55th IETF
syslog WG
Chair: Chris Lonvick <clonvick@cisco.com>
mailing list: syslog-sec@employees.org
Agenda
● Agenda Bashing - 2m
● Review of Charter and Status Update - 8m
● Review of syslog-sign - 30m
● Plea for New Author of syslog-device-mib - 10m
● Wrap Up - 10m
Syslog WG Charter (1/3)
● Syslog is a de-facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known but undocumented security problems. For instance, the messages are unauthenticated and there is no mechanism to provide verified delivery and message integrity.
Syslog WG Charter (2/3)
● The goal of this working group is to document and address the security and integrity problems of the existing Syslog mechanism. In order to accomplish this task we will document the existing protocol. The working group will also explore and develop a standard to address the security problems.
Syslog WG Charter (3/3)
● Beyond documenting the Syslog protocol and its problems, the working group will work on ways to secure the Syslog protocol. At a minimum this group will address providing authenticity, integrity and confidentiality of Syslog messages as they traverse the network. The belief is that we can provide mechanisms that can be utilized in existing programs with few modifications to the protocol while providing significant security enhancements.
WG Status
● "The BSD syslog Protocol" - RFC 3164, produced August 2001.
● "Reliable Delivery for syslog" - RFC 3195, produced November 2001.
● draft-ietf-syslog-sign-07.txt - work in progress
● draft-ietf-syslog-device-mib-01.txt - work in progress
Update to Syslog-Sign
Jon Callas <jon@callas.org>
Syslog-Sign History
● Improvements to syslog, layered on existing protocol(s)
● Signed information inserted into the log stream, and can be retained in a repository
● Sliding window over messages supports reliable and unreliable logging
Document Status
● Finalizing for RFC
  – "penultimate call"
● Adding language for:
  – Replacement of the "PRI" function in signature groups, called the Signature Pri Value (SPV), which denotes the differences between the syslog message stream and the signature stream
  – Transport agnosticism
Signature Pri Value
● Consider five messages with PRI values of 10, 20, 30, 40, 50
● Sig Group of 0 means
  – a signature message is generated over all five entries; one sig message is created
● May be nice to use 46 as the PRI value of that signature message: facility = 5 (syslogd) and severity = 6 (informational)
SPV (continued)
● Sig Group of 1 means
  – five signature messages are created, one for each entry
  – the Sig Group value is the PRI of the message
SPV (continued)
● Sig Group of 2 means
  – each group contains a range of PRI values; the SPV defines the top of the range
  – if we pick 46 again, then two signature messages are generated, one over 10-40 and one over 50
  – you get to arbitrarily pick the PRI of those signature messages
SPV (continued)
● Sig Group of 3 means
  – network administrators think they know best
  – completely implementation dependent; potential opportunity for plugins, etc.
  – actual messages are dependent on the implementor's whim
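The Signature Pri Value slides above describe how the Sig Group (SG) value decides which messages end up under one signature. The following Python is an added worked example, not code from the syslog-sign draft or from the presenter; it partitions the five example messages (PRI 10, 20, 30, 40, 50) for SG 0, 1 and 2 and also computes a PRI from a facility and severity the way the "46 = facility 5, severity 6" remark relies on (PRI = facility * 8 + severity, per RFC 3164). Two details are assumptions of this example rather than statements of the draft: for SG 2, a message is assigned to the group whose SPV is the smallest configured range top that is greater than or equal to the message's PRI, and messages above the largest configured SPV fall into an implicit final group topped by 191 (the highest possible PRI). SG 3 is implementation dependent and is deliberately not modelled.

```python
"""Signature-group partitioning as sketched on the SPV slides (illustrative, not draft code)."""
from typing import Dict, List, Optional, Sequence, Tuple, Union

MAX_PRI = 191  # facility 23 * 8 + severity 7: the largest PRI a syslog message can carry

Message = Tuple[int, str]  # (PRI, message text); a simplified stand-in for a full syslog line


def pri(facility: int, severity: int) -> int:
    """PRI as encoded in the syslog header (RFC 3164): facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def signature_groups(messages: Sequence[Message], sg: int,
                     spv: Union[int, Sequence[int], None] = None) -> Dict[int, List[Message]]:
    """Return {signature-group SPV: [messages covered by that signature message]}.

    sg == 0: one signature message over everything; its PRI is the sender's choice
             (the slides suggest 46), passed in `spv` and used as the group key.
    sg == 1: one signature message per distinct PRI; the group's SPV is that PRI.
    sg == 2: `spv` lists the top of each PRI range; a message joins the first range
             whose top is >= its PRI (assumption of this example, see lead-in).
    sg == 3: implementation dependent per the slides; not modelled here.
    """
    groups: Dict[int, List[Message]] = {}
    if sg == 0:
        key = 46 if spv is None else int(spv)  # type: ignore[arg-type]
        groups[key] = list(messages)
    elif sg == 1:
        for m in messages:
            groups.setdefault(m[0], []).append(m)
    elif sg == 2:
        tops = [spv] if isinstance(spv, int) else list(spv or [])
        tops = sorted(set(tops))
        if not tops or tops[-1] < MAX_PRI:
            tops.append(MAX_PRI)  # implicit last range for PRIs above every configured SPV
        for m in messages:
            top = next(t for t in tops if m[0] <= t)
            groups.setdefault(top, []).append(m)
    else:
        raise NotImplementedError("SG=3 is implementation dependent")
    return groups


def signature_message_count(messages: Sequence[Message], sg: int,
                            spv: Union[int, Sequence[int], None] = None) -> int:
    """How many signature messages the chosen SG/SPV setting produces for this batch."""
    return len(signature_groups(messages, sg, spv))


if __name__ == "__main__":
    # Constructed sample batch matching the slides' five PRI values.
    batch = [(10, "m1"), (20, "m2"), (30, "m3"), (40, "m4"), (50, "m5")]
    print("PRI for facility 5 / severity 6:", pri(5, 6))
    for sg, spv in ((0, 46), (1, None), (2, 46)):
        g = signature_groups(batch, sg, spv)
        print(f"SG={sg} SPV={spv}: {len(g)} signature message(s)",
              {k: [m[0] for m in v] for k, v in g.items()})
```

Running the block shows SG 0 yielding one signature message keyed 46, SG 1 yielding five (keyed 10, 20, 30, 40, 50), and SG 2 with SPV 46 yielding two: one over PRIs 10-40 and one over 50, matching the slide's worked numbers. The `signature_message_count` helper is useful when sizing how many extra messages a given SG setting injects into the log stream, which is the main cost trade-off a deployment has to make between signing granularity and log volume.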