Re: [Syslog] TCP and SSH Discussion

2005-10-23 Thread Chris Lonvick

Hi Darren,

On Sat, 22 Oct 2005, Darren Reed wrote:


Hi Darren,

It's not syslog/udp/ssh nor syslog/tcp/ssh, it's going to be
syslog/ssh/tcp/ip.  syslog will be a defined subsystem for SSH much like
sftp and netconf.


Oh! Hmmm.

Do you have any links to critiques about sftp ?


The secsh wg mailing list.  ;) 
ftp://ftp.ietf.org/ietf-mail-archive/secsh/




I've spoken to at least one person recently (but I can't recall *who*)
that wasn't too impressed with sftp, so I'm curious if there is anything
substantial that discusses its drawbacks and what lessons (if any) need
to be learnt from it.


Joseph Galbraith has offered to have a bar-bof to discuss sftp.

Thanks,
Chris

___
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog


RE: [Syslog] TCP and SSH Discussion - where are we heading to?

2005-10-23 Thread Chris Lonvick

Hi Rainer,

On Fri, 21 Oct 2005, Rainer Gerhards wrote:


Chris,


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Lonvick



Are you volunteering to write?  :)


I think we are not yet in a position we have something to write. I know
that you probably did not mean to start anything right now, but let me
use this message as a tool to voice my concerns.

Over the past months (years), we've done some good work in evolving
syslog. However, RFC 3195 is having a very hard time among implementors
and our last efforts on protocol have received very limited feedback
from the operator/end user camp. On the other hand, I know that there
*is* vital interest in syslog. It's easy to judge this by the interest
new implementations receive from the user base and also by the number of
deployments of syslog tools. Obviously, end-users tend to be interested
more in the actual software tools than in protocols.

But the low implementor participation and end-user adoption rate is
raising a very important question to me: are we still heading into the
right direction? What does it help if we create better and better
standards (assumed they are, which is obviously arguable) but nobody
cares? In practice, mostly non-official-standard solutions are being
asked for, developed and deployed. For example, I will begin to
implement plain tcp syslog with ssl encryption shortly. Not because it
is so secure or reliable - simply because there is so much demand for
it. Current approaches typically use plain tcp syslog together with
stunnel (which, by the way, is a valid solution for many needs).

Maybe it is just me feeling some asynchronicity between what the field
is asking for and what we are doing.

If so, I would suggest that we try to obtain some broader feedback from
operators and implementors before going any further with new standards.
If there is a sufficiently large group of operators (maybe just in
terms of purchasing power) asking for some new protocol (or protocol
versions), we can probably make the implementors implement them.
Currently, I honestly feel it very hard to provide business reasoning
for creating something new...



Very good points.  I've gotten a few separate emails asking if this is the 
right direction.  I'll raise this discussion in a new thread on the 
mailing list.


Thanks,
Chris



Re: [Syslog] TCP and SSH Discussion - where are we heading to?

2005-10-22 Thread Robert Malmgren
Darren Reed wrote:
 ..


[snip]

 I think there has been too little feedback to this group and research done
 by this group about how syslog is evolving out there.

 If someone is deploying a syslog using TCP solution, what are they likely
 to do?  My bet is pick one software bundle and use it everywhere they can.
 For the most part, this is going to be of most significance to Linux people.
 If you're using AIX, HP-UX or Solaris, chances are you don't have the
 freedom to upgrade/replace syslogd so you're stuck using UDP.
 If you're using various pieces of network equipment, I'm willing to bet
 people use syslog/udp because that is what everyone does and understands,
 removing problem of interoperable syslog/tcp implementations.


In general, I think that you're right.

 If you were a commercial Un*x vendor, what would it take you to want to
 spend $$ on replacing your in-house syslogd?


Customer pressure?

A couple of ways of creating this customer pressure could be
* Writing some best practise documents on the topic.
* Writing an attack tree description on the different versions of the
  syslog protocols.

Tina Bird's material,
http://www.seclib.com/seclib/ids.general/syslog-attack-sigs.pdf, could
be a good starting point for a best practise material?

Another thing I think we must have in mind is the possibility that the
market for network logging might become proprietary, since it is
rumored that Microsoft is cooking some solution for enterprise logging.

 Darren


--Robert



RE: [Syslog] TCP and SSH Discussion

2005-10-21 Thread David B Harrington
Hi Chris,

Do you think callhome should be done in the SecSH WG, or should it
be done as part of the syslog WG transport mapping? 

It seems to me it is a type of SSH transport negotiation, not part of
syslog or snmp or netconf (although they might be affected by a
reversed asymmetry of authentication). 

David Harrington
[EMAIL PROTECTED]

 -Original Message-
 From: Chris Lonvick [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 21, 2005 8:48 AM
 To: David B Harrington
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Syslog] TCP and SSH Discussion
 
 Hi David,
 
 I'd also recommend that people look at the current thoughts on call home.
 
 http://www.ietf.org/internet-drafts/draft-lear-callhome-description-03.txt
 
 Thanks,
 Chris
 
 On Thu, 20 Oct 2005, David B Harrington wrote:
 
  Hi,
 
  For a discussion of syslog over SSH, I recommend people read the
  documents for other IETF network management protocols that plan to run
  over SSH:
 
  http://www.ietf.org/internet-drafts/draft-ietf-netconf-ssh-05.txt and
  http://www.ietf.org/internet-drafts/draft-ietf-isms-secshell-00.txt
 
  http://www.ietf.org/internet-drafts/draft-ietf-isms-tmsm-00.txt also
  deals with some issues related to moving a management protocol from
  UDP to TCP and sessions (but mostly is about backwards compatibility
  with the SNMPv3 architecture and access control).
 
  David Harrington
  [EMAIL PROTECTED]
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lonvick
  Sent: Thursday, October 20, 2005 9:51 AM
  To: [EMAIL PROTECTED]
  Subject: [Syslog] TCP and SSH Discussion
 
  Hi,
 
  Our charter says:
 
  At a minimum this group will address providing authenticity, integrity
  and confidentiality of Syslog messages as they traverse the network.
 
  If the WG feels that an SSH transport will accomplish this goal, and it
  will be used, then I'm open to having that discussion.  I don't feel that
  documenting current tcp transports works towards that goal.  I've heard a
  few voices say that they would support an SSH transport on the mailing
  list.  Does anyone object or have a differing view?  (We will have this as
  a topic in Vancouver as well.)  If we agree to move forward with this then
  we will need someone to write the document.  Volunteers?
 
  We do have BEEP as a transport and I've received some email from a few
  people saying that they are using both the RAW and COOKED modes.  Can I
  get someone who has implemented it to update RFC 3195?
 
  Thanks,
  Chris
 