55th IETF syslog WG

Chair: Chris Lonvick <clonvick@cisco.com>
Mailing list: syslog-sec@employees.org

Agenda
● Agenda Bashing - 2m
● Review of Charter and Status Update - 8m
● Review of syslog-sign - 30m
● Plea for New Author of syslog-device-mib - 10m
● Wrap Up - 10m

Syslog WG Charter (1/3)
● Syslog is a de-facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known but undocumented security problems. For instance, the messages are unauthenticated and there is no mechanism to provide verified delivery and message integrity.

Syslog WG Charter (2/3)
● The goal of this working group is to document and address the security and integrity problems of the existing Syslog mechanism. In order to accomplish this task we will document the existing protocol. The working group will also explore and develop a standard to address the security problems.

Syslog WG Charter (3/3)
● Beyond documenting the Syslog protocol and its problems, the working group will work on ways to secure the Syslog protocol. At a minimum this group will address providing authenticity, integrity and confidentiality of Syslog messages as they traverse the network. The belief is that we can provide mechanisms that can be utilized in existing programs with few modifications to the protocol while providing significant security enhancements.

WG Status
● “The BSD syslog Protocol” - RFC 3164 produced August 2001.
● “Reliable Delivery for syslog” - RFC 3195 produced November 2001.
● draft-ietf-syslog-sign-07.txt - wip
● draft-ietf-syslog-device-mib-01.txt - wip

Update to Syslog-Sign
Jon Callas <jon@callas.org>

Syslog-Sign History
● Improvements to syslog, layered on existing protocol(s)
● Signed information inserted into log stream and can be retained in a repository
● Sliding window over messages supports reliable and unreliable logging

Document Status
● Finalizing for RFC
  – “penultimate call”
● Adding language for
  – Replacement of the “PRI” function in signature groups, called Signature Pri Value
    ● Denotes differences between the syslog message stream and the signature stream
  – Transport agnosticism

Signature Pri Value
● Consider five messages
● PRI of 10, 20, 30, 40, 50
● Sig Group of 0 means
  – signature message generated over all five entries, one sig message created
● May be nice to use 46 as PRI value, facility = 5 (syslogd) and severity 6 (informational)

SPV (continued)
● Sig Group of 1 means
  – Five signature messages created, one for each entry
  – Sig Group value is PRI of message

SPV (continued)
● Sig Group of 2 means
  – Each group contains a range of PRI values, SPV defines top of range
  – If we pick 46 again, then two signature messages are generated, one over 10-40, and one over 50.
  – You get to arbitrarily pick a PRI for those signature messages

SPV (continued)
● Sig Group of 3 means
  – Network administrators think they know best
  – Completely implementation dependent, potential opportunity for plugins, etc.
  – Actual messages dependent on implementor's whim.
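The four Signature Pri Value slides above describe how a syslog-sign implementation partitions a message stream into signature groups (Sig Group 0 through 3) before emitting one signature message per group. The following is an added example, not code from the slides or from the syslog-sign draft: it applies each Sig Group rule to the five PRI values on the slides, emits a signature block per group, and shows how a verifier with the repository copy detects an altered entry. The block layout, the five sample messages, the use of HMAC-SHA256 as a stand-in for the draft's public-key signature, the treatment of a list of range tops for Sig Group 2, and grouping by facility for Sig Group 3 are all this example's own assumptions.

```python
# Added example (not the slides' or the syslog-sign draft's code): partition a
# syslog stream into signature groups under each "Sig Group" rule from the
# slides, emit one signature block per group, and verify a retrieved group.
# The block format and the HMAC stand-in for the draft's digital signature
# are assumptions of this example, not the draft's definitions.
import hashlib
import hmac
import re

MAX_PRI = 191  # facility 23 * 8 + severity 7, the largest legal PRI

# Constructed sample stream using the five PRI values from the slides.
MESSAGES = [
    "<10>Nov 18 10:00:01 host sshd[4242]: Accepted publickey for alice",
    "<20>Nov 18 10:00:02 host postfix[310]: connect from relay.example.test",
    "<30>Nov 18 10:00:03 host named[99]: zone example.test loaded",
    "<40>Nov 18 10:00:04 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<50>Nov 18 10:00:05 host lpd[7]: queue started",
]


def pri_of(msg):
    """PRI is the decimal number between the leading angle brackets."""
    m = re.match(r"<(\d{1,3})>", msg)
    if not m or int(m.group(1)) > MAX_PRI:
        raise ValueError(f"malformed PRI in: {msg!r}")
    return int(m.group(1))


def signature_groups(messages, sig_group, spv=46, range_tops=None):
    """Return {group_key: [messages]} for the Sig Group rule on the slides.

    0: one signature over everything; key is the SPV chosen for the sig message.
    1: one signature per message, keyed by that message's own PRI (the slides'
       five distinct PRIs give five groups).
    2: PRI ranges whose tops are the SPVs; a trailing MAX_PRI catches the rest.
       (Assumption: a sorted list of tops generalizes the single SPV on the slides.)
    3: implementation dependent; this implementation (assumption) groups by facility.
    """
    groups = {}
    for msg in messages:
        pri = pri_of(msg)
        if sig_group == 0:
            key = spv
        elif sig_group == 1:
            key = pri
        elif sig_group == 2:
            tops = sorted(range_tops if range_tops is not None else [spv])
            if tops[-1] != MAX_PRI:
                tops.append(MAX_PRI)
            key = next(t for t in tops if pri <= t)
        elif sig_group == 3:
            key = pri // 8  # facility number
        else:
            raise ValueError("Sig Group must be 0..3")
        groups.setdefault(key, []).append(msg)
    return groups


def message_hash(msg):
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


def _payload(spv, hashes):
    # Constructed layout for what gets signed: the group's SPV, the count and
    # the per-message hashes, so a dropped or reordered entry changes the tag.
    return f"SPV={spv} COUNT={len(hashes)} " + " ".join(hashes)


def sig_block(key, group_key, msgs):
    """Signature message for one group. Assumption: HMAC-SHA256 with a shared
    key stands in for the draft's public-key signature."""
    hashes = [message_hash(m) for m in msgs]
    tag = hmac.new(key, _payload(group_key, hashes).encode("utf-8"), hashlib.sha256).hexdigest()
    return {"spv": group_key, "hashes": hashes, "tag": tag}


def verify_block(key, block, msgs):
    """Check a group pulled from the repository against its signature block.
    Returns (tag_ok, bad_indices): whether the block itself is authentic, and
    the positions whose stored message no longer matches its signed hash."""
    expected = hmac.new(key, _payload(block["spv"], block["hashes"]).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    tag_ok = hmac.compare_digest(expected, block["tag"])
    bad = [i for i, m in enumerate(msgs)
           if i >= len(block["hashes"]) or message_hash(m) != block["hashes"][i]]
    bad.extend(range(len(msgs), len(block["hashes"])))  # signed entries now missing
    return tag_ok, bad


def group_sizes(sig_group):
    """Messages covered by each signature message, smallest group first."""
    return sorted(len(v) for v in signature_groups(MESSAGES, sig_group).values())


def tamper_demo(key=b"constructed-demo-key"):
    """Sign the Sig Group 2 groups (SPV 46), then alter one stored message."""
    groups = signature_groups(MESSAGES, 2)
    blocks = {k: sig_block(key, k, v) for k, v in groups.items()}
    stored = {k: list(v) for k, v in groups.items()}
    stored[46][3] = stored[46][3].replace("/bin/ls", "/bin/sh")  # edit the sudo line
    return {k: verify_block(key, blocks[k], stored[k]) for k in blocks}


if __name__ == "__main__":
    for g in range(4):
        print("Sig Group", g, "->", group_sizes(g))
    print(tamper_demo())
```

With SPV 46 the Sig Group 2 rule yields the two groups the slides describe, PRI 10-40 under top 46 and PRI 50 under the catch-all top; `tamper_demo` reports the signature block itself as authentic but flags index 3 of the first group, which is the point of retaining the signed hashes beside the log: an edit to the stored copy is localized to the entry that changed rather than invalidating the whole archive.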