Re: [Syslog] Matters arising was: Re: syslog WG meetingminutes(proposed)

["David Harrington" <ietfdbh at comcast.net>]

whoops
/with/without/

dbh 

> -----Original Message-----
> From: syslog-bounces at ietf.org 
> [mailto:syslog-bounces at ietf.org] On Behalf Of David Harrington
> Sent: Wednesday, August 05, 2009 10:16 PM
> To: 'tom.petch'; 'Chris Lonvick'
> Cc: 'syslog'; pasi.eronen at nokia.com
> Subject: Re: [Syslog] Matters arising was: Re: syslog WG 
> meetingminutes(proposed)
> 
> Hi,
> 
> To clarify a point ...
> syslog/tls is not simply RECOMMENDED; it is MANDATORY TO IMPLEMENT.
> 
> syslog/dtls will be an optional transport; we do not need to
RECOMMEND
> it.
> Implementers can decide for themselves whether to implement it.
> I agree that the IESG may not approve it with congestion control
> considerations.
> 
> dbh 
> 
> > -----Original Message-----
> > From: syslog-bounces at ietf.org 
> > [mailto:syslog-bounces at ietf.org] On Behalf Of tom.petch
> > Sent: Wednesday, August 05, 2009 5:32 PM
> > To: Chris Lonvick
> > Cc: syslog; pasi.eronen at nokia.com
> > Subject: Re: [Syslog] Matters arising was: Re: syslog WG 
> > meeting minutes(proposed)
> > 
> > ----- Original Message -----
> > From: "Chris Lonvick" <clonvick at cisco.com>
> > To: "tom.petch" <cfinss at dial.pipex.com>
> > Cc: "syslog" <syslog at ietf.org>; <pasi.eronen at nokia.com>
> > Sent: Monday, August 03, 2009 3:52 PM
> > 
> > > On Mon, 3 Aug 2009, tom.petch wrote:
> > >
> > > > Picking up on the point of commonality between DTLS for 
> > IPFIX, ISMS and
> > syslog:
> > > >
> > > > - having a common statement of how to check certificates 
> > would save work
> > here
> > > > and elsewhere ie get 
> > draft-hodges-server-ident-check-00.txt to include as a
> > > > minimum the cases covered in syslog-tls and get that I-D 
> > progressing onto
> > > > standards track so as to use it as a normative reference 
> > (can we steal it
> > from
> > > > apps into security:-).
> > >
> > > Sounds good.
> > >
> > > >
> > > > - syslog has tls as RECOMMENDED transport at the 
> > insistence of the IESG
> > because
> > > > it has flow control and the others do not.  DTLS over UDP 
> > has no flow
> > control
> > > > and so, by analogy,  I would expect it to be unacceptable 
> > to the IESG ie it
> > will
> > > > have to be DTLS over SCTP that will have to be there as 
> > well or instead
> > > > (something I did not think of in 2006).
> > >
> > > I'm not that familiar with DTLS.  Can we just specify how 
> > to put syslog
> > > over it, or do we need to also state how it is to be layered
above
> a
> > > substrate tranport such as sctp?  My preference would be to 
> > just define
> > > syslog/dtls and then have a pointer back to RFC 5424 
> > (syslog Protocol)
> > > Section 8.6. (Congestion Control) which spells out the 
> > reason for choosing
> > > properly.  I'm really hoping that we don't have to create a 
> > document for
> > > anything other than syslog/dtls.
> > >
> > > > - having written a DTLS I-D (and looked at many more), I 
> > am inclined to
> > agree
> > > > with Wes that there will not be much in common (apart 
> > from certificate
> > > > checking - see above)
> > >
> > > If we _can_ just do XYZ/dtls (without having to go through the
> lower
> > > substrate definition) then the pieces of work are (imho):
> > > - state how the specification addresses the threats identified
in
> > > syslog/tls,
> > > - explain certificate checking (as you note above)
> > > - explain how records will be separated.
> > >
> > > Can anyone think of anything else that needs to be defined 
> > in this work?
> > >
> > > Tom, can a document just do XYZ/dtls, or does it also _really_
> need
> > > definition for the substrate?
> > 
> > I can write such a document, but will the IESG accept it?  I 
> > don't know; I was
> > surprised at Magnus's DISCUSS two years ago on 
> > syslog-protocol that led us to
> > RECOMMEND a TLS transport, as opposed to UDP, on the grounds that
it
> > offered congestion control and I doubt that concerns about 
> > congestion have
> > decreased since then.
> > 
> > So I am anticipating that syslog over DTLS with no mention of 
> > underlying
> > transport cannot be RECOMMENDED; perhaps a question for our 
> > AD to ponder, and
> > bounce off his transport area opposite numbers.
> > 
> > As to other points, my list, of what xxx-over-DTLS must consider
is
> >     - authentication
> >     - connection set up
> >     - connection termination
> >     - choice of ciphersuite
> >     - choice of (D)TLS extensions
> >     - delineation of datagrams
> >     - invoking DTLS
> >     - fragmentation
> > and nowadays I must add
> >     - congestion control.
> > 
> > Tom Petch
> > 
> > > Thanks,
> > > Chris
> > >
> > > >
> > > > Tom Petch
> > <snip>
> > 
> > _______________________________________________
> > Syslog mailing list
> > Syslog at ietf.org
> > https://www.ietf.org/mailman/listinfo/syslog
> > 
> 
> _______________________________________________
> Syslog mailing list
> Syslog at ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
>