Hi Folks,
Pop the champagne corks. :-)
This frees up
draft-ietf-syslog-protocol
draft-ietf-syslog-transport-udp
so that all three can now become standards track RFCs. Our thanks to
Rainer and Anton for being patient with those documents while we worked
our way through -transport-tls.
We now have one more item to complete in our charter: syslog-sign. We've
gotten a list of review items back from Pasi, and Alex is now working on
addressing those. Please review and comment on this when he gets
proposals to the list.
Many thanks,
Chris
---------- Forwarded message ----------
Date: Wed, 8 Oct 2008 08:08:46 -0700 (PDT)
From: The IESG <[EMAIL PROTECTED]>
To: IETF-Announce <[EMAIL PROTECTED]>
Cc: Internet Architecture Board <[EMAIL PROTECTED]>,
RFC Editor <[EMAIL PROTECTED]>,
syslog mailing list <[email protected]>,
syslog chair <[EMAIL PROTECTED]>
Subject: Protocol Action: 'TLS Transport Mapping for Syslog' to
Proposed Standard
The IESG has approved the following document:
- 'TLS Transport Mapping for Syslog '
<draft-ietf-syslog-transport-tls-14.txt> as a Proposed Standard
This document is the product of the Security Issues in Network Event
Logging Working Group.
The IESG contact persons are Pasi Eronen and Tim Polk.
A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-14.txt
Technical Summary
This document describes the use of Transport Layer Security (TLS)
to provide a secure connection for the transport of syslog
messages. This document describes the security threats to Syslog
and how TLS can be used to counter such threats.
Working Group Summary
There was controversy around the IPR statement from Huawei from
this document. The Working Group examined the issue and came to
consensus that the statement would be accepted.
There was some controversy around the use of a special character to
denote the end of the payload, or a counter at the start of the
payload to indicate the length of the payload. The Working Group
has consent that a counter is the best mechanism.
There was also some controversy about the use of a dedicated port
for this initial version of syslog over TLS. The consensus was that
a dedicated port should be requested and that there should be no
indication of version. The consequence of this is that any future
change to the mapping of syslog over TLS, which is considered very
unlikely, might require a different port number. This lack of a
version number in the mapping of the application protocol to a
transport is consistent in how syslog is mapped to UDP, and is also
consistent with similar mappings of ISMS and netconf.
Support for certificate fingerprint matching was added to address
concerns from the ADs (Sam and Pasi) about deployability in small
environments without a PKI. Other alternatives for providing "good
enough" level of security without a PKI were discussed as well.
Document Quality
This protocol has very similar characteristics to implementations
of syslog over SSL that are available at this time. Members of the
Working Group have noted that it should be a very small change to
bring those implementations in line with this specification.
No vendors have announced that they will utilize this
protocol. Some vendors have indicated interest in supporting this
document. A group of university researchers have implemented this
protocol and found that it is practicable. Another member of the WG
has indicated that he is currently implementing the protocol as
well.
Personnel
Chris Lonvick is the Document Shepherd; Pasi Eronen is the
Responsible AD.
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
