I think that you are leaping too soon into implementation space. That is why the threat model is requested first. Off the top of my head here are some components of the threat model. I organize these in terms of "Asset, Threat, Mitigation". There are certainly more threats because I know I have left off all the environmental threats like fire, earthquake, backhoe, etc. There are probably more assets to consider. And each of these descriptions is very incomplete.
Asset: Secrecy of message contents
Threat: Network eavesdropping
Mitigation: Encrypted transport or encrypted message

Asset: Operational characteristics of the network
Threat: Traffic analysis
Mitigations:
a) Encryption of identifying header contents (e.g., source identification)
b) Encryption of transport
c) "blinding" with random meaningless traffic between genuine end-points
d) "blinding" with random meaningless traffic between falsified end-points

Asset: Proper functioning of syslog receivers (data sinks)
Threat: DoS attack (there are actually many)
Mitigation: need to be enumerated.

Asset: Messages reaching desired receivers
Threat: Bogus masquerading receivers
Mitigation: Transport with node identification. Note that message encryption prevents the receiver from reading the message, but it does not mitigate the issue that the message is lost because it goes to the wrong destination.

Asset: Message integrity
Threat: Message modification
Mitigation: Digital checksums/hash codes; digital signatures.

and so forth.

R Horn

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
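As an added illustration of the "Message integrity / Message modification" row above (example code, not part of the original post or of any syslog implementation): a receiver that checks an unkeyed checksum accepts a line the attacker modified and re-checksummed, while a receiver that checks a keyed hash (HMAC-SHA256) rejects it. The shared key, hostname and log line are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: a key shared by sender and receiver, and one
# syslog-style line as it would travel over the network.
SHARED_KEY = b"example-shared-key-not-for-production"
SAMPLE_MSG = "<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for root"


def checksum_only(msg: str) -> str:
    """Unkeyed hash: catches accidental corruption, but anyone who can
    modify the message can recompute it, so it does not mitigate
    deliberate modification."""
    return hashlib.sha256(msg.encode()).hexdigest()


def sign(msg: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def receiver_accepts_checksum(msg: str, chk: str) -> bool:
    return checksum_only(msg) == chk


def receiver_accepts_hmac(msg: str, tag: str, key: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(sign(msg, key), tag)


def simulate_modification(msg: str, key: bytes) -> dict:
    """Receiver-side outcome for the genuine line and for a modified line.
    The modifying party can recompute the unkeyed checksum but, lacking the
    key, can only replay the original HMAC tag alongside the changed text."""
    chk, tag = checksum_only(msg), sign(msg, key)
    tampered = msg.replace("Failed", "Accepted")
    return {
        "original_accepted": receiver_accepts_hmac(msg, tag, key),
        "tampered_passes_checksum": receiver_accepts_checksum(
            tampered, checksum_only(tampered)),
        "tampered_passes_hmac": receiver_accepts_hmac(tampered, tag, key),
    }


if __name__ == "__main__":
    print(simulate_modification(SAMPLE_MSG, SHARED_KEY))
```

Node identification of the transport (the "bogus masquerading receivers" row) is a separate control; a MAC or signature shows the line was not altered, not that it reached the intended receiver.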
