On Mon, 21 Aug 2000, Jon Callas wrote:
> (1) Syslog is unreliable. If you send a message, you don't know that it
> will get there. Furthermore, you don't know when it doesn't get there. You
> don't know that the server you're talking to is the right one.
Agreed. Just to feed this interesting discussion...
Authentication, secrecy and integrity verification have all been addressed in
the drafts for the new syslog.
However the mechanisms actually used do not ensure that a message is
delivered.
The chained authentication (based on MACs) of the stream of messages can
help by showing gaps in the stream itself. But the gaps are identified too
late to let someone notice in time that something is going wrong on a
remote host.
Authenticated acknowledgments of important messages can increase network
traffic too much and are also subject to interruption threats. Dropping
of acknowledgments will also cause retransmission, since the sender will
typically resend the message if it does not hear an acknowledgment soon
enough.
"The problem is that there is only a single path for
information transmission. If any point of the single
path is corrupted, transmission security is corrupted" [SITR]
As pointed out by Jun Li, Peter Reiher and Gerald Popek in "Securing
Information Transmission by Redundancy", in New Security Paradigms Workshop
1999 by ACM, adding redundancy to information transmission structures can
improve transmission resiliency (e.g. more than one path through the
network can be used to reach the destination/syslogd).
"If the redundant paths are completely disjoint, then
attackers must compromise multiple resources in the network
to prevent message delivery. [...omissis...] Even if the
paths are not fully disjoint, any non-shared portion of the
path limits an attacker's choice of the attack point. The
attacker must either find and compromise the right set of
non-shared elements".
There are many complex issues in deploying redundancy in large scale
networks like the Internet. However, in [SITR] and other bibliography
resources there are some interesting hints that can help us to find
convenient mechanisms.
Seemingly, reliable delivery will not be a completely solved issue in the new
syslog. But we can try to find a partial solution. Maybe a "SHOULD"
instead of a "MUST"...
alfonso
[SITR] "Securing Information Transmission by Redundancy", Jun Li, Peter
Reiher and Gerald Popek, in New Security Paradigms Workshop, ACM 1999
[S-BGP] Secure BGP Project (S-BGP)
[r-mcast] "A Reliable Multicast Framework for Lightweight Session and
Application Level Framing", S. Floyd, V. Jacobson, S. McCanne, C. G. Liu and
L. Zhang, in Proceedings of SIGCOMM '95, Boston, MA, Sept. 1995, ACM
[r-bcast] "Reliable Broadcast Protocols", J. M. Chang and N. F. Maxemchuk,
ACM Transactions on Computer Systems, August 1984