Transport Layer Security (TLS) Transport Mapping for Syslog
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: Internet Architecture Board <email@example.com>, RFC Editor <firstname.lastname@example.org>, syslog mailing list <email@example.com>, syslog chair <firstname.lastname@example.org> Subject: Protocol Action: 'TLS Transport Mapping for Syslog' to Proposed Standard The IESG has approved the following document: - 'TLS Transport Mapping for Syslog ' <draft-ietf-syslog-transport-tls-14.txt> as a Proposed Standard This document is the product of the Security Issues in Network Event Logging Working Group. The IESG contact persons are Pasi Eronen and Tim Polk. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-14.txt
Technical Summary This document describes the use of Transport Layer Security (TLS) to provide a secure connection for the transport of syslog messages. This document describes the security threats to Syslog and how TLS can be used to counter such threats. Working Group Summary There was controversy around the IPR statement from Huawei from this document. The Working Group examined the issue and came to consensus that the statement would be accepted. There was some controversy around the use of a special character to denote the end of the payload, or a counter at the start of the payload to indicate the length of the payload. The Working Group has consent that a counter is the best mechanism. There was also some controversy about the use of a dedicated port for this initial version of syslog over TLS. The consensus was that a dedicated port should be requested and that there should be no indication of version. The consequence of this is that any future change to the mapping of syslog over TLS, which is considered very unlikely, might require a different port number. This lack of a version number in the mapping of the application protocol to a transport is consistent in how syslog is mapped to UDP, and is also consistent with similar mappings of ISMS and netconf. Support for certificate fingerprint matching was added to address concerns from the ADs (Sam and Pasi) about deployability in small environments without a PKI. Other alternatives for providing "good enough" level of security without a PKI were discussed as well. Document Quality This protocol has very similar characteristics to implementations of syslog over SSL that are available at this time. Members of the Working Group have noted that it should be a very small change to bring those implementations in line with this specification. No vendors have announced that they will utilize this protocol. Some vendors have indicated interest in supporting this document. A group of university researchers have implemented this protocol and found that it is practicable. Another member of the WG has indicated that he is currently implementing the protocol as well. Personnel Chris Lonvick is the Document Shepherd; Pasi Eronen is the Responsible AD.