Syslog Working Group                                             F. Wang
Internet-Draft                                                   M. Chen
Updates: RFC5424 (if approved)                                     L. Su
Intended status: Standards Track                            China Mobile
Expires: 7 September 2022                                   6 March 2022


      Improve logging credibility by adding synchronization time
                               information
                draft-chen-syslog-syscinfo-credibility-00

Abstract

   This document proposes a scheme to improve the credibility of log
   reporting time by adding time synchronization information.  It
   updates the "timeQuality" structured data element of RFC 5424
   [RFC5424], The Syslog Protocol.  By appending "SYNCINFO" information
   after the "isSynced" parameter, the log collector can judge the
   credibility of logs when correlating logs from different devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 September 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Wang, et al.            Expires 7 September 2022                [Page 1]

Internet-Draft               syslog syscinfo                  March 2022

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Setting syncInfo  . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Setting new parameter . . . . . . . . . . . . . . . . . .   3
     3.2.  Examples  . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Handling of the collectors  . . . . . . . . . . . . . . .   4
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   5.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   RFC 5424 [RFC5424] already defines a timestamp for each reported log
   message and a parameter stating whether the originator's time has
   been synchronized with an external time source.  Although the
   standard considered the accuracy requirements of time recording and
   designed the "isSynced" parameter for this purpose, a synchronization
   flag alone cannot establish the credibility of the recorded time.  If
   the originator's external time source has been attacked or is a fake
   time source, the log reported by the originator records only whether
   the time is synchronized, not which time source it is synchronized
   to.  By setting up a fake upstream time synchronization server, an
   attacker can easily undermine the credibility of the log reporting
   time.
               +-----------+     +-----------+     +---------+
               |  FakeNTP  |-->--|Originator1|-->--|Collector|
               +-----------+     +-----------+     +---------+
                Stratum 0                              /
   +-------+   +-----------+     +-----------+        /
   |  GPS  |-->--|    NTP    |-->--|Originator2|-->--/
   +-------+   +-----------+     +-----------+
   Stratum 0    Stratum 1

                       Figure 1: Attack Scenario

   Take the above figure as an example.  Originator1 synchronizes to a
   fake NTP time source, while Originator2 synchronizes to an NTP time
   source whose own upstream external time source is GPS.  An attacker
   can modify the system time of the fake NTP time source and thereby
   shift the log reporting time of Originator1, which in turn degrades
   the time accuracy of the Collector when it correlates logs from
   different devices.

   To address the credibility of log reporting time, this document
   proposes adding synchronization time source information after the
   synchronization flag parameter.

2.  Terminology

   Readers should be familiar with the terms defined in.  In addition,
   this document makes use of the following term:

   syncInfo:  The syncInfo parameter records the IP address or host name
      of the NTP source the originator is currently synchronized to, the
      upstream time source that NTP source itself refers to, and the
      stratum of that NTP source.

3.  Setting syncInfo

   The parameters in RFC 5424 [RFC5424] provide no way to record NTP
   synchronization source information.  This section proposes a new
   parameter placed after the "isSynced" parameter.

3.1.  Setting new parameter

   The following new parameter is defined.

   SYNCINFO:  The parameter indicates the synchronization time source
      information of the originator.  The syncInfo parameter carries the
      IP address or host name of the NTP source the originator is
      currently synchronized to, the upstream time source that NTP
      source itself refers to, and the stratum of that NTP source.

   If the value "0" is used for "isSynced", this parameter MUST NOT be
   specified.
   If the value "1" is used for "isSynced", the originator's
   synchronization time source information needs to be added.

3.2.  Examples

   The following is an example of an originator that knows both its
   synchronization time source information and that it is externally
   synchronized:

   [timeQuality isSynced="1" syncInfo="remote:time-d.nist.gov|refid:NIST|st:1"]

   The syncInfo parameter records that the NTP source the originator is
   currently synchronized to is the host time-d.nist.gov, that this
   source in turn refers to NIST as its upstream time source, and that
   its stratum is 1.

3.3.  Handling of the collectors

   When the log collector merges logs reported by different originators,
   it compares the synchronization time source information and the
   stratum information carried in the logs:

   If the different originators are synchronized with the same time
   source, the log time reported by the different originators is
   credible;

                              +---------+    +-----------+    +---------+
                              |  NTP1   |->--|Originator1|->--|Collector|
                              +---------+    +-----------+    +---------+
                             / Stratum 1                          /
   +------------------+     /   +---------+    +-----------+     /
   | GPS/Atomic clock |-->--|  NTP2   |->--|Originator2|->--/
   +------------------+     +---------+    +-----------+
        Stratum 0            Stratum 1

          Figure 2: Trusted Scenario 1 for Log Reporting Time

   If the different originators are synchronized with different time
   sources, the collector must determine whether each time source itself
   refers to a higher-quality external time source.  If a higher-quality
   external time source is referenced, the log time is credible.  The
   log time cannot be trusted if no higher-quality external time source
   is referenced or if the time is not synchronized.
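   The parameter format of Section 3.2 and the collector rule of
   Section 3.3, implemented as an added Python example that is not part
   of this draft.  It parses a timeQuality SD-ELEMENT using the
   PARAM-VALUE escaping rules of RFC 5424, splits syncInfo into the
   remote/refid/st fields of the example above, enforces the MUST NOT
   rule of Section 3.1, and compares two originators.  The threshold
   MAX_TRUSTED_STRATUM, the treatment of a shared refid as "the same time
   source" (both NTP servers fed by one reference, as in Figure 2), the
   function and class names, and every sample value other than the
   draft's own example are assumptions made for this example.

```python
"""Parsing and collector-side evaluation of the proposed syncInfo parameter.

Example code written for this draft's Sections 3.2 and 3.3; it is not part
of the draft.  Only DRAFT_EXAMPLE is taken from the draft; the other
SD-ELEMENTs are constructed for the scenarios of Figures 2 through 4.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 Section 6.3: SD-NAME is 1..32 printable US-ASCII characters other
# than '=', SP, ']' and '"'; inside PARAM-VALUE the characters '"', '\' and
# ']' are escaped with a backslash.
_SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]{1,32})="(?P<value>(?:[^"\\]|\\.)*)"')
_UNESCAPE_RE = re.compile(r'\\([\\"\]])')

# Assumption (not stated in the draft): an NTP source "refers to a
# higher-quality external time source" when its stratum is at most this
# value, i.e. it sits directly below a stratum-0 reference (GPS, atomic clock).
MAX_TRUSTED_STRATUM = 1


def parse_sd_element(sd: str) -> tuple[str, dict[str, str]]:
    """Split one '[SD-ID PARAM="value" ...]' element into (sd_id, params)."""
    if len(sd) < 3 or sd[0] != "[" or sd[-1] != "]":
        raise ValueError("not an SD-ELEMENT: %r" % sd)
    sd_id, _, rest = sd[1:-1].partition(" ")
    if not sd_id:
        raise ValueError("empty SD-ID")
    params: dict[str, str] = {}
    for m in _SD_PARAM_RE.finditer(rest):
        params[m.group("name")] = _UNESCAPE_RE.sub(r"\1", m.group("value"))
    return sd_id, params


@dataclass(frozen=True)
class SyncInfo:
    remote: str   # NTP source the originator is synchronized to (IP or host name)
    refid: str    # upstream reference that NTP source itself refers to
    stratum: int  # stratum of the NTP source


def parse_sync_info(value: str) -> SyncInfo:
    """Parse 'remote:<host>|refid:<id>|st:<n>', the layout of the draft's example."""
    fields: dict[str, str] = {}
    for item in value.split("|"):
        key, sep, val = item.partition(":")
        if not sep or not key or not val:
            raise ValueError("malformed syncInfo item: %r" % item)
        fields[key] = val
    missing = {"remote", "refid", "st"} - fields.keys()
    if missing:
        raise ValueError("syncInfo lacks %s" % sorted(missing))
    stratum = int(fields["st"])
    if not 0 <= stratum <= 15:          # 16 means "unsynchronized" in NTP
        raise ValueError("stratum out of range: %d" % stratum)
    return SyncInfo(fields["remote"], fields["refid"], stratum)


@dataclass(frozen=True)
class TimeQuality:
    is_synced: bool
    sync_info: Optional[SyncInfo]


def parse_time_quality(sd: str) -> TimeQuality:
    """Parse a timeQuality SD-ELEMENT, enforcing the draft's isSynced/syncInfo rule."""
    sd_id, params = parse_sd_element(sd)
    if sd_id != "timeQuality":
        raise ValueError("expected timeQuality, got %r" % sd_id)
    is_synced = params.get("isSynced") == "1"
    raw = params.get("syncInfo")
    if raw is not None and not is_synced:
        raise ValueError('syncInfo MUST NOT be present unless isSynced is "1"')
    return TimeQuality(is_synced, parse_sync_info(raw) if raw is not None else None)


def judge_credibility(a: TimeQuality, b: TimeQuality) -> str:
    """Collector rule of Section 3.3 for two originators: 'credible' or 'untrusted'."""
    if a.sync_info is None or b.sync_info is None:
        return "untrusted"        # not synchronized, or synchronized without source info
    x, y = a.sync_info, b.sync_info
    # Same time source: same NTP host, or both NTP hosts fed by one reference.
    if x.remote == y.remote or x.refid == y.refid:
        return "credible"         # Figure 2
    # Different sources: each must itself refer to a higher-quality external source.
    if x.stratum <= MAX_TRUSTED_STRATUM and y.stratum <= MAX_TRUSTED_STRATUM:
        return "credible"         # Figure 3
    return "untrusted"            # Figure 4


# The draft's own example (Section 3.2) plus constructed peers for the figures.
DRAFT_EXAMPLE = '[timeQuality isSynced="1" syncInfo="remote:time-d.nist.gov|refid:NIST|st:1"]'
GPS_PEER = '[timeQuality isSynced="1" syncInfo="remote:ntp2.example.net|refid:GPS|st:1"]'
STRATUM3_PEER = '[timeQuality isSynced="1" syncInfo="remote:ntp1.example.net|refid:192.0.2.10|st:3"]'
UNSYNCED_PEER = '[timeQuality isSynced="0"]'

if __name__ == "__main__":
    base = parse_time_quality(DRAFT_EXAMPLE)
    for label, peer in (("same source", DRAFT_EXAMPLE), ("GPS stratum 1", GPS_PEER),
                        ("stratum 3", STRATUM3_PEER), ("unsynced", UNSYNCED_PEER)):
        print("%-14s -> %s" % (label, judge_credibility(base, parse_time_quality(peer))))
```

   A collector that adopts this rule should treat a malformed or
   out-of-range syncInfo exactly like a missing one: the ValueError
   raised by the parser marks the record as one whose reporting time
   cannot be verified, rather than silently falling back to "credible".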
   +--------------+   +-----------+   +-----------+    +---------+
   | Atomic clock |->-|   NTP1    |->--|Originator1|->--|Collector|
   +--------------+   +-----------+   +-----------+    +---------+
      Stratum 0         Stratum 1                          /
   +--------------+   +-----------+   +-----------+       /
   |     GPS      |->-|   NTP2    |->--|Originator2|->--/
   +--------------+   +-----------+   +-----------+
      Stratum 0         Stratum 1

          Figure 3: Trusted Scenario 2 for Log Reporting Time

   +------------------+   +--------+   +-----------+   +---------+
   | Other time source|->-|  NTP1  |->-|Originator1|->-|Collector|
   +------------------+   +--------+   +-----------+   +---------+
        Stratum 2          Stratum 3                        /
   +------------------+   +--------+   +-----------+       /
   | GPS/Atomic clock |->-|  NTP2  |->-|Originator2|->-/
   +------------------+   +--------+   +-----------+
        Stratum 0          Stratum 1

          Figure 4: Untrusted Scenario for Log Reporting Time

4.  IANA Considerations

   This document requires registering a new parameter with IANA.  Like
   the "isSynced" parameter, it should be an optional parameter.

5.  Contributors

   TBD

6.  Acknowledgements

   TBD

7.  Normative References

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

Authors' Addresses

   Fengsheng Wang
   China Mobile
   32, Xuanwumen West
   BeiJing
   100053
   China
   Email: wangfengsheng@chinamobile.com

   Meiling Chen
   China Mobile
   32, Xuanwumen West
   BeiJing
   100053
   China
   Email: chenmeiling@chinamobile.com

   Li Su
   China Mobile
   32, Xuanwumen West
   BeiJing
   100053
   China
   Email: suli@chinamobile.com