>Date: Tue, 31 Oct 2000 11:33:50 -0800
>From: Carson Gaspar
>Subject: Re: Note from John Kelsey --Was Re: syslog-sec-digest V1 #55


[I've reformatted the original message I'm responding to as
best I could; the digest showed up in my mailbox as
three very long lines. --JMK]

>On Friday, October 27, 2000 3:15 PM -0500 "Chris M. Lonvick"
>wrote:
>> Should they have one "global" counter on the box
>>and then "secondary" counters for each output? ..or should
>>they just have a counter associated with each output queue?

>Just one counter per output queue. I see no reason to tell
>third parties how many messages they aren't being sent, and
>many reasons not to. Besides, what purpose would a global
>counter serve? The only purpose for counters at all is
>sequencing, and why do you care about the sequence of things
>you're never sent?

I think the goal here is to be able to place messages that
were sent to different servers in sequence, during offline
analysis.  This might be really important, for example, if
the same event wound up causing messages to be sent to two
different servers, and you were trying to reconstruct the
precise sequence of events.  Why would we care whether an
attacker knew how many messages were sent to other systems?
I mean, how worried can we be about an attacker gaining this
kind of subtle information from eavesdropped syslog
messages, when we're sending the whole messages over the
network in the clear?

>Carson Gaspar

 --John Kelsey, Counterpane Internet Security, [EMAIL PROTECTED]
PGP Fingerprint: 5D91 6F57 2646 83F9  6D7F 9C87 886D 88AF
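
Added example, not part of the original message or of any syslog implementation: a sketch of the offline analysis discussed above, where a box-wide counter lets records held by two servers be interleaved in emission order while per-output-queue counters show what each server failed to receive. The field names `gseq` and `qseq` and the sample records are assumptions constructed for illustration.

```python
# Added illustration; field names (gseq, qseq) are assumptions, not from the thread.
from collections import namedtuple

Record = namedtuple("Record", "server gseq qseq text")

# Constructed sample: what two log servers received from one sending host.
# gseq = hypothetical box-wide counter, qseq = hypothetical per-output-queue counter.
SERVER_A = [
    Record("A", 1, 1, "login failed user=root"),
    Record("A", 3, 2, "login ok user=root"),
    Record("A", 7, 4, "config changed"),  # qseq 3 (gseq 5) never arrived at A
]
SERVER_B = [
    Record("B", 2, 1, "login failed user=root"),
    Record("B", 4, 2, "su to root"),
    Record("B", 6, 3, "audit daemon stopped"),
]

def merge_by_global(*logs):
    """Interleave records from several servers in the order the sender emitted them."""
    return sorted((r for log in logs for r in log), key=lambda r: r.gseq)

def queue_gaps(log):
    """Per-queue sequence numbers missing from one server's log (lost or removed)."""
    seen = {r.qseq for r in log}
    return [n for n in range(1, max(seen) + 1) if n not in seen]

def unattributed_global(*logs):
    """Global numbers held by no server. The global counter alone cannot say
    which output they were meant for; the per-queue gaps narrow that down."""
    seen = {r.gseq for log in logs for r in log}
    return [n for n in range(1, max(seen) + 1) if n not in seen]

if __name__ == "__main__":
    for r in merge_by_global(SERVER_A, SERVER_B):
        print(r.gseq, r.server, r.qseq, r.text)
    print("gaps on A:", queue_gaps(SERVER_A))
    print("gaps on B:", queue_gaps(SERVER_B))
    print("global numbers seen nowhere:", unattributed_global(SERVER_A, SERVER_B))
```

With only the per-queue counters, the two "login failed" records and the later events on A and B could not be ordered relative to each other without trusting timestamps.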
