Security Issued in Network Event Logging BOF (syslog)

Tuesday, March 28 at 1545-1645
==============================

CHAIR: Chris M. Lonvick <clonvick@cisco.com> 

DESCRIPTION:

Syslog is a de facto standard for logging system events. However, the 
protocol component of this event logging system has not been formerly 
documented. While the protocol has been very useful and scaleable, it 
has some known but undocumented security problems. For instance, the 
messages are unauthenticated and there is no mechanism to provide 
verified delivery and message integrity. 


The goal of this working group is to document and address the security 
and integrity problems of the existing Syslog mechanism. In order to 
accomplish this task we will document the existing protocol. The working 
group will also explore and develop a standard to address the security 
problems.


Message authentication can be addressed in well-known ways using shared 
secrets or public keys. Because an important component of any solution 
will be the ease of transition from the existing mechanism, we will 
initially explore the use of shared secrets within the existing protocol 
with the intent of not impacting non-participants. Verifiable delivery, 
message integrity and authentication can also be explored in a tcp-based 
message delivery protocol.

AGENDA:

Introduction and Level Setting   -30 minutes

o   Syslog as de facto network event logging standard although the 
    protocol has never been described in an Internet Draft.  There
    are security weaknesses in the protocol.  At a high layer, these
    include
      - no authentication of the sender or receiver
      - no verification of delivery of the messages
    On the other hand, it does have a widespread implementation and 
    most users understand its scalability charactersitics.

o   Although machine authentication can be delivered through SSL/TLS 
    or IPSec, a simpler mechanism may be considered for syslog, such 
    as something similar to authenticated RIP or BGP.  Along with this, 
    a lightweight integrity check would be desireable.

o   A feedback mechanism between the message sender and the message
    receiver should be considered for verifiable delivery of the 
    messages.  This mechanism should also have a mechanism for message 
    authentication and integrity.

o   Because an important component of any solution will be the ease of 
    transition from the existing mechanism, we will initially explore 
    the use of shared secrets within the existing protocol with the 
    intent of not impacting non-participants. 

o   IPSec or TLS may be used for confidentiality.

Goals of a Secure Syslog Working Group  -20 minutes

o   Post as an Internet Draft the observed behavior of the Syslog 
    protocol for consideration as a Standards Track RFC.
o   Post as an Internet Draft the specification for an authenticated 
    Syslog for consideration as a Standards Track RFC.
o   Post as an Internet Draft the specification for an authenticated 
    Syslog with verifiable delivery and message integrity for consideration 
    as a Standards Track RFC.
o   Revise drafts as necessary and advance these Internet Drafts to 
    Standards Track RFCs.