
Re: draft-shafer-netconf-syslog-00.txt



Rainer Gerhards wrote:

> I essentially agree, BUT... The syslog WG is working on digital
> signatures for syslog messages (syslog-sign I-D). The intention is to
> provide a long-lived record of the authenticity of the log messages, no
> matter which transports and gateways have been used. Thus, this initial
> sender will sign the messages and the final destination will store an
> exact same copy of that message. Then, the original signature can be
> verified even years later (think about evidence in court).
>
> The bottom-line to make this happen is that the original message is
> available on the final destination. Parsing and XML-formatting it
> invalidates the message.
>
> One might argue if this is of concern for netconf. Probably not, if only
> syslog is used for long-term archiving. But you never know.

Sure. That would be a problem.
I was thinking of an alternative where the agent generates a new signature of the XML document (the translated syslog message) using XML-DigitalSignature from W3C.
(Before doing so, the agent may check the original syslog signature.)
As usual with security considerations, it would be more costly both for:
- processing time on the agent side (check the old and generate the new signature),
- storage on the manager side (an XML-DS document might consume more storage than a signed syslog message).

Vincent

> Besides that concern, I think a standard data model for syslog messages
> is definitely needed. Unfortunately, the syslog WG is not yet chartered
> to provide it. The current syslog-protocol draft has been written with
> the data model in mind. It is fairly trivial to define a standard data
> model based on it. It even contains hints for parsing RFC 3164 messages
> in a way consistent with such a model. The data model might also
> optionally contain the original message, which solves the signature
> problem (at the cost of a larger message size, but that should not be too
> much of a concern these days).
> I personally wouldn't care if that model is created by the netconf or
> syslog WG (though this sounds like the more appropriate place). Given the
> current participation in both WGs, netconf would, practically thinking,
> be a better place to do it.
>
> Rainer
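An added example, not from this thread or from any syslog WG draft, of the point raised above about keeping the original message: a signature binds the exact bytes the sender emitted, so a parsed-and-XML-formatted copy cannot be verified against it unless the data model also carries the original text. HMAC-SHA256 stands in for the syslog-sign signature scheme, the sample message and key are constructed, and the XML element names are a hypothetical data model.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample: an RFC 3164-style message as a collector would receive it.
RAW_MSG = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
KEY = b"constructed-demo-key"  # stand-in for the sender's real signing key

def sign(data: bytes) -> str:
    # HMAC stands in for the asymmetric signature of syslog-sign; what matters
    # here is that the signature covers the exact original bytes.
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

# PRI, BSD timestamp, hostname, free-form message (RFC 3164 layout).
_RE = re.compile(rb"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)

def to_model(raw: bytes, keep_original: bool) -> ET.Element:
    """Parse an RFC 3164 message into a hypothetical XML data model."""
    m = _RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    ev = ET.Element("syslog-event")
    ET.SubElement(ev, "facility").text = str(pri >> 3)
    ET.SubElement(ev, "severity").text = str(pri & 7)
    ET.SubElement(ev, "timestamp").text = m.group(2).decode()
    ET.SubElement(ev, "hostname").text = m.group(3).decode()
    ET.SubElement(ev, "msg").text = m.group(4).decode()
    if keep_original:
        # Optional element carrying the untouched message, as the thread suggests.
        ET.SubElement(ev, "original").text = raw.decode()
    return ev

def verify_from_model(ev: ET.Element, sig: str) -> bool:
    """Check the sender's signature from the stored XML model."""
    orig = ev.findtext("original")
    if orig is None:
        # Only the re-formatted bytes survive, so the original signature cannot match.
        return verify(ET.tostring(ev), sig)
    return verify(orig.encode(), sig)
```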

begin:vcard
fn:Vincent Cridlig
n:Cridlig;Vincent
org:LORIA - INRIA Lorraine, France;Madynes
adr:;;;Nancy;;;France
email;internet:cridligv@loria.fr
title:PhD Student
tel;work:+33 (0)3 83 59 20 48
url:http://www.loria.fr/~cridligv
version:2.1
end:vcard