syslog Working Group A. Okmianski Internet-Draft Cisco Systems, Inc. Expires: August 1, 2004 February 2004 Transmission of syslog messages over UDP draft-ietf-syslog-transport-udp-00 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 1, 2004. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document describes the UDP transport for the syslog protocol. Okmianski Expires August 1, 2004 [Page 1] Internet-Draft syslog udp transport February 2004 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Transport Protocol . . . . . . . . . . . . . . . . . . . . . . 4 2.1 Definitions and Architecture . . . . . . . . . . . . . . . . . 4 2.2 Required Transport Protocol . . . . . . . . . . . . . . . . . 4 2.3 Datagram Content . . . . . . . . . . . . . . . . . . . . . . . 4 2.4 Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Reliability Considerations . . . . . . . . . . . . . . . . . . 5 3.1 Lost Datagrams . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Message Corruption and Checksums . . . . . . . . . . . . . . . 5 3.3 Congestion Control . . . . . . . . . . . . . . . . . . . . . . 6 3.4 Sequenced Delivery . . . . . . . . . . . . . . . . . . . . . . 6 3.5 IP Fragmentation . . . . . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 4.1 Message Authenticity . . . . . . . . . . . . . . . . . . . . . 8 4.2 Authentication Problems . . . . . . . . . . . . . . . . . . . 8 4.3 Message Forgery . . . . . . . . . . . . . . . . . . . . . . . 8 4.4 Message Observation . . . . . . . . . . . . . . . . . . . . . 9 4.5 Replaying . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.6 Reliable Delivery . . . . . . . . . . . . . . . . . . . . . . 9 4.7 Message Prioritization and Differentiation . . . . . . . . . . 9 4.8 Denial of Service . . . . . . . . . . . . . . . . . . . . . . 10 4.9 Covert Channels . . . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6. Notice to RFC Editor . . . . . . . . . . . . . . . . . . . . . 12 7. Authors and Working Group Chair . . . . . . . . . . . . . . . 13 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 15 Intellectual Property and Copyright Statements . . . . . . . . 16 Okmianski Expires August 1, 2004 [Page 2] Internet-Draft syslog udp transport February 2004 1. Introduction The original syslog protocol has been described in an informational RFC 3164 [1] as it has been observed in existing implementations. Subsequently, the syslog protocol has been formally described in a standards track RFC-protocol [2], which obsoleted RFC 3164 [1]. The RFC-protocol [2] has provided for support of any number of transport layer protocols for transmitting syslog messages and left it to subsequent RFCs to specify transport protocols. This standards track RFC describes the UDP transport for the syslog protocol and establishes this transport protocol as REQUIRED for all syslog protocol implementations. The UDP protocol has been described in RFC 768 [3] and additional clarifications have been provided in RFC 1122 [4]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [5]. Okmianski Expires August 1, 2004 [Page 3] Internet-Draft syslog udp transport February 2004 2. Transport Protocol 2.1 Definitions and Architecture The following definitions will be used in this document: An application that can generate syslog messages will be called a "client"; An application that can receive syslog messages will be called a "server". A given host or an application can function in dual capacity. For example, a syslog relay may receive and forward messages. In this case, the relay is functioning as a server when receiving messages and as a client when sending messages it intends to forward. 2.2 Required Transport Protocol This document describes the UDP transport layer protocol for the syslog protocol RFC-protocol [2]. Every syslog client and server implementation which adheres to the RFC-protocol [2], MUST implement the UDP transport protocol specified in this document. 2.3 Datagram Content Each syslog message MUST be transmitted in a separate UDP datagram. When syslog messages are broken into multiple parts as permitted in the RFC-protocol [2], then each syslog message part MUST be sent in a separate datagram. Each UDP datagram MUST adhere to the structure specified in UDP RFC 768 [3]. The UDP datagram data field MUST NOT include any extra data such as additional headers or trailer other than the well-formatted syslog message. 