> John, > > the issue is the simplex nature of syslog. With syslog (other than with > almost all other protocols), you send a message and need to *hope* that > the recipient can receive it. There is also no negotiation phase. So you > need to send it blindly.
What you're failing to grasp here is that syslog-protocol, by itself, does not define how it is to be used. All it is doing is defining a message format. With a layered approach to defining syslog we need to split out documentation that is specific to an implementation (such as the maximum message size) from the definition of the protocol messages themselves. In your charter you have a "syslog-protocol over UDP". So any talk in syslog-protocol about maximum message size is going to be redundant for UDP. Using syslog-protocol over TCP is not yet on the radar so anyone making assumptions about maximum size is doing so at their own risk. If they choose 4K or 8K or 1K as the maximum size, that's up to them. If you really want to get back to basics, I'd not accept any maximum message size that was bigger than 490 bytes (576-14-64-8) as this is the largest frame size that IPv4 is *required* to reassemble. Either you remove the maximum message size from syslog-protocol or drop it to 490 but leave it open to refining by transport definitions. Yes, I'm well aware of 490 being "too small" for some practical purposes but you're not thinking clearly if you want any sort of maximum size in syslog-protocol and this needs to be reinforced. Darren _______________________________________________ Syslog mailing list Syslog@lists.ietf.org https://www1.ietf.org/mailman/listinfo/syslog