Security Issues in Network Event Logging (Syslog)
Last Modified:
2006-03-21
Chair(s):
Chris Lonvick <clonvick@cisco.com>
Security Area Director(s):
Russell Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>
Security Area Advisor:
Sam Hartman <hartmans-ietf@mit.edu>
Mailing Lists:
Description of Working Group:
Syslog is a de-facto standard for logging system events. However, the
protocol component of this event logging system has not been formally
documented. While the protocol has been very useful and scalable, it
has some known security problems which were documented in the
INFORMATIONAL RFC 3164.
The goal of this working group is to address the security and integrity
problems, and to standardize the syslog protocol, transport, and a
select set of mechanisms in a manner that considers the ease of
migration between and the co-existence of existing versions and the
standard.
Reviews have shown that there are very few similarities between the
message formats generated by heterogeneous systems. In fact, the only
consistent commonality between messages is that all of them contain
the <PRI> at the start. Additional testing has shown that as long as
the <PRI> is present in a syslog message, all tested receivers will
accept any generated message as a valid syslog message. In designing a
standard syslog message format, this Working Group will retain the
<PRI> at the start of the message and will introduce protocol
versioning. Along these same lines, many different charsets have been
used in syslog messages observed in the wild but no indication of the
charset has been given in any message. The Working Group also feels
that multiple charsets will not be beneficial to the community;
much code would be needed to distinguish and interpret different
charsets. For compatibility with existing implementations, the Working
Group will allow that messages may still be sent that do not indicate
the charset used. However, the Working Group will recommend that
messages contain a way to identify the charset used for the message,
and will also recommend a single default charset.
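The receiver behaviour described above, as an added example that is not code from the working group or any IETF draft: the only check is a well-formed <PRI> at the start, after which anything is accepted as a syslog message. The version digit after the closing '>' is an assumption (the charter only says versioning will be introduced), UTF-8 is assumed as the single default charset with a lossless fallback when a legacy message does not decode, and the facility names are the common syslog.conf spellings rather than anything normative.

```python
"""Syslog receiver check built on the observation that <PRI> at the start is
the only thing every syslog message has in common.

Added example; not code from the working group or any IETF draft.  The
version digit after '>' and the UTF-8 default charset are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Common (non-normative) facility names for codes 0..23.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])

# PRI: '<' + decimal 0..191 + '>', no leading zeros (RFC 3164 style)
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")
# Assumed versioning: a one- or two-digit version right after '>' followed by a space.
_VERSION_RE = re.compile(r"^([1-9][0-9]?) ")


@dataclass
class SyslogMessage:
    pri: int
    facility: int
    severity: int
    version: Optional[int]   # None for a legacy (RFC 3164-style) message
    body: str
    charset_ok: bool          # True if the body decoded as UTF-8 (the assumed default)


def parse(raw: bytes) -> Optional[SyslogMessage]:
    """Accept anything with a valid <PRI> up front; None means 'not syslog'."""
    head = raw[:5].decode("ascii", errors="replace")   # '<191>' is the longest PRI
    m = _PRI_RE.match(head)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    rest = raw[m.end():]
    try:
        text, charset_ok = rest.decode("utf-8"), True
    except UnicodeDecodeError:
        # Legacy messages carry no charset indication; keep the bytes readable
        # and flag that the default charset did not apply.
        text, charset_ok = rest.decode("latin-1"), False
    version = None
    vm = _VERSION_RE.match(text)
    if vm:                             # legacy bodies start with a month name, not a digit
        version = int(vm.group(1))
        text = text[vm.end():]
    return SyslogMessage(pri, pri // 8, pri % 8, version, text, charset_ok)


def label(msg: SyslogMessage) -> str:
    """'facility.severity' in the familiar syslog.conf spelling."""
    return f"{FACILITIES[msg.facility]}.{SEVERITIES[msg.severity]}"


# Constructed sample inputs (not captured from any real system).
SAMPLES = [
    b"<34>Oct 11 22:14:15 host su: 'su root' failed",          # legacy, auth.crit
    b"<165>1 2006-03-21T10:00:00Z host app - ID1 - hello",     # versioned, local4.notice
    b"Oct 11 22:14:15 host app: no pri",                        # rejected: no <PRI>
    b"<999>out of range",                                       # rejected: PRI too large
    b"<13>caf\xe9",                                             # legacy, not UTF-8
]

if __name__ == "__main__":
    for raw in SAMPLES:
        msg = parse(raw)
        print(raw, "->", None if msg is None else (label(msg), msg.version, msg.charset_ok))
```

The leniency is deliberate: it mirrors what the tested receivers do, so a collector that wants to enforce more (a version, a known charset) has to add that on top of this check rather than expecting the wire format to supply it.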
syslog has traditionally been transported over UDP and this WG has
already defined RFC 3195 for the reliable transport for the syslog
messages. The WG will separate the UDP transport from the protocol so
that others may define additional transports in the future.
The threats that this WG will primarily address are modification,
disclosure, and masquerading. A secondary threat is message stream
modification. Threats that will not be addressed by this WG are DoS and
traffic analysis. The primary attacks may be thwarted by a secure
transport. However, it must be remembered that a great deal of the
success of syslog has been attributed to its ease of implementation and
relatively low maintenance level. The Working Group will consider those
factors, as well as current implementations, when deciding upon a
secure transport. The secondary threat of message stream modification
can be addressed by a mechanism that will verify the end-to-end
integrity and sequence of messages. The Working Group feels that these
aspects may be addressed by a dissociated signature upon sent messages.
- A document will be produced that describes a standardized syslog
protocol. A mechanism will also be defined in this document that will
provide a means to convey structured data.
- A document will be produced that describes a standardized UDP
transport for syslog.
- A document will be produced that requires a secure transport for the
delivery of syslog messages.
- A document will be produced to describe the MIB for syslog entities.
- A document will be produced that describes a standardized mechanism
to sign syslog messages to provide integrity checking and source
authentication.
We met at the 64th IETF in Vancouver, BC, Canada.
Our notes are here. It has pointers to presentations and minutes.
We met at the 59th IETF in Seoul, South Korea.
Our notes are here. It has pointers to presentations and minutes.
Our submitted information is here. Glenn Mansfield Keeni presented the Syslog MIB work. Marshall Rose took the minutes. Locally, my presentation is here and Glenn's is here.
We met at the 55th IETF. Our notes are here.
We met at the 49th IETF. The WG minutes are here. The presentations are also locally here:
The syslog WG has received a Liaison Letter from the Optical Internetworking Forum. The cover letter requests review and comments from this Working Group.
The syslog WG has received another Liaison Letter from the Optical Internetworking Forum.
Version -6 was returned by our AD for clarification. Version -7 is under review by the WG.
Title : TLS Transport Mapping for SYSLOG
Author(s) : F. Miao, M. Yuzhi
Filename : draft-ietf-syslog-transport-tls-07.txt
Pages : 11
Date : 2006-3-29
This document describes the security threats to Syslog and
countermeasures using the Transport Layer Security (TLS) protocol for
such threats. Different phases are defined for using TLS to secure
Syslog, such as initiation, sending data and closure phase.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-07.txt
We have started a new WG Last Call on this document. Please review it and send your comments.
Title : Signed syslog Messages
Author(s) : J. Kelsey, et al.
Filename : draft-ietf-syslog-sign-21.txt
Pages : 36
Date : 2007-3-15
This document describes a mechanism to add origin authentication,
message integrity, replay resistance, message sequencing, and
detection of missing messages to the transmitted syslog messages.
This specification draws upon the work defined in RFC xxxx, "The
syslog Protocol", however it may be used atop any message delivery
mechanism, even that defined in RFC 3164, "The BSD syslog Protocol",
or in the RAW mode of RFC 3195, "The Reliable Delivery of syslog".
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-21.txt
We are getting syslog-protocol in order before progressing with this.
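The dissociated-signature idea from the charter (a separate mechanism that verifies end-to-end integrity and sequence of messages) and the properties the signed-syslog draft abstract lists (origin authentication, integrity, replay resistance, sequencing, detection of missing messages), as one added example that is not code from the working group or the draft. Messages go out unchanged; a separate signature-block message carries the sequence range and the hash of each message it covers, and an authenticator over the block. HMAC-SHA256 with a pre-shared key stands in for the public-key signature the draft uses, and the JSON block layout, the field names and the sample messages are assumptions made for this example.

```python
"""Detached ("dissociated") signature blocks for a stream of syslog messages.

Added example, not code from the working group or the syslog-sign draft.
HMAC-SHA256 stands in for a public-key signature; the block layout is assumed.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List


def digest(msg: bytes) -> str:
    """Hex SHA-256 of a message exactly as it appears on the wire."""
    return hashlib.sha256(msg).hexdigest()


class Signer:
    """Sender side: numbers messages and emits a signature block on demand."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.next_seq = 1             # sequence number of the next message sent
        self.first_pending = 1        # sequence number of the first uncovered message
        self.pending: List[str] = []  # digests not yet covered by a block

    def send(self, msg: bytes) -> bytes:
        self.pending.append(digest(msg))
        self.next_seq += 1
        return msg                    # the wire message itself is untouched

    def signature_block(self) -> bytes:
        payload = json.dumps({"first": self.first_pending, "hashes": self.pending},
                             sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        self.first_pending, self.pending = self.next_seq, []
        return payload + b"|" + mac


class Verifier:
    """Receiver side: keeps arrivals and reconciles them against each block."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.arrivals: List[bytes] = []
        self.expected_first = 1       # first sequence number the next block should cover

    def receive(self, msg: bytes) -> None:
        self.arrivals.append(msg)

    def check_block(self, block: bytes) -> Dict[str, Any]:
        payload, _, mac = block.rpartition(b"|")
        want = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(want, mac):
            return {"authentic": False}           # forged or altered block: trust nothing in it
        info = json.loads(payload)
        positions: Dict[str, List[int]] = {}      # digest -> arrival positions
        for pos, m in enumerate(self.arrivals):
            positions.setdefault(digest(m), []).append(pos)
        report: Dict[str, Any] = {
            "authentic": True, "verified": [], "missing_or_modified": [],
            "replayed": [], "out_of_order": [],
            # A block that does not start where the last one ended means a block was lost.
            "lost_blocks": info["first"] != self.expected_first,
        }
        last_pos = -1
        for offset, h in enumerate(info["hashes"]):
            seq = info["first"] + offset
            hits = positions.get(h, [])
            if not hits:                          # never arrived, or arrived altered
                report["missing_or_modified"].append(seq)
                continue
            report["verified"].append(seq)
            if len(hits) > 1:                     # identical bytes delivered more than once
                report["replayed"].append(seq)
            if hits[0] < last_pos:                # arrived before a lower-numbered message
                report["out_of_order"].append(seq)
            last_pos = max(last_pos, hits[0])
        self.expected_first = info["first"] + len(info["hashes"])
        return report


def demo() -> Dict[str, Any]:
    """Constructed scenario: four messages delivered reordered, one altered, one replayed."""
    key = b"example-pre-shared-key"              # constructed key for the example only
    signer, verifier = Signer(key), Verifier(key)
    msgs = [signer.send(b"<34>Mar 21 10:00:0%d host sshd: login %d" % (i, i))
            for i in range(1, 5)]
    block = signer.signature_block()
    # What the network actually delivered, in order:
    for wire in (msgs[2], msgs[0], msgs[1].replace(b"login 2", b"login 9"), msgs[3], msgs[3]):
        verifier.receive(wire)
    return verifier.check_block(block)


if __name__ == "__main__":
    print(demo())
```

A modified message and a lost one look the same to the receiver (the covered hash never arrives), so the report names them together; what the block does guarantee is that every message it marks verified is byte-identical to what the sender emitted and sits at the sequence position the sender gave it.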
We have a draft submitted for an SNMP MIB for syslog. The authors have been waiting for the syslog-protocol ID to settle down. The authors are also waiting for syslog-protocol and syslog-transport-udp to settle down.
Title : Syslog Management Information Base
Author(s) : Glenn Mansfield Keeni
Filename : draft-ietf-syslog-device-mib-15.txt
Pages : 47
Date : 2007-3-4
This memo defines a portion of the Management Information Base (MIB),
the Syslog MIB, for use with network management protocols
in the Internet community. In particular, the Syslog MIB will be
used to monitor and control syslog devices.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-15.txt
The base syslog protocol document has been submitted to the IESG for publication.
Title : The syslog Protocol
Author(s) : R. Gerhards
Filename : draft-ietf-syslog-protocol-19.txt
Pages : 47
Date : 2006-11-29
This document describes the syslog protocol. The syslog protocol has
been used throughout the years to convey event notifications. This
document describes a layered architecture for an easily extensible
syslog protocol. It also describes the basic message format and
structured elements used to provide meta-information about the
message.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-protocol-19.txt
This document has been submitted to the IESG for publication.
Title : Transmission of syslog messages over UDP
Author(s) : A. Okmianski
Filename : draft-ietf-syslog-transport-udp-09.txt
Pages : 10
Date : 2007-3-9
This document describes the transport for syslog messages over UDP/
IPv4 or UDP/IPv6. While several transport mappings are envisioned
for the syslog protocol, syslog protocol implementors are required to
support the transport mapping described in this document. This
transport specification overcomes limitations of UDP/IP datagram size
by introducing support for fragmentation of large messages.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-udp-09.txt
RFC 3195
Title: Reliable Delivery for syslog
Author(s): D. New, M. Rose
Status: Standards Track
Date: November 2001
Mailbox: dnew@san.rr.com, mrose@dbc.mtview.ca.us
Pages: 30
Characters: 60960
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-syslog-reliable-12.txt
URL: ftp://ftp.rfc-editor.org/in-notes/rfc3195.txt
The BSD Syslog Protocol describes a number of service options related
to propagating event messages. This memo describes two mappings of
the syslog protocol to TCP connections, both useful for reliable
delivery of event messages. The first provides a trivial mapping
maximizing backward compatibility. The second provides a more
complete mapping. Both provide a degree of robustness and security
in message delivery that is unavailable to the usual UDP-based syslog
protocol, by providing encryption and authentication over a
connection-oriented protocol.
This document will be revised after we finalize syslog-protocol.
RFC 3164
Title: The BSD syslog Protocol
Author(s): C. Lonvick
Status: Informational
Date: August 2001
Mailbox: clonvick@cisco.com
Pages: 29
Characters: 72951
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-syslog-syslog-12.txt
URL: ftp://ftp.rfc-editor.org/in-notes/rfc3164.txt
This document describes the observed behavior of the syslog
protocol. This protocol has been used for the transmission of
event notification messages across networks for many years. While
this protocol was originally developed on the University of
California Berkeley Software Distribution (BSD) TCP/IP system
implementations, its value to operations and management has led
it to be ported to many other operating systems as well as being
embedded into many other networked devices.
This document is a product of the Security Issues in Network Event
Logging Working Group of the IETF.
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.