2.4 Port Syslog servers MUST support accepting syslog message datagrams on a well-known UDP port 514. Syslog clients MUST support sending syslog message datagrams to UDP port 514. Syslog clients can use any originating port for transmitting messages. Okmianski Expires August 1, 2004 [Page 4] Internet-Draft syslog udp transport February 2004 3. Reliability Considerations The UDP is an unreliable low-overhead protocol. This section discusses reliability issues inherent to the UDP that implementers and users must be aware of. 3.1 Lost Datagrams Neither UDP nor syslog protocol provide any mechanism to detect loss of datagrams and request a resend. Datagrams may be lost in transit due to congestion, corruption or any other intermittent network problem. The server and client applications may not get any notifications of such loss. In some circumstances the client application may receive an ICMP error message or other indication of a transmission problem. If client application receives a reasonable indication that some messages could have been lost, it MAY retransmit previously sent messages. When transmitting multi-part syslog messages according to RFC-protocol [2], the syslog server is required to re-assemble the complete syslog message out multiple parts. In this case, if only some datagrams are missing, the server will detect the loss of datagrams. However, there is no mechanism for the syslog server to request missing syslog message datagrams. The expected behavior of the syslog server when it can not reassemble the multi-part syslog message is described in RFC-protocol [2]. 3.2 Message Corruption and Checksums The UDP datagrams may get corrupted in transit due to software, hardware or network errors. Some errors can be detected by the lower network (i.e. IP) or datalink (i.e. Ethernet) layers. When corruption is detected, the packet or frame is normally discarded. Typically, corruption detection features of the network and datalink layer protocols do not guarantee corruption detection in every case. The UDP provides for an additional mechanism to detect corruption. The UDP RFC 768 [3] provides for using checksums, but does not require them. The UDP checksums have been made mandatory by the RFC 1122 [4]. In light of potential presence of legacy infrastructure, we can not require checksums, but their use is RECOMMENDED. Syslog clients SHOULD provide the UDP checksum in each UDP datagram and syslog servers SHOULD validate checksums. Datagrams with invalid checksums SHOULD be discarded by the syslog server implementations. Even when properly utilized, the UDP checksums do not provide an Okmianski Expires August 1, 2004 [Page 5] Internet-Draft syslog udp transport February 2004 absolute guarantee of corruption detection. Users of syslog protocol must be aware of potential corruption inherent in the UDP transport. 3.3 Congestion Control The UDP transport does not provide for congestion control. Some systems (hosts or routers) may generate ICMP source quench error, but they are not required to do so according to Stevens94 [6]. Regardless of whether or not the system sends diagnostic ICMP messages, it can discard UDP packets when it is overloaded. The UDP does not have any inherent features for congestion control. Therefore, one or multiple syslog clients can maliciously or inadevertently overload the server or the network infrastructure and cause loss of legitimate syslog messages. 3.4 Sequenced Delivery The IP transport utilized by the UDP does not guarantee that the sequence of datagram delivery will match the order in which the datagrams have been sent. The time stamp contained within each syslog message may serve as some guide in establishing sequence order, but it will not help in cases when multiple messages were generated during the same time slot or when messages originated from different hosts whose clocks are not synchronized. The order of syslog message arrival via the UDP transport SHOULD NOT be used as an authoritative guide in establishing the sequence of events on the syslog client hosts. 3.5 IP Fragmentation The UDP IP packets can be fragmented by the IP layer transport at the sending host or in transit in order to satisfy the Maximum Transmission Unit (MTU) size of a particular network. Fragmented packets are then reassembled into a single datagram at the syslog server host by the IP layer. Fragmentation is generally considered harmful for several reasons which have been described in Kent87 [7]. Fragmentation introduces performance overhead for fragmenting and reassembling packets. Fragmentation also increases the risk that datagram will need to be discarded by the IP layer implementation because one fragment of the datagram packet got lost. Syslog client implementers and users SHOULD try to avoid IP fragmentation. It is RECOMMENDED that syslog messages which are transmitted using this transport are kept to a total size of 548 bytes or less. This