Hi Folks, Below are the minutes from the syslog WG meeting held yesterday here at the IETF. I wish to sincerely thank Richard Graveman for these superb notes. These notes are consistent with my recollection of the meeting and if no one objects, I will post them to the IESG as official. Apologies but no one in the room had jabber on their machine so we missed that.
Thanks, Chris

---notes as taken by Richard Graveman---

Security Issues in Network Event Logging WG (syslog WG; Sec Area)
Notes from Richard Graveman, RFG Security.
Chair: Chris Lonvick <[EMAIL PROTECTED]>
The ML is at [EMAIL PROTECTED]
Additional information is available at http://www.employees.org/~lonvick/Seoul_agenda/agenda.html.
Issue tracking is in use.

I. Review of Scope and Charter (Chris) 10 min.

There were no changes to the agenda. The agenda and on-line information were reviewed. The work is to secure the transport of logs. Content is out of scope. They produced RFCs 3164 and 3195. Protocol, UDP transport, sign, device MIB, and Internationalization drafts are in progress.

II. Update of "syslog Protocol" ID (Rainer or proxy) 30 min.
draft-ietf-syslog-protocol-03.txt

The three layers are application, protocol, and transport. 3164 is the two lower layers. 3195 touches the application. Sign and International are mostly the two higher layers. A new concept for aligning documents within these layers was proposed, which leads to six documents instead of four: UDP and 3195; protocol; and then international and sign, etc. at the application layer.

Protocol describes devices, relays, collectors, protocol layers, simplex communications, common header, structured data, classical free-form messages, and security considerations. There is no two-way communication, except for RFC 3195, which is over TCP. End-to-end (duplex) would be an entirely different protocol. Transport layer mapping: UDP being written; others, including TCP, later.

The protocol ID is not completely backward compatible. Non-compliant messages will be treated as messages without a header. WG consensus that a solid base is more important than backwards compatibility. The new HEADER has more fields, including a version number. TIMESTAMP is better defined.

John Kelsey introduced structured data elements. Used for extended functionality. Assigned by IANA. Extensible. The IDs defined are msgpart, time, and origin, with more to come. Time zones were debated. IP addresses are preferable to hostnames.

Multi-part messaging: 1280 is the maximum message size. A message segmentation scheme exists. Downstream message splitting is proposed.

Semantics questions were on facility (issue 5) and TAG (issue 16). Issue 13 states that syslog-protocol currently dictates many details. There is a tradeoff between ambiguity and security. The notes could be moved to an Informational RFC. There was no objection to this. Relay operations may be described in the -protocol document or described briefly with the rest deferred. It will be left for now. Message size was discussed: current maximum is 1280. Removing this restriction was proposed. It could become a transport issue. Comments and feedback are solicited. See http://www.syslog.cc/ietf/protocol.html.

III. Introduction of "syslog Transport" ID (Anton or proxy) 15 min.
draft-ietf-syslog-transport-udp-00.html
http://www.employees.org/~lonvick/transport/draft-ietf-syslog-transport-udp-00.txt

This is a standards track ID to replace 3164. It defines UDP over port 514 as MUST. One datagram per syslog message. One datagram per msg part for multi-part. UDP checksums RECOMMENDED. IP fragmentation SHOULD be avoided. Recommends 548 bytes maximum message size to avoid fragmentation. (S. Bellovin drew a comparison with the DNS message size limit of 512.) Reliability is a separate section: lost, corrupted, congestion control, un-sequenced delivery, and increased risk of loss with IP fragmentation. Many sec considerations: authenticity, authentication, forgery, eavesdropping, replay, unreliability, no prioritization, DoS, and covert channels. There was no objection to this approach, which simplifies the syslog-protocol document.

IV. Update of "syslog-sign" ID (Jon or proxy) 15 min.
draft-ietf-syslog-sign-13

Slightly on hold while the protocol issues are resolved. Parts can be removed based on the above protocol and transport. IANA considerations need to be done. The current document is transport independent. It can be used with classic syslog or home-grown applications. No objection to this.

V. Update of "syslog-device-mib" ID (Glenn Mansfield Keeni) 30 min.
draft-ietf-syslog-device-mib-05

This started with modest ambitions and became more complicated. After more reflection, the current -05 draft emerged. The name "device" is historical. Purpose is to monitor syslog operation: message stats, received, processed, relayed. Security considerations need to address READONLY threats and other threats. The following issues are resolved:
Issue 1: Written, and feedback is requested.
Issue 2: Make the MIB generic (now BSD centric).
Issue 3: Do not overlap with HR-MIB. Provide mapping to hrSWRunTable. Remove syslogParamsProcessStatus (or make it readOnly), add syslogProcReference. The syslogProcReference OBJECT-TYPE was shown.
Issue 4: Add SNMP notification. The MIB will not address syslog over SNMP.
Issue 5: Add "no DNS lookup".
Issue 6: Use the MIB to control and configure syslog. The suggestion was to do this with ScriptMIB. The syslog.conf semantics are not part of this, but a script can be transferred to a host, which can deal with syslog.conf. Much complexity.
The next draft is scheduled for April: DESCRIPTION clauses, REFERENCE clauses, editorial items.

VI. Wrap-up and review of decisions made (Chris) 10 min.

There were no additional items. There was no objection to the plan to proceed as described in the discussion items. Meeting adjourned at 16:34.

---end
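An added example, not part of the minutes or of any syslog WG draft, showing how a collector could apply the rules recorded under items II and III: the 1280-byte protocol maximum, the 548-byte limit recommended to avoid IP fragmentation, and the rule that a non-compliant message is treated as one without a header. The "<PRI>VERSION " header layout, the HEADER_RE pattern and the sample datagrams are assumptions constructed here; the draft-03 header is not spelled out in the minutes.

```python
# Added example; header layout is ASSUMED (an RFC 5424-style "<PRI>VERSION "
# prefix), not taken from draft-ietf-syslog-protocol-03 itself.
import re

MAX_MESSAGE = 1280   # protocol maximum recorded under item II
NO_FRAG_MAX = 548    # item III: 576-byte minimum IP reassembly buffer - 20 (IPv4) - 8 (UDP)

# ASSUMED header shape: "<PRI>VERSION " with PRI in 0..191 and VERSION >= 1.
HEADER_RE = re.compile(rb"^<(\d{1,3})>(\d{1,3}) ")


def check_outgoing(msg: bytes) -> str:
    """Sender side: one datagram per message, so the whole message must fit."""
    if len(msg) > MAX_MESSAGE:
        return "too-large"            # exceeds the protocol maximum; must not be sent as one datagram
    if len(msg) > NO_FRAG_MAX:
        return "fragmentation-risk"   # may be IP-fragmented and so more likely to be lost
    return "ok"


def classify_datagram(data: bytes) -> dict:
    """Receiver side: size checks plus header parse with headerless fallback."""
    result = {
        "size": len(data),
        "oversized": len(data) > MAX_MESSAGE,
        "fragmentation_risk": NO_FRAG_MAX < len(data) <= MAX_MESSAGE,
        "has_header": False, "facility": None, "severity": None, "version": None,
    }
    m = HEADER_RE.match(data)
    if m:
        pri, version = int(m.group(1)), int(m.group(2))
        if pri <= 191 and version >= 1:
            # PRI = facility * 8 + severity (RFC 3164 encoding)
            result.update(has_header=True, facility=pri >> 3,
                          severity=pri & 7, version=version)
            return result
    # Non-compliant: treated as a message without a header (item II);
    # facility and severity stay unknown rather than being guessed.
    return result


if __name__ == "__main__":
    # Constructed sample datagrams, not captured traffic.
    for sample in (b"<34>1 2004-03-04T12:00:00Z host app - - - user login",
                   b"legacy free-form text with no header",
                   b"<13>1 " + b"x" * 600):
        print(check_outgoing(sample), classify_datagram(sample))
```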