[EMAIL PROTECTED] wrote:
> Which is why I suggested propagating the originator's timestamp in the log
> message. This solves the problem without exceeding our scope. Whether you
> want to include intermediate hop timestamps as well is a topic for discussion.
>
> Cross-machine time synchronization is NTP's job, not ours.

IMO, it's very important to include intermediate-hop (or at least final destination)
timestamps because it's very important to be able to serialize events (this took
place before/after this), even if the events were generated on different machines
and you can't rely on NTP for this. Why?
* NTP is not part of the logging system and not everyone will set it up
correctly. You can argue that they should, but why design a system that relies
on it when you don't have to?
* It's hard enough getting trustworthy logs out of a system that's under attack.
The assumption that the NTP itself isn't under attack seems like a bad one
(it's pretty easy to inject forged NTP packets on the wire, etc.).
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
[EMAIL PROTECTED]
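
An added example, not part of the original message or of any syslog implementation: a minimal model of the serialization argument above, where each hop appends its own receive time and never rewrites the originator's timestamp. The record layout, function names and sample values are assumptions made for illustration, and ordering by the final hop assumes a single collector clock with small network delay.

```python
from dataclasses import dataclass, field

@dataclass
class LogRecord:
    host: str
    msg: str
    origin_ts: float                             # stamped by the originator's own clock
    hop_ts: list = field(default_factory=list)   # (hop name, receive time) per hop

def relay(record, hop_name, hop_clock):
    """A relay or collector appends its receive time; origin_ts is left untouched."""
    record.hop_ts.append((hop_name, hop_clock))
    return record

def order_by_origin(records):
    """Serialize events using only the originators' clocks."""
    return [r.msg for r in sorted(records, key=lambda r: r.origin_ts)]

def order_by_final_hop(records):
    """Serialize events using the final destination's single clock."""
    return [r.msg for r in sorted(records, key=lambda r: r.hop_ts[-1][1])]

def suspect_clocks(records, max_skew=5.0):
    """Hosts whose origin timestamp disagrees with the first hop's receive time."""
    return sorted({r.host for r in records
                   if abs(r.hop_ts[0][1] - r.origin_ts) > max_skew})

def build_sample():
    # Constructed sample: the true order is the login on web1, then su on db1.
    # db1's clock runs 300 s slow (misconfigured or tampered with).
    a = LogRecord("web1", "login accepted", origin_ts=1000.0)
    b = LogRecord("db1", "su to root", origin_ts=1002.0 - 300.0)
    relay(a, "collector", 1000.2)
    relay(b, "collector", 1002.3)
    return [a, b]

if __name__ == "__main__":
    recs = build_sample()
    print("by origin clock:   ", order_by_origin(recs))
    print("by collector clock:", order_by_final_hop(recs))
    print("suspect clocks:    ", suspect_clocks(recs))
```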