recommendation is based on RFC 1122 Section 3.3.3 [4] which recommends a default IP packet MTU of 576 bytes. Subtracting the IPv4 header of 20 bytes and UDP header of 8 bytes, we have 548 bytes remaining for the UDP datagram data field. Okmianski Expires August 1, 2004 [Page 6] Internet-Draft syslog udp transport February 2004 It is RECOMMENDED that syslog client implementations provide a mechanism to set the MTU size and that they fragment the IP packets according to this size. This would allow an administrator to manually configure MTU instead of relying on the IP protocol stack to auto-discover it and risk the datagrams being truncated or lost when wrong MTU is used. Okmianski Expires August 1, 2004 [Page 7] Internet-Draft syslog udp transport February 2004 4. Security Considerations Several syslog security considerations have been discussed in RFC-protocol [2] . This section focuses on security considerations specific to the UDP transport. 4.1 Message Authenticity The UDP syslog transport does not strongly associate the message with the message sender. The receiver of the syslog message will not be able to ascertain that the message was indeed sent from the reported sender, or if the packet was sent from another device. It should be noted here that the message receiver does not need to verify that the HOSTNAME field in the syslog HEADER matches the name of the IP address contained in the Source Address field of the IP packet. 4.2 Authentication Problems One possible consequence of this behavior is that a misconfigured machine may send syslog messages to a collector representing itself as another machine. The administrative staff may become confused that the status of the supposed sender of the messages may not be accurately reflected in the received messages. The administrators may not be able to readily discern that there are two or more machines representing themselves as the same machine. 4.3 Message Forgery Malicious exploits of this behavior have also been noted. An attacker may transmit syslog messages (either from the machine from which the messages are purportedly sent or from any other machine) to a collector. In one case, an attacker may hide the true nature of an attack amidst many other messages. As an example, an attacker may start generating forged messages indicating a problem on some machine. This may get the attention of the system administrators who will spend their time investigating the alleged problem. During this time, the attacker may be able to compromise a different machine, or a different process on the same machine. Additionally, an attacker may generate false syslog messages to give untrue indications of status or of events. As an example, an attacker may stop a critical process on a machine, which may generate a notification of exit. The attacker may subsequently generate a forged notification that the process had been restarted. The system administrators may accept that misinformation and not verify that the process had indeed been restarted. Okmianski Expires August 1, 2004 [Page 8] Internet-Draft syslog udp transport February 2004 4.4 Message Observation The UDP syslog transport specified in this document does not provide confidentiality of the messages in transit. In most cases passing clear-text human-readable messages is a benefit to the administrators. Unfortunately, an attacker may also be able to observe the human-readable contents of syslog messages. The attacker may then use the knowledge gained from those messages to compromise a machine or do other damage. It is RECOMMENDED that no sensitive information is transmitted via the UDP syslog transport or that transmission of such information is restricted to properly secured network. 4.5 Replaying Message forgery and observation can be combined into a replay attack. An attacker may record a set of messages that indicate normal activity of a machine. At a later time, that attacker may remove that machine from the network and replay the syslog messages to the collector with new time stamps. The administrators may find nothing unusual in the received messages and their receipt would falsely indicate normal activity of the machine. 4.6 Reliable Delivery As was previously discussed in the Reliability Considerations section, the UDP transport is not reliable and packets containing syslog message datagrams can be dropped in transit. There can be security consequences of the loss of one or more syslog messages. Administrators may not become aware of a developing and potentially serious problem. Messages may also be intercepted and discarded by an attacker as a way to hide unauthorized activities. 