This is Update A of our issues.
Updated 12 Sept. 2003
http://www.employees.org/~lonvick/issues-a.txt

--vv----previously----vv--

Hi Folks,

We've had some issues raised in the past few weeks about syslog-sign-12. I believe that I've cataloged them here:

http://www.employees.org/~lonvick/issues.txt

but please send a note to the mailing list if I've missed any, or if there are any additional ones. Let's get some consensus on these so that John and Jon may update the ID and we can move it along. :-)

I've moved the syslog-sign ID into html via the xml2rfc program.

http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html

and I'm going to put each of these issues into a separate email - with appropriate Subject line. Please respond to these emails with your thoughts.

Thanks,
Chris

=======================================================================

Issue 1: Examples
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#Examples

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01221.html

Albert has an example available. I'll suggest that we resolve each of the other issues and then make sure that the example given is consistent with the consensus of the group at that time.

STATUS: To be resolved after the other issues.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 2: TAG Field Definition
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#HEADER

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01224.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01234.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01222.html

Rainer has proposed the following text:

"""
The TAG is a string of visible (printing) characters excluding SP, that MUST NOT exceed 32 characters in length. The first occurrence of a colon (":") or SP " " character terminates the TAG field. Generally, the TAG contains the name of the process that generated the message. It may OPTIONALLY contain additional information such as the numerical process ID of that process bound within square brackets ("[" and "]"). A colon MUST be the last character in this field. To be consistent with the format described in RFC 3164, a space character need not follow the colon in normal syslog packets.
"""

However, anyone trying to convey information of "Myproc[PID,Threadid]:" may have a problem with something like

syslog[12345,C:\usr\sbin\cron]:

Albert suggests just having "syslog" in the cert/sig-block messages but that seems to be inconsistent with the possible formats of the normal syslog messages.

Can anyone offer a suggestion to resolve this?

STATUS: Proposals have been received and are being considered.

From the Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01269.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01270.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 3: IANA Considerations for undefined PRI values
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#iana

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01213.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01218.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01220.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01226.html

The consensus appears to be to have a new part in the "IANA Considerations" of syslog-sign stating the Facilities not defined are open to future use by the consensus process (RFC 2434 page 6). The current set of Facilities and Severities are listed by IANA here:

http://www.iana.org/assignments/syslog-parameters

Any disagreement to that?

STATUS: Resolved (no disagreement).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 4: Index into Payload in Cert Block
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#index

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01228.html

Should the value of "0" or "1" be used as the lowest available value? Albert suggests "0".

Any disagreement to that?

STATUS: Resolved (no disagreement).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 5: First Message Number
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#firstmsg

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01228.html

Similar to Issue 4, should the value of "0" or "1" be used as the lowest available value? Albert again suggests "0".

Any disagreement to that?

STATUS: No direct responses to this issue but Anton Okmianski suggests using "1" as the start for ordinal values.

From the Archive (see point 4)
http://www.mail-archive.com/syslog-sec%40employees.org/msg01265.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 6: Fragment Length
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#fraglen

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01229.html

Albert suggests changing the value from "1-4 characters" to "1-3" since the payload of a syslog Certificate Block will be less than 999 characters, taking out the length of the PRI, TIMESTAMP and HOSTNAME.

Anyone have any problems with this?
STATUS: Deferred until we resolve Issue 8

From the Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01246.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 7: TPBL Length
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#tpbl

From Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01232.html

The Total Payload Block Length parameter is currently defined as "8 characters" but perhaps that should be "1-8 characters" which is consistent with other fields.

Comments?

STATUS: Resolved as "1-8 characters"

From the Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01247.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Issue 8: Length of syslog messages
http://www.employees.org/~lonvick/draft-ietf-syslog-sign-12.html#format

From the Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01118.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01119.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01120.html

It's defined as 1024 in several places. Mike McFaden offers a good suggestion in the 3rd pointer above:

   I prefer that the minimum size a conformant implementation must support be defined. SNMP over UDP specifies a minimum message size of 484. If one wants to support a larger msg size, just configure for it. The same goes for switches these days too. Otherwise why not just recommend a transport that has path mtu discovery in cases where syslog msg length > 1024.

Any comments or other suggestions?

STATUS: Resolved that
1) senders should try to keep packets within the 1024 octet limit. (Address this in the Security Considerations section?)
2) receivers shouldn't panic if they are given a packet greater than 1024 octets. (Again, address this in the Security Considerations section?)
3) Very long messages may be separated into multiple syslog packets and it would be nice if they were numbered so they could be reassembled without having to look at the timestamp. That will not be addressed in syslog-sign but Rainer will take a look at it for inclusion in syslog-international or a subsequent document.

From the Archive:
http://www.mail-archive.com/syslog-sec%40employees.org/msg01249.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01252.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01253.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01254.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01255.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01256.html
http://www.mail-archive.com/syslog-sec%40employees.org/msg01257.html

=======================================================================
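The following is an added example, not code from the original post, from the syslog-sign draft, or from any list member. It is a small receiver-side parser that applies Rainer's proposed TAG rule from Issue 2 (visible characters, no SP, at most 32 characters, terminated by the first ":" or SP) and the Issue 8 resolution that receivers should not fail on packets longer than 1024 octets. It shows concretely why a TAG like syslog[12345,C:\usr\sbin\cron]: is a problem under that rule: the first colon, inside the brackets, ends the TAG early, which the parser reports as an unbalanced bracket. The PRI, TIMESTAMP and HOSTNAME layout follows RFC 3164; the warning names, the ParsedMessage fields and all sample packets are assumptions constructed for this example.

```python
"""Receiver-side syslog HEADER/TAG parser illustrating Issues 2 and 8.
Added example; not code from the original post or from the syslog-sign draft.
PRI, TIMESTAMP and HOSTNAME layout follows RFC 3164; the TAG rule is the
proposed text quoted under Issue 2; oversize handling follows the Issue 8
resolution. All sample packets below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_TAG_LEN = 32                # "MUST NOT exceed 32 characters" (proposed text)
RECOMMENDED_MAX_OCTETS = 1024   # Issue 8: senders try to stay within this

# "<PRI>" then RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss") and HOSTNAME, SP-separated
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
)


@dataclass
class ParsedMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    tag: str
    content: str
    octets: int
    oversize: bool                      # longer than the 1024-octet guideline
    warnings: List[str] = field(default_factory=list)


def parse_tag(s: str) -> Tuple[str, str, List[str]]:
    """Apply the proposed TAG rule: the first ':' or SP ends the TAG.
    Returns (tag, rest, warnings). A '[' without its ']' inside the TAG means
    the rule cut a bracketed suffix short, e.g. at the 'C:' in
    syslog[12345,C:\\usr\\sbin\\cron]: (the problem raised in Issue 2)."""
    warnings = []
    end = next((i for i, ch in enumerate(s) if ch in ": "), len(s))
    tag = s[:end]
    terminator = s[end] if end < len(s) else ""
    if terminator != ":":               # "A colon MUST be the last character"
        warnings.append("tag-not-colon-terminated")
    if len(tag) > MAX_TAG_LEN:
        warnings.append("tag-too-long")
    if any(not (33 <= ord(ch) <= 126) for ch in tag):
        warnings.append("tag-non-printing-char")
    if tag.count("[") != tag.count("]"):
        warnings.append("tag-bracket-unbalanced")
    rest = s[end + 1:] if terminator else ""
    if terminator == ":" and rest.startswith(" "):   # optional SP after the colon
        rest = rest[1:]
    return tag, rest, warnings


def parse_message(packet: bytes) -> ParsedMessage:
    """Parse one syslog packet. Oversize packets are flagged, never rejected."""
    octets = len(packet)
    # Decode leniently: a receiver should not fail on unexpected bytes
    text = packet.decode("ascii", errors="replace")
    m = _HEADER_RE.match(text)
    if m is None:
        raise ValueError("not a well-formed syslog HEADER")
    pri = int(m.group("pri"))
    if pri > 191:                       # 24 facilities x 8 severities
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    tag, content, warnings = parse_tag(text[m.end():])
    return ParsedMessage(facility, severity, m.group("ts"), m.group("host"),
                         tag, content, octets,
                         octets > RECOMMENDED_MAX_OCTETS, warnings)


# Constructed sample packets (not taken from the original post)
GOOD = b"<34>Sep 12 14:03:07 host1 sshd[4242]: Accepted publickey for alice"
AMBIGUOUS = b"<34>Sep 12 14:03:07 host1 syslog[12345,C:\\usr\\sbin\\cron]: job started"
OVERSIZE = b"<13>Sep 12 14:03:07 host1 app: " + b"x" * 1100

if __name__ == "__main__":
    for pkt in (GOOD, AMBIGUOUS, OVERSIZE):
        p = parse_message(pkt)
        print(f"tag={p.tag!r} octets={p.octets} oversize={p.oversize} "
              f"warnings={p.warnings}")
```

Running it shows the second packet parsed with TAG "syslog[12345,C" and a bracket warning, which is exactly the ambiguity Issue 2 is about, while the 1131-octet packet is accepted and merely flagged as oversize rather than dropped.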