syslog Working Group                                        A. Okmianski
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                       November 21, 2006
Expires: May 25, 2007

                 Transmission of syslog messages over UDP
                    draft-ietf-syslog-transport-udp-08

Status of this Memo

   By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 25, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the transport for syslog messages over UDP/IPv4 or UDP/IPv6. The syslog protocol layered architecture provides for support of any number of transport mappings. However, for interoperability purposes, syslog protocol implementers are required to support this transport mapping.

Table of Contents

   1    Introduction
   2    Conventions Used in This Document
   3    Transport Protocol
   3.1  One Message Per Datagram
   3.2  Message Size
   3.3  Source and Target Ports
   3.4  Source IP Address
   3.5  UDP/IP Structure
   3.6  UDP Checksums
   4    Reliability Considerations
   4.1  Lost Datagrams
   4.2  Message Corruption
   4.3  Congestion Control
   4.4  Sequenced Delivery
   5    Security Considerations
   5.1  Sender Authentication and Message Forgery
   5.2  Message Observation
   5.3  Replaying
   5.4  Unreliable Delivery
   5.5  Message Prioritization and Differentiation
   5.6  Denial of Service
   6    IANA Considerations
   7    Notice to RFC Editor
   8    Acknowledgements
   9.   References
   9.1  Normative References
   9.2  Informative References
        Author's Address
        Intellectual Property and Copyright Statements

1 Introduction

   The informational RFC 3164 [6] describes the syslog protocol as it was observed in existing implementations. It describes both the format of syslog messages and a UDP [1] transport. Subsequently, the syslog protocol has been formally defined in the RFC-protocol [2].

   The RFC-protocol specifies a layered architecture that provides for support of any number of transport layer mappings for transmitting syslog messages. This document describes the UDP transport mapping for the syslog protocol.

   The transport described in this document can be used for transmitting syslog messages over both IPv4 [3] and IPv6 [4]. The IPv4 version of this transport mapping is REQUIRED for all syslog protocol implementations on devices supporting IPv4. The IPv6 version of this transport mapping is REQUIRED for all syslog protocol implementations on IPv6-only devices. These requirements are mandated for interoperability purposes.

   Network administrators and architects should be aware of the significant reliability and security issues of this transport, which stem from the use of UDP. They are documented in this specification. However, this transport is lightweight and is built upon the existing popular use of UDP for syslog.
2 Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [5].

3 Transport Protocol

3.1 One Message Per Datagram

   Each syslog UDP datagram MUST contain only one syslog message, which MAY be complete or truncated. The message MUST be formatted and truncated according to the RFC-protocol [2]. Additional data MUST NOT be present in the datagram payload.

3.2 Message Size

   This transport mapping supports transmission of syslog messages up to 65535 octets in size. This limit stems from the maximum supported UDP payload of 65535 octets specified in the RFC 768 [1].

   IPv4 syslog receivers MUST be able to receive datagrams with message size up to and including 480 octets. IPv6 syslog receivers MUST be able to receive datagrams with message size up to and including 1180 octets. All syslog receivers SHOULD be able to receive datagrams with message size of at least 2048 octets.

   The above restrictions and recommendations establish a baseline for interoperability. The minimum required message size support was determined based on the minimum MTU size that internet hosts are required to support: 576 octets for IPv4 [3] and 1280 octets for IPv6 [4]. Datagrams that fall within these limits have the greatest chance of being delivered because they do not require fragmentation.

   It is RECOMMENDED that syslog senders restrict message sizes such that IP datagrams do not exceed the smallest MTU of the network in use. This avoids datagram fragmentation and possible issues surrounding fragmentation such as incorrect MTU discovery. Fragmentation can be undesirable because it increases the risk of the message being lost due to loss of just one datagram fragment.
   When network MTU is not known in advance and cannot be reliably determined using path MTU discovery [7], the safest assumption is to restrict messages to 480 octets for IPv4 and 1180 octets for IPv6.

3.3 Source and Target Ports

   Syslog receivers MUST support accepting syslog datagrams on the well-known UDP port 514, but MAY be configurable to listen on a different port. Syslog senders MUST support sending syslog message datagrams to the UDP port 514, but MAY be configurable to send messages to a different port. Syslog senders MAY use any source UDP port for transmitting messages.

3.4 Source IP Address

   The source IP address of the UDP datagrams SHOULD NOT be interpreted as the identifier for the host that originated the syslog message. The entity sending the syslog message could be merely a relay. The syslog message itself contains the identifier of the originator of the message.

3.5 UDP/IP Structure

   Each UDP/IP datagram sent by the transport layer MUST completely adhere to the structure specified in the UDP RFC 768 [1] and either IPv4 RFC 791 [3] or IPv6 RFC 2460 [4] depending on which protocol is used.

3.6 UDP Checksums

   Use of UDP checksums was defined as OPTIONAL in RFC 768 [1]. IPv6 has subsequently made UDP checksums REQUIRED in RFC 2460 [4].

   It is RECOMMENDED that syslog senders use valid UDP checksums when sending messages over IPv4 and IPv6.

   It is RECOMMENDED that syslog receivers check the checksums whenever they are present (i.e. the UDP header checksum field value is not 0) and discard messages with incorrect checksums. Note that this is typically accomplished by the UDP layer implementation, and some UDP implementations allow for checksum validation to be enabled or disabled.

4 Reliability Considerations

   The UDP is an unreliable low-overhead protocol.
   This section discusses reliability issues inherent in UDP that implementers and users MUST be aware of.

4.1 Lost Datagrams

   This transport mapping does not provide any mechanism to detect and correct loss of datagrams. Datagrams can be lost in transit due to congestion, corruption, or any other intermittent network problem. IP fragmentation exacerbates this problem because loss of a single fragment will result in the entire message being discarded.

   In some circumstances the sender can receive an ICMP error message or other indication of a transmission problem. If the sender receives a reasonable indication that a datagram has been lost, it MAY retransmit the datagram.

4.2 Message Corruption

   The UDP/IP datagrams can get corrupted in transit due to software, hardware, or network errors. This transport mapping specifies use of UDP checksums to enable corruption detection in addition to checksums used in IP and Layer 2 protocols. However, checksums do not guarantee corruption detection, and this transport mapping does not provide for message retransmission when a corrupt message is detected.

   A special case of corruption is corruption introduced by the UDP implementation itself. For example, several earlier UDP implementations defaulted to a buffer size of less than 65535 octets and truncated larger payloads upon receipt [8]. By following the message size recommendations specified in this document, application developers can significantly reduce the risk of this type of error.

4.3 Congestion Control

   The UDP does not provide for congestion control. Any network host or router can discard UDP packets when it is overloaded, and can optionally provide an ICMP error to indicate this. One or multiple syslog senders can maliciously or inadvertently overload the receiver or the network infrastructure and cause loss of syslog messages.
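   Because the transport will not slow a sender down, an implementation can bound its own offered load so that it stays within the share of path capacity provisioned for syslog. The token-bucket sender below is an added example, not code from the draft or its author; the rate and burst parameters are hypothetical operator settings, and the clock is injected so that the drop behaviour can be reproduced without a network.

```python
import socket
import time


class RateLimitedSyslogSender:
    """UDP syslog sender that caps its own offered load with a token bucket.

    UDP gives no congestion control (section 4.3), so the sender enforces
    an operator-chosen byte budget sized to the provisioned share of path
    capacity. Datagrams that do not fit are dropped and counted at the
    source instead of being queued without bound: holding them back only
    moves the loss into the network, where it also costs other UDP traffic.
    rate_bytes_per_s and burst_bytes are hypothetical knobs; clock is
    injectable for deterministic testing.
    """

    def __init__(self, rate_bytes_per_s, burst_bytes, clock=time.monotonic):
        self.rate = float(rate_bytes_per_s)   # sustained budget
        self.burst = float(burst_bytes)       # bucket capacity
        self.tokens = float(burst_bytes)      # start with a full bucket
        self.clock = clock
        self.last = clock()
        self.sent = 0
        self.dropped = 0

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst,
                          self.tokens + (now - self.last) * self.rate)
        self.last = now

    def admit(self, payload):
        """True if payload fits the budget (and debits it), else False."""
        self._refill()
        if len(payload) > self.tokens:
            self.dropped += 1
            return False
        self.tokens -= len(payload)
        self.sent += 1
        return True

    def send(self, sock, payload, addr):
        """Send one message per datagram, only when the budget allows it."""
        if not self.admit(payload):
            return False
        sock.sendto(payload, addr)
        return True


def demo():
    """Scripted burst under a fake clock; returns (sent, dropped).

    Budget 100 octets/s with a 250-octet burst: six 100-octet messages at
    t=0 (two fit, four are shed), then one more at t=1 after refill.
    """
    now = [0.0]
    sender = RateLimitedSyslogSender(100, 250, clock=lambda: now[0])
    msg = b"<14>constructed 100-octet message ".ljust(100, b"x")
    for _ in range(6):
        sender.admit(msg)
    now[0] = 1.0
    sender.admit(msg)
    return sender.sent, sender.dropped


if __name__ == "__main__":
    print("sent=%d dropped=%d" % demo())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        live = RateLimitedSyslogSender(rate_bytes_per_s=4096, burst_bytes=8192)
        live.send(s, b"<14>constructed live message", ("127.0.0.1", 514))
```

   The drop counter is the point of the design: a sender that knows how many messages it shed can report that fact in a later message, whereas loss inside the network is silent.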
   If the potentially unrestricted use of syslog data being transferred over UDP in a particular deployment can saturate the link, then the network path should be provisioned so the offered load (including syslog packets) does not exceed the path capacity. Otherwise, some of the syslog packets could be lost, or cause the loss of other UDP packets.

4.4 Sequenced Delivery

   The IP transport used by the UDP does not guarantee that the sequence of datagram delivery will match the order in which the datagrams were sent. The time stamp contained within each syslog message can serve as a rough guide in establishing sequence order, but it will not help in cases when multiple messages were generated during the same time slot, the sender cannot generate a time stamp, or messages originated from different hosts whose clocks are not synchronized. If present, Structured Data element 'sequenceId' contained within syslog messages MAY help in establishing the sequence of messages from a single sender. The order of syslog message arrival via this transport SHOULD NOT be used as an authoritative guide in establishing an absolute or relative sequence of events on the syslog sender hosts.

5 Security Considerations

   Several syslog security considerations are discussed in RFC-protocol [2]. This section focuses on security considerations specific to the syslog transport over UDP. Some of the security issues raised in this section can be mitigated through the use of IPSec as defined in RFC 4301 [9].

5.1 Sender Authentication and Message Forgery

   This transport mapping does not provide for strong sender authentication. The receiver of the syslog message will not be able to ascertain that the message was indeed sent from the reported sender, or whether the packet was sent from another device.
   This can also lead to a case of mistaken identity if an inappropriately configured machine sends syslog messages to a receiver representing itself as another machine.

   This transport mapping does not provide protection against syslog message forgery. An attacker can transmit syslog messages (either from the machine from which the messages are purportedly sent or from any other machine) to a receiver.

   In one case, an attacker can hide the true nature of an attack amidst many other messages. As an example, an attacker can start generating forged messages indicating a problem on some machine. This can get the attention of the system administrators, who will spend their time investigating the alleged problem. During this time, the attacker could compromise a different machine or a different process on the same machine.

   Additionally, an attacker can generate false syslog messages to give untrue indications of the status of systems. As an example, an attacker can stop a critical process on a machine, which could generate a notification of exit. The attacker can subsequently generate a forged notification that the process had been restarted. The system administrators could accept that misinformation and not verify that the process had indeed not been restarted.

5.2 Message Observation

   This transport mapping does not provide confidentiality of the messages in transit. If syslog messages are in clear text, this is how they will be transferred. In most cases passing clear-text human-readable messages is a benefit to the administrators. Unfortunately, an attacker could also observe the human-readable contents of syslog messages. The attacker could then use the knowledge gained from these messages to compromise a machine.
   It is RECOMMENDED that no sensitive information be transmitted via this transport mapping or that transmission of such information be restricted to properly secured networks.

5.3 Replaying

   Message forgery and observation can be combined into a replay attack. An attacker could record a set of messages that indicate normal activity of a machine. At a later time, an attacker could remove that machine from the network and replay the syslog messages with new time stamps. The administrators could find nothing unusual in the received messages, and their receipt would falsely indicate normal activity of the machine.

5.4 Unreliable Delivery

   As was previously discussed in the Reliability Considerations section, the UDP transport is not reliable, and packets containing syslog message datagrams can be lost in transit without any notice. There can be security consequences to the loss of one or more syslog messages. Administrators could be unaware of a developing and potentially serious problem. Messages could also be intercepted and discarded by an attacker as a way to hide unauthorized activities.

5.5 Message Prioritization and Differentiation

   This transport mapping does not mandate prioritization of syslog messages on the wire or when processed on the receiving host based on their severity. Unless some prioritization is implemented by sender, receiver and/or network, the security implication of such behavior is that the syslog receiver or network devices could get overwhelmed with low-severity messages and be forced to discard potentially high-severity messages.

5.6 Denial of Service

   An attacker could overwhelm a receiver by sending more messages to it than could be handled by the infrastructure or the device itself.
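   Sections 5.5 and 5.6 describe the same receiver-side failure mode from two angles: a flood of low-severity or unsolicited datagrams crowding out the messages that matter. The admission policy below is an added example, not code from the draft or its author. It combines a source-network allowlist with severity-aware shedding once the receive queue is deep. The network ranges and thresholds are constructed; the PRI decoding (PRI = facility * 8 + severity, lower numbers more severe) is taken from the syslog protocol documents rather than this draft; and, as section 3.4 warns, the source address is only a filter, never an identity.

```python
import ipaddress
import socket

# Constructed policy (hypothetical values, not from the draft).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]
OVERLOAD_DEPTH = 1000        # queued datagrams at which shedding begins
KEEP_SEVERITY_UP_TO = 4      # under overload keep 0..4 (emerg..warning)


def parse_severity(payload):
    """Severity from the <PRI> prefix, PRI = facility * 8 + severity.

    That encoding comes from the syslog protocol documents, not from this
    transport draft. Returns None if no well-formed PRI (0..191) is present.
    """
    if not payload.startswith(b"<"):
        return None
    end = payload.find(b">", 1, 5)         # PRI has 1 to 3 digits
    if end == -1 or not payload[1:end].isdigit():
        return None
    pri = int(payload[1:end])
    return pri % 8 if pri <= 191 else None


def admit(src_ip, payload, queue_depth):
    """Decide whether a received datagram enters the processing queue.

    Returns (accepted, reason). Two independent controls:
      * an allowlist of source networks. This is a coarse filter only: the
        source address is spoofable and may belong to a relay rather than
        the originator (sections 3.4 and 5.1), so it authenticates nothing.
      * severity-aware shedding once the queue is deep (section 5.5), so a
        flood of low-severity messages cannot push out high-severity ones.
        Messages without a parseable PRI are treated as debug (7), an
        assumption of this example, so they are shed first.
    """
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False, "source not in allowlist"
    severity = parse_severity(payload)
    if severity is None:
        severity = 7
    if queue_depth >= OVERLOAD_DEPTH and severity > KEEP_SEVERITY_UP_TO:
        return False, "shed under overload (severity %d)" % severity
    return True, "accepted"


def demo():
    """Constructed datagrams run through admit(); returns the accepted count."""
    samples = [
        ("192.0.2.10", b"<34>1 constructed crit message", 0),
        ("198.51.100.7", b"<34>1 constructed, unknown source", 0),
        ("192.0.2.10", b"<14>1 constructed info message", OVERLOAD_DEPTH),
        ("2001:db8::1", b"<9>1 constructed alert message", OVERLOAD_DEPTH),
        ("192.0.2.10", b"no PRI at all", OVERLOAD_DEPTH),
    ]
    return sum(1 for src, data, depth in samples if admit(src, data, depth)[0])


def serve(bind_addr="0.0.0.0", port=514, queue=None, max_size=2048):
    """Receive loop: one datagram is one message (section 3.1); the 2048
    octet receive buffer is the size receivers SHOULD support (3.2)."""
    queue = [] if queue is None else queue
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            payload, (src_ip, _) = sock.recvfrom(max_size)
            accepted, reason = admit(src_ip, payload, len(queue))
            if accepted:
                queue.append((src_ip, payload))
            else:
                print("dropped from %s: %s" % (src_ip, reason))


if __name__ == "__main__":
    print("accepted %d of 5 constructed datagrams" % demo())
```

   Shedding by severity keeps the high-severity messages the operator most needs during an overload, but it does not make the transport reliable: a dropped datagram is still lost silently, as section 5.4 notes.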
   Implementers SHOULD attempt to provide features that minimize this threat such as optionally restricting reception of messages to a set of known source IP addresses.

6 IANA Considerations

   IANA MUST reserve UDP port 514 for this transport.

7 Notice to RFC Editor

   This is a notice to the RFC editor. This ID is submitted along with ID draft-ietf-syslog-protocol and they cross-reference each other. When RFC numbers are determined for each of these IDs, please replace all references to "RFC-protocol" with the RFC number of draft-ietf-syslog-protocol ID. Also, please update the date in the section referencing the new RFC. Please remove this section after editing.

8 Acknowledgements

   The author gratefully acknowledges the contributions of: Chris Lonvick, Rainer Gerhards, David Harrington, Andrew Ross, Albert Mietus, Bernie Volz, Mickael Graham, Greg Morris, Alexandra Fedorova, Devin Kowatch, Richard Graveman, and all others who have commented on the various versions of this proposal.

9. References

9.1. Normative References

   [1] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.

   [2] Gerhards, R., "The syslog Protocol", RFC RFC-protocol, January 2007.

   [3] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

   [4] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

   [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

9.2. Informative References

   [6] Lonvick, C., "The BSD Syslog Protocol", RFC 3164, August 2001.

   [7] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, November 1990.

   [8] Stevens, W., "TCP/IP Illustrated Volume 1. The Protocols.", January 1994.

   [9] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
Author's Address

   Anton Okmianski
   Cisco Systems, Inc.
   1414 Massachusetts Ave
   Boxborough, MA 01719-2205
   USA

   Phone: +1-978-936-1612
   Email: aokmians@cisco.com

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).