Technical Summary
This document describes the use of Transport Layer Security (TLS)
to provide a secure connection for the transport of syslog
messages. This document describes the security threats to Syslog
and how TLS can be used to counter such threats.
Working Group Summary
There was controversy around the IPR statement from Huawei from
this document. The Working Group examined the issue and came to
consensus that the statement would be accepted.
There was some controversy around the use of a special character to
denote the end of the payload, or a counter at the start of the
payload to indicate the length of the payload. The Working Group
has consent that a counter is the best mechanism.
There was also some controversy about the use of a dedicated port
for this initial version of syslog over TLS. The consensus was that
a dedicated port should be requested and that there should be no
indication of version. The consequence of this is that any future
change to the mapping of syslog over TLS, which is considered very
unlikely, might require a different port number. This lack of a
version number in the mapping of the application protocol to a
transport is consistent in how syslog is mapped to UDP, and is also
consistent with similar mappings of ISMS and netconf.
Support for certificate fingerprint matching was added to address
concerns from the ADs (Sam and Pasi) about deployability in small
environments without a PKI. Other alternatives for providing "good
enough" level of security without a PKI were discussed as well.
Document Quality
This protocol has very similar characteristics to implementations
of syslog over SSL that are available at this time. Members of the
Working Group have noted that it should be a very small change to
bring those implementations in line with this specification.
No vendors have announced that they will utilize this
protocol. Some vendors have indicated interest in supporting this
document. A group of university researchers have implemented this
protocol and found that it is practicable. Another member of the WG
has indicated that he is currently implementing the protocol as
well.
Personnel
Chris Lonvick is the Document Shepherd; Pasi Eronen is the
Responsible AD.