WARNING: This server is unstable and will be retired in the next days.
If you want to keep this forum available, please request immediately a migration
on the Nabble Support forum.
Forums that don't receive any migration request will be deleted forever.
One difference between the security considerations for syslog over
DTLS and those for syslog over TLS (unnoted in the current Security
Considerations section) is that DTLS does not provide retransmission.
If an attacker can cause a packet to be dropped (especially one
carrying significant information about an attack), the transport
receiver may not consider this a significant event and so the syslog
server may be completely unaware of the occurrence. This contrasts
with syslog over TLS where a dropped packet would be retransmitted
until acknowledged or until the TLS connection goes down (indicating
to the transport sender and receiver and perhaps to the syslog client
and server that a significant event has occurred). Maybe it would be
a good idea to recommend that the transport receiver notice gaps in
the DTLS sequence numbers and notify the syslog server. Still, this
is not as good from a security standpoint as syslog over TLS since
none of the client code will be aware that the dropped message was
not received. At least, there should be a discussion of this issue
in the Security Considerations section of this document.
My comments back to the reviewer and the IESG:
It's discussed in section 5.4 (Unreliable Delivery - in the Security
Considerations section) in RFC 5426 and throughout Section 3.1
(Loss-Insensitive Messaging) in RFC 4347. I'm thinking that it would be
good to note this in Section 4 (Using DTLS to Secure Syslog) in the draft.
Overall, the community is comfortable with the loss of information as
they've been using syslog/udp for many years and know the problems with
that. RFC 5424 also notes that implementers who wish a lossless stream
should be using tls/tcp as their transport. From that, it's probably best
to reference RFC 5848 (referenced as draft-ietf-syslog-sign in the draft)
which can also provide an indication of loss of messages. "
ACTION: I'd like to get some discussion going on this. Do people think
that this is good?