4.7 Message Prioritization and Differentiation The UDP syslog transport described in this document does not require prioritiziation of syslog messages on the wire or when processed on the receiving host based on their severity. The security implication of such behavior is that the syslog server or network devices may get overwhelmed with low severity messages and be forced to discard messages among which could be high severity messages. High severity messages may contain indication about serious security problems, but they will not get a higher priority. It is difficult to make sure that high severities messages get higher end-to-end delivery priority, especially over an unreliable UDP transport. On a case-by-case basis, device operators may find some way to associate the different severity levels with the quality of service Okmianski Expires August 1, 2004 [Page 9] Internet-Draft syslog udp transport February 2004 identifiers. As an example, the operators may elect to define some linkage between syslog messages that have a specific Priority value with a specific value to be used in the IPv4 Precedence field [8], the IPv6 Traffic Class octet [9], or the Differentiated Services field [10]. However, even with this prioritization on the network, high load can lead to buffer starvation on the receiving host and result in dropped messages. 4.8 Denial of Service An attacker may overwhelm a receiver by sending more messages to it than can be handled by the infrastructure or the device itself. Implementers SHOULD attempt to provide features that minimize this threat such as only receiving syslog messages from known IP addresses. 4.9 Covert Channels This protocol does not attempts to eliminate covert channels. Indeed, syslog message syntax could be very amenable to sending embedded secret messages. In fact, just about every aspect of syslog messages lends itself to the conveyance of covert signals. For example, a collusionist could send odd and even severity values to indicate Morse Code dashes and dots. Okmianski Expires August 1, 2004 [Page 10] Internet-Draft syslog udp transport February 2004 5. IANA Considerations IANA must reserve UDP port 514 for this transport. Okmianski Expires August 1, 2004 [Page 11] Internet-Draft syslog udp transport February 2004 6. Notice to RFC Editor This is a notice to the RFC editor. This ID is submitted along with ID draft-ietf-syslog-protocol and they cross-reference each other. When RFC numbers are determined for each of these IDs, please replace all references to "RFC-protocol" with the RFC number of draft-ietf-syslog-protocol ID. Please remove this section after editing. Okmianski Expires August 1, 2004 [Page 12] Internet-Draft syslog udp transport February 2004 7. Authors and Working Group Chair The working group can be contacted via the mailing list: syslog-sec@employees.org The current Chair of the Working Group may be contacted at: Chris Lonvick Cisco Systems Email: clonvick@cisco.com The author of this draft is: Anton Okmianski Email: aokmians@cisco.com Phone: (978) 936-1612 Fax: (978) 936-2225 Cisco Systems, Inc 1414 Massachusetts Ave. Boxborough, MA 01719-2205 USA Okmianski Expires August 1, 2004 [Page 13] Internet-Draft syslog udp transport February 2004 8. Acknowledgements The author wishes to thank Chris Lonvick, Rainer Gerhards, David Harrington, Andrew Ross, and all others who have commented on the various versions of this proposal. Okmianski Expires August 1, 2004 [Page 14] Internet-Draft syslog udp transport February 2004 References [1] Lonvick, C., "The BSD Syslog Protocol", RFC 3164, August 2001. [2] Gerhards, R., "The syslog Protocol", RFC RFC-protocol. [3] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980. [4] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989. [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [6] Stevens, W., "TCP/IP Illustrated Volume 1. The Protocols.", January 1994. [7] Kent, C. and J. Mogul, ""Fragmentations Considered Harmful," Computer Communications Review, vol.17, no.5, pp.390-401", August 1987. [8] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. [9] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [10] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998. Author's Address Anton Okmianski Cisco Systems, Inc. 1414 Massachusetts Ave Boxborough, MA 01719-2205 USA EMail: aokmians@cisco.com Okmianski Expires August 1, 2004 [Page 15] Internet-Draft syslog udp transport February 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Okmianski Expires August 1, 2004 [Page 16] Internet-Draft syslog udp transport February 2004 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Okmianski Expires August 1, 2004 [Page 17]