 ___
 Syslog mailing list
 Syslog@lists.ietf.org
 https://www1.ietf.org/mailman/listinfo/syslog

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf