55th IETF - PowerPoint PPT Presentation

Title: 55th IETF
Slides: 14
Provided by: ietf
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes


1
55th IETF
  • syslog WG
  • Chair: Chris Lonvick <clonvick@cisco.com>
  • Mailing list: syslog-sec@employees.org

2
Agenda
  • Agenda Bashing - 2 m
  • Review of Charter and Status Update - 8 m
  • Review of syslog-sign - 30 m
  • Plea for New Author of syslog-device-mib - 10 m
  • Wrap Up - 10 m

3
Syslog WG Charter (1/3)
  • Syslog is a de-facto standard for logging system
    events. However, the protocol component of this
    event logging system has not been formally
    documented. While the protocol has been very
    useful and scalable, it has some known but
    undocumented security problems. For instance, the
    messages are unauthenticated and there is no
    mechanism to provide verified delivery and
    message integrity.

4
Syslog WG Charter (2/3)
  • The goal of this working group is to document and
    address the security and integrity problems of
    the existing Syslog mechanism. In order to
    accomplish this task we will document the
    existing protocol. The working group will also
    explore and develop a standard to address the
    security problems.

5
Syslog WG Charter (3/3)
  • Beyond documenting the Syslog protocol and its
    problems, the working group will work on ways to
    secure the Syslog protocol. At a minimum this
    group will address providing authenticity,
    integrity and confidentiality of Syslog messages
    as they traverse the network. The belief is that
    we can provide mechanisms that can be utilized in
    existing programs with few modifications to the
    protocol while providing significant security
    enhancements.

6
WG Status
  • The BSD syslog Protocol - RFC 3164 produced
    August 2001.
  • Reliable Delivery for syslog - RFC 3195
    produced November 2001.
  • draft-ietf-syslog-sign-07.txt - wip
  • draft-ietf-syslog-device-mib-01.txt - wip

7
Update to Syslog-Sign
  • Jon Callas <jon@callas.org>

8
Syslog-Sign History
  • Improvements to syslog, layered on existing
    protocol(s)
  • Signed information inserted into log stream and
    can be retained in a repository
  • Sliding window over messages supports reliable
    and unreliable logging

9
Document Status
  • Finalizing for RFC
    - penultimate call
  • Adding language for:
    - Replacements of PRI function in signature
      groups, called Signature Pri Value (SPV)
    - Denotes differences between the syslog message
      stream and the signature stream
    - Transport agnosticism

10
Signature Pri Value
  • Consider five messages
    - PRI of 10, 20, 30, 40, 50
  • Sig Group of 0 means
    - signature message generated over all five
      entries; one sig message created
    - May be nice to use 46 as the PRI value: facility 5
      (syslogd) and severity 6 (informational)

11
SPV (continued)
  • Sig Group of 1 means
    - Five signature messages created, one for each
      entry
    - Sig Group value is the PRI of the message

12
SPV (continued)
  • Sig Group of 2 means
    - Each group contains a range of PRI values; the SPV
      defines the top of the range
    - If we pick 46 again, then two signature messages
      are generated: one over 10-40, and one over 50
    - You get to arbitrarily pick a PRI for those
      signature messages

13
SPV (continued)
  • Sig Group of 3 means
    - Network administrators think they know best
    - Completely implementation dependent; potential
      opportunity for plugins, etc.
    - Actual messages dependent on implementor's whim
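The grouping rules on slides 10 through 12, as an added example that is not part of the presentation or of the syslog-sign draft itself: it computes the RFC 3164 PRI from facility and severity (5 and 6 give the suggested 46) and partitions the five sample messages into signature groups for Sig Group values 0, 1 and 2. For SG 2 it generalizes the slides' single range top to a list of SPV range tops, which is an assumption about how several ranges would be laid out; SG 3 is implementation dependent and is deliberately not modeled.

```python
def pri(facility: int, severity: int) -> int:
    """syslog PRI as defined in RFC 3164: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def signature_groups(pris, sg, range_tops=None):
    """Partition message PRI values into the signature groups a signer
    would sign over, following the slides' description of SG 0, 1 and 2.

    Returns a list of groups; each group is the list of PRI values (in
    message order) covered by one signature message.
    """
    pris = list(pris)
    if sg == 0:
        # One signature message over every entry; the signer is free to
        # pick the PRI of that signature message (the slides suggest 46).
        return [pris]
    if sg == 1:
        # One signature message per PRI value; the group value is the PRI
        # of the message. With the slides' five distinct PRIs this yields
        # five groups, one for each entry.
        by_pri = {}
        for p in pris:
            by_pri.setdefault(p, []).append(p)
        return [by_pri[k] for k in sorted(by_pri)]
    if sg == 2:
        # Ranges of PRI values; each SPV names the top of one range.
        # Assumption: several tops form consecutive ranges, and anything
        # above the highest top forms a final group of its own.
        if not range_tops:
            raise ValueError("SG 2 needs at least one SPV range top")
        groups, lower = [], -1
        for top in sorted(range_tops):
            groups.append([p for p in pris if lower < p <= top])
            lower = top
        groups.append([p for p in pris if p > lower])
        return [g for g in groups if g]  # drop empty ranges
    raise ValueError("SG 3 grouping is implementation dependent")


if __name__ == "__main__":
    # Constructed sample from slide 10: five messages with PRI 10..50.
    sample = [10, 20, 30, 40, 50]
    print("suggested signature PRI:", pri(5, 6))
    for sg, tops in ((0, None), (1, None), (2, [46])):
        print(f"SG {sg}:", signature_groups(sample, sg, tops))
```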