Transport Layer Security (TLS) Transport Mapping for Syslog
draft-ietf-syslog-transport-tls-14

[Ballot discuss]
This document does not discuss how to support IDN in domain names
for identity checking as required by BCP 18.  I recommend copying
or referencing:
  draft-hodges-server-ident-check-00
for text on that topic.

The current text related to wildcards could create interopreability
problems.  It is not clear if wildcards are permitted in the middle
of domain names and what their meaning would be in that context.
I also believe system operators who spend the money to purchase a
wildcard certificate (which some CAs charge extra to produce) would
be extremely unhappy if they could not use their purchase with syslog
software.  For interoperability and least astonishment purposes,
shouldn't wildcard matching be mandatory-to-implement?  (It's fine
if it can be disabled by policy or is off-by-default).

The current text does not discuss how to compare IP addresses in an
interoperable fashion. I recommend referencing or copying text from:
  draft-hodges-server-ident-check-00

Question: did the WG consider creating (or reusing) an IANA registry
for hash function ASCII names?  In the event fingerprints algorithms
other than "SHA1" become useful in the future it would be helpful
to have such a registry for interoperability.

Proxy Discuss from Lars (since he's going on vacation):

Section 7.1., paragraph 1:
>    IANA is requested to assign a TCP port number in the range 1..1023
>    in
>    the http://www.iana.org/assignments/port-numbers registry which will
>    be the default port for syslog over TLS, as defined in this document.

  DISCUSS: What is the justification for allocating a system port? Why
  wouldn't a registered port suffice?

  (Note that IANA is changing procedures such that system ports are
  becoming more difficult to obtain, because we're running out of them.)

[Ballot comment]
I find it to be bad design that every time we bind TLS to a particular
protocol we have to duplicate lots of text about server identity checks,
domain name matching, etc.  Often these texts vary slightly in ways that
are unimportant to the underlying problem but will cause
operator/administrator consternation for no technical benefit.

This particular instantiation has some very good text about certificate
handling that probably belongs in all the other instances of this
problem, so I would strongly encourage the authors to contribute to
  draft-hodges-server-ident-check

One thing that could be added to the certificate handling text to
improve it further is a requirement to support importing new trust
anchors and/or removing or disabling any built-in trust anchors.

[Ballot discuss]
This document does not discuss how to support IDN in domain names
for identity checking as required by BCP 18.  I recommend copying
or referencing:
  draft-hodges-server-ident-check-00
for text on that topic.

The current text related to wildcards could create interopreability
problems.  It is not clear if wildcards are permitted in the middle
of domain names and what their meaning would be in that context.
I also believe system operators who spend the money to purchase a
wildcard certificate (which some CAs charge extra to produce) would
be extremely unhappy if they could not use their purchase with syslog
software.  For interoperability and least astonishment purposes,
shouldn't wildcard matching be mandatory-to-implement?  (It's fine
if it can be disabled by policy or is off-by-default).

The current text does not discuss how to compare IP addresses in an
interoperable fashion. I recommend referencing or copying text from:
  draft-hodges-server-ident-check-00

Question: did the WG consider creating (or reusing) an IANA registry
for hash function ASCII names?  In the event fingerprints algorithms
other than "SHA1" become useful in the future it would be helpful
to have such a registry for interoperability.

[Ballot discuss]
Section 7.1., paragraph 1:
>    IANA is requested to assign a TCP port number in the range 1..1023 in
>    the http://www.iana.org/assignments/port-numbers registry which will
>    be the default port for syslog over TLS, as defined in this document.

  DISCUSS: What is the justification for allocating a system port? Why
  wouldn't a registered port suffice?

  (Note that IANA is changing procedures such that system ports are
  becoming more difficult to obtain, because we're running out of them.)

IANA Last Call comments:

Upon approval of this document, the IANA will make the following
assignments in the "PORT NUMBERS" registry located at
http://www.iana.org/assignments/port-numbers
sub-registry "WELL KNOWN PORT NUMBERS"

Keyword Decimal Description References
------- ------- ----------- ----------
syslogs TBD/tcp syslog over TLS [RFC-syslog-transport-tls-13]


We understand the above to be the only IANA Action for this
document.

PROTO Write-up

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Chris Lonvick
Yes; I believe that the document is ready for publication.

===
(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

Adequate review has occurred from WG members, and it has been
reviewed by others. The reviews of the WG Last Call for this document
(-03 version) may be found here:

Bert Wijnen's review (not a member of the WG mailing list)
http://www1.ietf.org/mail-archive/web/syslog/current/msg01244.html

John Calcote's review
http://www1.ietf.org/mail-archive/web/syslog/current/msg01199.html

Other reviews of particular sections and concepts fill the WG mailing
list. Of note is Eric Rescorla's review (of -02)
http://www1.ietf.org/mail-archive/web/syslog/current/msg01100.html


The issues raised in these reviews have been discussed on the mailing list
and most of them were fixed in version -04. A very few minor issues were
also addressed from that which resulted in version -05. A final editorial
nit was corrected which resulted in version -06. I am satisfied about the
level of review.

===
(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

I have no concerns.

===
(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here.

There are no concerns about the technical merit of the document.

===
(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

There is strong consensus to publish this document.

===
(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No appeals have been threatened.

===
(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

===
(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

There are no informational references.

The document is dependant upon draft-ietf-syslog-protocol-19.txt which
is being submitted along with this document.

===
(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggested a
reasonable name for the new registry? See
[I-D.narten-iana-considerations-rfc2434bis]. If the document
describes an Expert Review process has Shepherd conferred with
the Responsible Area Director so that the IESG can appoint the
needed Expert during the IESG Evaluation?

The document IANA section is complete. No registries are requested.

===
(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The ABNF in the document has been verified through
http://www.apps.ietf.org/abnf.html

===
(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Writeup? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

This document describes the use of Transport Layer Security (TLS) to
provide a secure connection for the transport of syslog messages.
This document describes the security threats to Syslog and how TLS
can be used to counter such threats.

Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?

There was controversy around the IPR statement from Huawei from this
document. The Working Group examined the issue and came to consensus
that the statement would be accepted.

There was some controversy around the use of a special character to denote
the end of the payload, or a counter at the start of the payload to
indicate the length of the payload. The Working Group has consent that a
counter is the best mechanism.

There was also some controversy about the use of a dedicated port for this
initial version of syslog over TLS. The consensus was that a dedicated
port should be requested and that there should be no indication of
version. The consequence of this is that any future change to the mapping
of syslog over TLS, which is considered very unlikely, might require a
different port number. This lack of a version number in the mapping of
the application protocol to a transport is consistent in how syslog is
mapped to UDP, and is also consistent with similar mappings of ISMS and
netconf.

Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?

This protocol has very similar characteristics to implementations of
syslog over ssl that are available at this time. Members of the Working
Group have noted that it should be a very small change to bring those
implementations in line with this specification.

No vendors have announced that they will utilize this protocol. Some
vendors have indicated interest in supporting this document. A group of
university researchers have implemented this protocol and found that it is
practicable. Another member of the WG has indicated that he is currently
implementing the protocol as well.

The above named reviewers did an outstanding and thorough job.

Personnel
Who is the Document Shepherd for this document? Who is the Responsible
Area Director?
[Area] SECURITY
[WG] syslog
[I-D] draft-ietf-syslog-transport-tls-06.txt
[Qver] draft-ietf-proto-wgchair-doc-shepherding-08.txt
[Shep] Chris Lonvick
[AD] Sam Hartman
===