[logs] FW: [Syslog] WG Review: Recharter of Security Issues in Network Event Logging (syslog)

From: Rainer Gerhards (rgerhards@private)
Date: Thu Mar 09 2006 - 22:56:41 PST


Hi all,

I am forwarding a syslog-related message from the IETF to this group. I
am doing so because I assume there is some interest in the evolution of
syslog. Please note that you can comment to the IESG (IETF) if you have
an opinion on the topic. For details, please see below.

Best regards,
Rainer 

> -----Original Message-----
> From: IESG Secretary [mailto:iesg-secretary@private] 
> Sent: Friday, March 10, 2006 12:58 AM
> To: IETF Announcement list
> Cc: syslog@private
> Subject: [Syslog] WG Review: Recharter of Security Issues in 
> Network Event Logging (syslog) 
> 
> A modified charter has been submitted for the Security Issues 
> in Network Event
> Logging (syslog)working group in the Security Area of the IETF.  
> The IESG has not made any determination as yet. The modified 
> charter is provided
> below for informational purposes only. Please send your 
> comments to the IESG
> mailing list (iesg@private) by March 15th.
> 
> The IESG solicits feedback from those considering 
> implementing or deploying
> syslog on the following charter. In particular, the concern 
> has been raised that
> insufficient vendors will implement a new syslog protocol and 
> insufficient
> operators will deploy it. The IESG requests those who support 
> this effort to
> explicitly indicate their support.
> If significant community support is not indicated, this work 
> will not be
> chartered.
> 
> +++
> 
> Security Issues in Network Event Logging (syslog) 
> ====================================
> 
> Current Status: Active Working Group
> 
> Chair(s):
> Chris Lonvick <clonvick@private>
> 
> Security Area Director(s):
> Russ Housley <housley@private>
> Sam Hartman <hartmans-ietf@private>
> 
> Security Area Advisor:
> Sam Hartman <hartmans-ietf@private>
> 
> Mailing Lists:
> 
> General Discussion: syslog@private
> To Subscribe: syslog-request@private
> In Body: in body: (un)subscribe
> Archive: ftp://ftp.ietf.org/ietf-mail-archive/syslog/
> 
> Description of Working Group:
> 
> Syslog is a de-facto standard for logging system events. 
> However, the protocol
> component of this event logging system has not been formally 
> documented. While
> the protocol has been very useful and scalable, it has some 
> known security
> problems which were documented in the INFORMATIONAL RFC 3164.
> 
> The goal of this working group is to address the security and 
> integrity
> problems, and to standardize the syslog protocol, transport, 
> and a select set of
> mechanisms in a manner that considers the ease of migration 
> between and the
> co-existence of existing versions and the standard.
> 
> Reviews have shown that there are very few similarities 
> between the message
> formats generated by heterogeneous systems. In fact, the only 
> consistent
> commonality between messages is that all of them contain the 
> <PRI> at the start.
> Additional testing has shown that as long as the <PRI> is 
> present in a syslog
> message, all tested receivers will accept any generated 
> message as a valid
> syslog message. In designing a standard syslog message 
> format, this Working
> Group will retain the <PRI> at the start of the message and 
> will introduce
> protocol versioning. Along these same lines, many different 
> charsets have been
> used in syslog messages observed in the wild but no 
> indication of the charset
> has been given in any message. The Working Group also feels 
> that multiple
> charsets will not be beneficial to the community; much code 
> would be needed to
> distinguish and interpret different charsets.
> For compatibility with existing implementations, the Working 
> Group will allow
> that messages may still be sent that do not indicate the charset used.
> However, the Working Group will recommend that messages 
> contain a way to
> identify the charset used for the message, and will also 
> recommend a single
> default charset.
> 
> syslog has traditionally been transported over UDP and this 
> WG has already
> defined RFC 3195 for the reliable transport for the syslog 
> messages. The WG will
> separate the UDP transport from the protocol so that others may define
> additional transports in the future.
> 
> The threats that this WG will primarily address are 
> modification, disclosure,
> and masquerading. A secondary threat is message stream 
> modification. Threats
> that will not be addressed by this WG are DoS and traffic 
> analysis. The primary
> attacks may be thwarted by a secure transport. However, it 
> must be remembered
> that a great deal of the success of syslog has been 
> attributed to its ease of
> implementation and relatively low maintenance level. The 
> Working Group will
> consider those factors, as well as current implementations, 
> when deciding upon a
> secure transport. The secondary threat of message stream 
> modification can be
> addressed by a mechanism that will verify the end-to-end 
> integrity and sequence
> of messages. The Working Group feels that these aspects may 
> be addressed by a
> dissociated signature upon sent messages.
> 
> - A document will be produced that describes a standardized 
> syslog protocol.
> A mechanism will also be defined in this document that will 
> provide a means to
> convey structured data.
> 
> - A document will be produced that describes a standardized 
> UDP transport for
> syslog.
> 
> - A document will be produced that requires a secure 
> transport for the delivery
> of syslog messages.
> 
> - A document will be produced to describe the MIB for syslog entities.
> 
> - A document will be produced that describes a standardized 
> mechanism to sign
> syslog messages to provide integrity checking and source 
> authentication.
> 
> 
> Milestones:
> 
> Nov 2006 Submit Syslog Protocol to the IESG for consideration 
> as a PROPOSED
> STANDARD.
> Nov 2006 Submit Syslog UDP Transport Mapping to the IESG for 
> consideration as a
> PROPOSED STANDARD.
> Nov 2006 Submit Syslog TLS Transport Mapping to the IESG for 
> consideration as a
> PROPOSED STANDARD.
> Nov 2006 Submit Syslog Device MIB to IESG for consideration 
> as a PROPOSED
> STANDARD.
> Nov 2006 Submit a document that defines a message signing and 
> ordering mechanism
> to the IESG for consideration as a PROPOSED STANDARD
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Syslog mailing list
> Syslog@private
> https://www1.ietf.org/mailman/listinfo/syslog
> 
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Fri Mar 10 2006 - 11:52:38 PST