Darren, Chris --
I haven't received any other requests to speak during the BOF session,
and I must provide the IETF an agenda today. It looks like it will be
up to us to cover the material as well as manage discussion. We have
only an hour. The agenda as I've described it is probably too
detailed -- I think it would be easier to simply describe the problem
and current proposals and then open for discussion:
0. Introductions and background (0 min!)
1. Existing syslog: security and other problems, history (5 min)
2. Security threat model - Schneier & Kelsey paper (10 min)
3. BCP for use of existing syslog: net config, log server resources,
   chained MAC in message text (5 min)
4. Existing alternatives: custom/proprietary solutions, nsyslog,
   ssyslog, syslog2, ... (10 min)
5. Proposed alternatives:
   (5 min) ULM (draft-abela-ulm-05.txt) log record format (log
   file format)
   (5 min) XML network encoding of ULM data with digital
   signatures (ref. xmldsig)
   (5 min) alternative encoding, e.g. RADIUS-style TLV
6. Discussion (15 min)
Total: 60 min
Darren -- you've agreed to present the Schneier/Kelsey work as well as
his implementation of nsyslog; could you also comment on the more
general security problem of authentication logging? I realize you've
spent most of your time working on the problem described by Schneier
and Kelsey, but it should be made clear that there are other perhaps
simpler scenarios that should be included in a threat model. This
would mean you would provide comments in sections 2 and 4 above.
Chris -- could you present a quick summary of UNIX syslog and its
problems, and briefly comment on your experience with the custom TCP
based syslog replacement? This would cover section 1 and add to
section 4.
I'm willing to cover section 3 and present the ULM work and Chris
Calabrese's proposal for XML transport encoding and authentication, as
well as the chained MACs I'm implementing and some other comments for
BCP recommendations on existing syslog.
I will probably try to cover my material with a brief outline without
a written text. Darren, you may have more detail to explain, and may
have a writeup, but please remember the limited time available. If
you would like, perhaps a full writeup could be posted on the Rutgers
web site.
I think the most important thing to work toward in the discussion
period is not a technical resolution of the direction to take
(e.g. haggling over XML vs TLV encoding of UML) but to decide if the
issue is worth forming a new WG, or lies within some other WG, or is
otherwise handled at IETF. Personally I don't think it's worth a WG,
but it's not clear to me where it should go; I hope to find out what is
going on that's related and help find a home for it. (We need to find
out the current status of the ULM draft, which will expire this month.)
I understand we will probably have only an overhead projector
available; I plan to make up simple overhead slides of the agenda
perhaps with outlines of material for each section, but I don't have
time to make fancy graphics. I think it would be simplest to have a
lot of blank transparency material and pens available for drawing if
there is a need to clarify with figures.
Let me know by email or voice whether this makes sense!
Thanks again --
Alex Brown <[EMAIL PROTECTED], [EMAIL PROTECTED]>
+1 617 504 8761