idnits 2.17.1 draft-chen-syslog-syscinfo-credibility-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** There are 3 instances of too long lines in the document, the longest one
     being 2 characters in excess of 72.

  ** The abstract seems to contain references ([RFC5424]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

  == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
     document.

  ** The document seems to lack both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 132: '..."isSynced", this parameter MUST NOT be...'

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (6 March 2022) is 782 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.
Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about
the items above.

--------------------------------------------------------------------------------

Syslog Working Group                                             F. Wang
Internet-Draft                                                   M. Chen
Updates: RFC5424 (if approved)                                     L. Su
Intended status: Standards Track                            China Mobile
Expires: 7 September 2022                                   6 March 2022

   Improve logging credibility by adding synchronization time information
                 draft-chen-syslog-syscinfo-credibility-00

Abstract

   This document proposes a scheme to improve the credibility of log
   reporting time by adding time synchronization information.

   This document updates the "timeQuality" structured data element of
   RFC 5424 [RFC5424], The Syslog Protocol.  By appending a "syncInfo"
   parameter after the "isSynced" parameter, the log collector can judge
   the credibility of log timestamps when correlating logs of different
   devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 September 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Setting syncInfo
     3.1.  Setting new parameter
     3.2.  Examples
     3.3.  Handling of the collectors
   4.  IANA Considerations
   5.  Contributors
   6.  Acknowledgements
   7.  Normative References
   Authors' Addresses

1.  Introduction

   The following builds on RFC 5424 [RFC5424].

   The protocol gives every reported log a timestamp and, in the
   "timeQuality" structured data element, an "isSynced" parameter that
   indicates whether the originator's clock has been synchronized with
   an external time source.  Although the standard thus considered the
   accuracy requirements of time recording and designed the "isSynced"
   flag for it, a synchronization flag alone cannot establish the
   credibility of the recorded time: it says that the clock was
   synchronized, not to what.
   If the originator's external time source is under attack or is itself
   a fake time source, the log reported by the originator records only
   that its time is synchronized; it does not report which source it
   synchronized to.  By building a fake time server that claims a high
   position in the synchronization hierarchy, an attacker can therefore
   easily undermine the credibility of the log reporting time.

      +-----------+     +-----------+     +---------+
      |  FakeNTP  |-->--|Originator1|-->--|Collector|
      +-----------+     +-----------+     +---------+
        Stratum 0                              |
      +-------+     +-----------+     +-----------+  |
      |  GPS  |-->--|    NTP    |-->--|Originator2|--/
      +-------+     +-----------+     +-----------+
      Stratum 0      Stratum 1

                      Figure 1: Attack Scenario

   Take the figure above as an example.  Originator1 synchronizes to a
   fake NTP time source, while Originator2 synchronizes to an NTP server
   whose upstream external time source is GPS.  The attacker can change
   the system time of the fake NTP source and thereby shift the log
   reporting time of Originator1, which in turn degrades the time
   accuracy of the Collector when it correlates logs of different
   devices.

   To address the credibility of log reporting time, this document
   proposes to add synchronization time source information after the
   synchronization flag parameter.

2.  Terminology

   The readers should be familiar with the terms defined in [RFC5424].

   In addition, this document makes use of the following terms:

   syncInfo:  The syncInfo parameter records the NTP server the
      originator currently synchronizes to ("remote", given as a host
      name or IP address), the identifier of that server's own upstream
      time source ("refid"), and that server's stratum ("st").

3.  Setting syncInfo

   The parameters defined in RFC 5424 [RFC5424] cannot record NTP
   synchronization source information.  This section adds a new
   parameter after the "isSynced" parameter for that purpose.

3.1.  Setting new parameter

   The following new parameter is defined.
   syncInfo:  The parameter carries the synchronization time source
      information of the originator: the NTP server the originator
      currently synchronizes to ("remote", a host name or IP address),
      the identifier of that server's own upstream time source
      ("refid"), and that server's stratum ("st").

   If the value "0" is used for "isSynced", this parameter MUST NOT be
   specified.  If the value "1" is used for "isSynced", the originator's
   synchronization time source information needs to be added.

3.2.  Examples

   The following is an example of an originator that is externally
   synchronized and knows its synchronization time source information:

   [timeQuality isSynced="1" syncInfo="remote:time-d.nist.gov|refid:NIST|st:1"]

   The syncInfo parameter records that the NTP server the originator
   synchronizes to is time-d.nist.gov, that this server's upstream
   reference identifier is NIST, and that its stratum is 1.

3.3.  Handling of the collectors

   When the log collector merges logs reported by different originators,
   it compares the synchronization time source information and the
   stratum information in the logs:

   If the different originators are synchronized to the same time
   source, the log time reported by the different originators is
   credible;

                           +---------+     +-----------+     +---------+
                        /--|  NTP1   |-->--|Originator1|-->--|Collector|
                        |  +---------+     +-----------+     +---------+
      +------------------+  Stratum 1                              |
      | GPS/Atomic clock |                                         |
      +------------------+ +---------+     +-----------+           |
           Stratum 0    \--|  NTP2   |-->--|Originator2|-->--------/
                           +---------+     +-----------+
                            Stratum 1

             Figure 2: Trusted Scenario 1 for Log Reporting Time

   If the different originators are synchronized to different time
   sources, it is necessary to determine whether each time source refers
   to a higher-quality external time source.  If a higher-quality
   external time source is referenced, the log time is credible.
   This log time cannot be trusted if a higher-quality external time
   source is not referenced or the time is not synchronized.

      +--------------+   +---------+     +-----------+     +---------+
      | Atomic clock |->-|  NTP1   |-->--|Originator1|-->--|Collector|
      +--------------+   +---------+     +-----------+     +---------+
         Stratum 0        Stratum 1                             |
      +--------------+   +---------+     +-----------+          |
      |     GPS      |->-|  NTP2   |-->--|Originator2|-->-------/
      +--------------+   +---------+     +-----------+
         Stratum 0        Stratum 1

             Figure 3: Trusted Scenario 2 for Log Reporting Time

      +-------------------+   +--------+     +-----------+     +---------+
      | Other time source |->-|  NTP1  |-->--|Originator1|-->--|Collector|
      +-------------------+   +--------+     +-----------+     +---------+
            Stratum 2          Stratum 3                            |
      +-------------------+   +--------+     +-----------+          |
      | GPS/Atomic clock  |->-|  NTP2  |-->--|Originator2|-->-------/
      +-------------------+   +--------+     +-----------+
            Stratum 0          Stratum 1

            Figure 4: Untrusted Scenarios for Log Reporting Time

4.  IANA Considerations

   This document requires registering a new parameter, "syncInfo", with
   IANA.  Like the "isSynced" parameter, it should be an optional
   parameter of the "timeQuality" structured data element.

5.  Contributors

   TBD

6.  Acknowledgements

   TBD

7.  Normative References

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009,
              <https://www.rfc-editor.org/info/rfc5424>.

Authors' Addresses

   Fengsheng Wang
   China Mobile
   32, Xuanwumen West
   BeiJing  100053
   China
   Email: wangfengsheng@chinamobile.com

   Meiling Chen
   China Mobile
   32, Xuanwumen West
   BeiJing  100053
   China
   Email: chenmeiling@chinamobile.com

   Li Su
   China Mobile
   32, Xuanwumen West
   BeiJing  100053
   China
   Email: suli@chinamobile.com
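Worked example for Sections 3.2 and 3.3, added by the editor; it is not part of the draft and not code from the authors or China Mobile.  It parses the "timeQuality" SD-ELEMENT of RFC 5424 messages, reads the proposed syncInfo value in the "remote:<host>|refid:<id>|st:<n>" form of the Section 3.2 example, enforces the Section 3.1 rule that syncInfo MUST NOT accompany isSynced="0", and applies the three collector outcomes of Section 3.3 (Figures 2 to 4) to sets of messages.  The host names, the sample messages and the MAX_TRUSTED_STRATUM threshold are assumptions: the draft says only "higher-quality external time source", which its figures show as a stratum-1 server fed by a stratum-0 reference.

```python
"""Editor's example (not code from the draft): parse the RFC 5424 "timeQuality"
SD-ELEMENT carrying the proposed syncInfo parameter and apply the collector
rules of Section 3.3.  Assumed: syncInfo uses the Section 3.2 form
"remote:<host>|refid:<id>|st:<n>", and a "higher-quality external time source"
is a stratum-1 server on a stratum-0 reference (MAX_TRUSTED_STRATUM).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TRUSTED_STRATUM = 1  # assumption; see module docstring

# RFC 5424 6.3: SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" '"' PARAM-VALUE '"') "]";
# PARAM-VALUE escapes '"', '\' and ']' with a backslash.
_SD_ELEMENT = re.compile(
    r'\[(?P<sdid>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' (?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_structured_data(field: str) -> Dict[str, Dict[str, str]]:
    """Parse the SD-ELEMENTs at the start of `field` into {SD-ID: {name: value}}.

    `field` is the STRUCTURED-DATA field, or the tail of a message after its
    six header fields (parsing stops where the MSG begins); "-" is the NILVALUE.
    """
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while field != "-" and (m := _SD_ELEMENT.match(field, pos)):
        elements[m.group("sdid")] = {  # undo the backslash escapes in each value
            p.group("name"): re.sub(r'\\(["\\\]])', r"\1", p.group("value"))
            for p in _SD_PARAM.finditer(m.group("params"))
        }
        pos = m.end()
    if field != "-" and not elements:
        raise ValueError(f"malformed STRUCTURED-DATA: {field[:40]!r}")
    return elements


@dataclass(frozen=True)
class SyncInfo:
    remote: str   # NTP server the originator synchronizes to (host or IP)
    refid: str    # that server's own upstream reference identifier
    stratum: int  # that server's stratum ("st")


def parse_sync_info(value: str) -> SyncInfo:
    """Parse "remote:<host>|refid:<id>|st:<n>" (Section 3.2 form)."""
    fields = dict(item.split(":", 1) for item in value.split("|"))
    missing = {"remote", "refid", "st"} - fields.keys()
    if missing:
        raise ValueError(f"syncInfo lacks {sorted(missing)}: {value!r}")
    return SyncInfo(fields["remote"], fields["refid"], int(fields["st"]))


def sync_info_of(message: str) -> Optional[SyncInfo]:
    """Time source of one RFC 5424 message, or None when it cannot be judged.

    Enforces Section 3.1: with isSynced="0", syncInfo MUST NOT be present.
    """
    parts = message.split(" ", 6)  # PRI+VERSION, TIMESTAMP, HOSTNAME, APP, PROCID, MSGID, rest
    if len(parts) < 7:
        raise ValueError("not an RFC 5424 message with STRUCTURED-DATA")
    tq = parse_structured_data(parts[6]).get("timeQuality", {})
    if tq.get("isSynced") != "1":
        if "syncInfo" in tq:
            raise ValueError('syncInfo present although isSynced is not "1"')
        return None
    if "syncInfo" not in tq:
        return None  # synced, but source not reported: nothing to compare
    return parse_sync_info(tq["syncInfo"])


def correlate(messages: List[str]) -> Tuple[bool, str]:
    """Section 3.3: are the timestamps of these originators' logs credible?"""
    infos = [sync_info_of(m) for m in messages]
    if any(i is None for i in infos):
        return False, "an originator is unsynchronized or reports no time source"
    remotes = {i.remote for i in infos}
    if len(remotes) == 1:  # Figure 2: same time source
        return True, f"all originators synchronize to {remotes.pop()}"
    worst = max(i.stratum for i in infos)
    if worst <= MAX_TRUSTED_STRATUM:  # Figure 3: each on a stratum-0 reference
        return True, "different sources, each a stratum-1 server on a stratum-0 reference"
    return False, f"a source at stratum {worst} is not a higher-quality reference"  # Figure 4


def sample(host: str, tq: str) -> str:
    """Constructed RFC 5424 message (example data only; RFC 2606 host names)."""
    return f"<14>1 2022-03-06T10:00:00Z {host} app 1 ID47 [timeQuality {tq}] login ok"


SAME_SOURCE = [sample("host1", 'isSynced="1" syncInfo="remote:ntp1.example.net|refid:GPS|st:1"'),
               sample("host2", 'isSynced="1" syncInfo="remote:ntp1.example.net|refid:GPS|st:1"')]
TWO_GOOD_SOURCES = [SAME_SOURCE[0],
                    sample("host2", 'isSynced="1" syncInfo="remote:ntp2.example.net|refid:PPS|st:1"')]
LOW_QUALITY_SOURCE = [SAME_SOURCE[0],
                      sample("host3", 'isSynced="1" syncInfo="remote:ntp3.example.net|refid:192.0.2.10|st:3"')]
UNSYNCED = [SAME_SOURCE[0], sample("host4", 'isSynced="0"')]

if __name__ == "__main__":
    for name, logs in [("same source", SAME_SOURCE), ("two stratum-1", TWO_GOOD_SOURCES),
                       ("stratum-3 source", LOW_QUALITY_SOURCE), ("unsynced", UNSYNCED)]:
        print(f"{name}: {correlate(logs)}")
```

Runs with python3 (3.8 or later); each scenario prints a (credible, reason) pair.  The limit of the scheme is visible in the code: syncInfo is asserted by the originator, so a collector can check the reported hierarchy for consistency and against its own knowledge of which NTP servers exist on the site, but it cannot tell from the message alone that the "remote" in Figure 1's FakeNTP case is not what it claims to be.  That is the gap a Security Considerations section, which idnits reports as missing, would need to address.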