Hi Anton, On Wed, 6 Jul 2005, Anton Okmianski (aokmians) wrote:
> Chris: > > Thanks for feedback. Attached is the latest draft for final review by the > group before I send it out officially. One follow up question below... > > > > Section 2 "One Message Per Datagram" contains: > > Each syslog UDP datagram MUST contain one and only one syslog > > message. The message MUST be formatted according to the RFC- > > protocol[2]. Additional data MUST NOT be present in the datagram > > payload. > > Doesn't this go against the rules of fragmentation where a > > single udp datagram may contain less than one syslog message? > > (I know what Anton is trying to say here but I don't think > > it's coming out exactly right.) > > I changed this to: > > "Each syslog UDP datagram MUST contain only one syslog message, which > can be complete or truncated. The message MUST be formatted and > truncated according to the RFC-protocol [2]. Additional data MUST > NOT be present in the datagram payload." > > Does this look ok? OK with me. Any other comments? > > > Also, there seems to be a problem with this. > > It seems to state that sending IPv4 hosts don't have to send > > accurate udp checksums but that recieveing IPv4 hosts must > > discard datagrams with inaccurate udp checksums. > > This is correct. I don't see a problem with that. There is a way to > distinguish accurate checksum from one that was not computed at all. > > > Use of UDP checksums was defined as optional in RFC 768[1]. > > and > > Syslog senders SHOULD use UDP checksums when sending > > messages over IPv4. > > but then > > Syslog receivers MUST check the checksums whenever they are present > > and discard messages with incorrect checksums. > > As stated in the last sentence, the receivers must only check the checksums > whenever they are present. So, if the checksum is 0, it indicates the sender > did not compute the checksum per UDP RFC. In this case, we do not require > the receiver to discard the message. But if checksums are there, the receiver > MUST validate them. > > > Can we get this addressed? (Probably the section should say > > that it is RECOMMENDED that both senders and receivers use > > the checksums. It's probably worth a comment in the Security > > Considerations section as well.) > > I could go for that, it you still think it is needed. Or could just clarify > the requirement further. However, I think given a requirement on Internet > hosts to support UDP checksums (if not always enabled), it is a good idea to > take advantage of that feature for syslog to ensure better robustness. What > do you think? Clarity here is good. A clear recommendation for better robustness is also a good thing. :) Thanks, Chris _______________________________________________ Syslog-sec mailing list [email protected] http://www.employees.org/mailman/listinfo/syslog-sec
