Some additional thoughts:

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Joseph Salowey (jsalowey)
> Sent: Wednesday, October 14, 2009 11:24 PM
> To: [email protected]
> Subject: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
>
> I just posted a -00 version of the syslog DTLS draft
> (http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-00.txt). I
> tried to merge the two proposals together and keep consistent with the
> Syslog TLS draft. Below are some issues I have identified, I'm sure
> there are others.
>
> 1. Transport
>
> DTLS can run over several different transports, right now the draft
> requires UDP and recommends DCCP. I think these are the most well
> defined. The draft also forbids DTLS over TCP and favors TLS over TCP
> to keep things consistent. I left out SCTP, I'm not sure where SCTP
> over DTLS is in the process and there also is a TLS option for SCTP.

I think we should limit the scope to pure datagram services. Rest as in reply to Tom.

> 2. Port Number
>
> DTLS could use the same port as TLS, which seems simple. The
> difficulty could be that for some transports you could use either TLS
> or DTLS (SCTP for example). In theory you could tell the difference
> between TLS and DTLS by version number so maybe this isn't a problem.

The problem would be resolved if we disallow stream bindings - can we?

> 3. Initiation
>
> One of the drafts allowed either side to initiate. I did not include
> this. If we have a use case for it we could bring it back in.

I thought a bit more about this. I do not see any use case where a server-side open would be required.

> 4. Dead Peer Detection
>
> There has been a lot of discussion on DPD on the list. I don't have
> any specific remedy in the draft, just a warning that it could be a
> problem. It's likely that some work on this will happen in DTLS, but
> I'm not confident on the timeframe at this point.

I think the best solution is to simply include a warning and leave the rest to future DTLS work. Doesn't make sense to (re-)invent that wheel.

> 5. Message Size
>
> The text on message size could use some review.

Commented on that in reply to Tom as well.

I have one more comment on 5.1.2, especially "If reliability is required, then Syslog over TLS may be used". This comes with the connotation that Syslog over TLS is reliable. However, as no app-level ACKs are used, it is not totally reliable. RFC5425 contains such a note. I find it important to not create the impression that RFC5425 is a fully reliable protocol. All too often in practice I work with folks that try to build an audit-grade syslog system and, often late enough, then find out the hard way that some message loss cannot currently be prevented. This creates a lot of frustration and wastes many resources. We have not yet managed to create an audit-grade syslog transport other than RFC3195.

I, too, was an advocate for the simple model RFC5425 utilizes, and there were good reasons for doing so (all those that seemingly make RFC3195 so far a failure). When we are through with -sign and -dtls, we should probably look into rechartering for RFC3195bis and/or an extension to RFC5425 to provide the missing bits for reliability, but I think getting -sign and -dtls out of the door should have priority.

All in all, I really like the good work Joe has done! I think (and hope) we do not need too many revisions to create a version that can be published.

Rainer

> Cheers,
>
> Joe
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Wednesday, October 14, 2009 1:15 PM
> To: [email protected]
> Cc: [email protected]
> Subject: [Syslog] I-D Action:draft-ietf-syslog-dtls-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Security Issues in Network Event
> Logging Working Group of the IETF.
>
> Title : Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
> Author(s) : J. Salowey, et al.
> Filename : draft-ietf-syslog-dtls-00.txt
> Pages : 18
> Date : 2009-10-14
>
> This document describes the transport of syslog messages over DTLS
> (Datagram Transport Level Security). It provides a secure transport
> for syslog messages in cases where a connection-less transport is desired.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
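Joe's second point notes that a receiver could tell TLS and DTLS apart by the version number in the record header if both ever had to share a port. As an added example, not from the draft or from this thread, the following Python parses the leading record header and classifies it as TLS, DTLS or neither (so unprotected RFC 5424 text arriving on the secured port is also refused); the header layouts and version values are those of the TLS and DTLS RFCs, and the sample byte strings are constructed.

```python
import struct

# Wire-format constants of the TLS and DTLS record layers.  DTLS encodes its
# ProtocolVersion as the ones' complement of the TLS 1.x value, so the version
# field alone separates the two families even when they share a port.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_HEADER_LEN = 5    # type(1) version(2) length(2)
DTLS_HEADER_LEN = 13  # type(1) version(2) epoch(2) sequence_number(6) length(2)


def classify_record(buf: bytes) -> dict:
    """Parse the leading record header in buf and report which family wrote it.

    Returns {'family': 'TLS'|'DTLS'|'unknown', ...} with the decoded header
    fields; 'unknown' carries a 'reason' so the receiver can log why the
    data was refused.
    """
    if len(buf) < TLS_HEADER_LEN:
        return {"family": "unknown", "reason": "short read"}
    ctype, version = struct.unpack("!BH", buf[:3])
    if ctype not in CONTENT_TYPES:
        return {"family": "unknown", "reason": "bad content type"}
    if version in TLS_VERSIONS:
        (length,) = struct.unpack("!H", buf[3:5])
        return {"family": "TLS", "version": TLS_VERSIONS[version],
                "content_type": CONTENT_TYPES[ctype], "length": length}
    if version in DTLS_VERSIONS:
        if len(buf) < DTLS_HEADER_LEN:
            return {"family": "unknown", "reason": "short read"}
        epoch, seq_hi, seq_lo, length = struct.unpack("!HHIH", buf[3:13])
        return {"family": "DTLS", "version": DTLS_VERSIONS[version],
                "content_type": CONTENT_TYPES[ctype], "epoch": epoch,
                "sequence_number": (seq_hi << 32) | seq_lo, "length": length}
    return {"family": "unknown", "reason": "unrecognised version"}


# Constructed sample headers (not captured traffic): a TLS 1.0 handshake
# record, a DTLS 1.0 handshake record in epoch 0 with sequence number 1,
# and an unprotected RFC 5424 message that must be rejected.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
DTLS_SAMPLE = bytes([0x16, 0xFE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     0x00, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
PLAIN_SAMPLE = b"<34>1 2009-10-14T21:24:00Z host app - - - hello"

if __name__ == "__main__":
    for sample in (TLS_SAMPLE, DTLS_SAMPLE, PLAIN_SAMPLE):
        print(classify_record(sample))
```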
