1. Helpful Reading

Syslog RFCs 3164, RFC 3195

Syslog I-D draft-ietf-syslog-sign

BEEP RFCs 3080, 3081

2. Introduction

syslog is unreliable, using UDP

TCP is reliable enough

Syslog-reliable uses the BEEP framework

BEEP provides reliability, transmission privacy, authentication

SYSLOG over BEEP is relatively easy to standardize and implement

3. syslog

Traditional UDP mechanism

• Device, Relay, Collector
• Priorities (Functionality + severity)
• Mostly free-format, max 1024 bytes

syslog-sign - Authenticated, safe storage

syslog-reliable - Secure reliable transmission

4. syslog Secure Transmission

Message Authenticity Assured

Message Replay Prevented

Message Integrity Assured

Message Observation Prevented

5. BEEP - Introduction

Connection-oriented

• Ordered
• Reliable
• Flow-controlled

Message-oriented

• Loosely-coupled
• Application-specific syntax
• 1 <-> 1 or 1 <-> N

Peer-to-peer

• Asynchronous
• Bidirectional
• Multi-channel
• Client-server if so specified
• (Which it is, for syslog-reliable)

6. BEEP - Architecture

Sessions

• One or more connections (right now, just TCP)
• One user identity
• One privacy policy
• One or more channels

Channels

• Control channel always open
• Zero or more application channels
• Messages pass both ways on channels
• Intra-channel is sequential
• Inter-channel is unsynchronized

Default channel is control

• Greeting offers other channels
• Provides extensibility thru profiles
• Create other channels with message on default channel

Privacy and Authentication

• Greeting can offer TLS
• All channels closed, encryption starts
• Greeting can offer any SASL
• All channels take on new user identity
• Either end can start TLS
• Either end (or both) can start SASL

Other goodies

• Error reporting (and "OK")
• Segmentation and flow-control management
• Implementation-checking redundancy

Not addressed directly by BEEP:

• Naming
• Authorization

7. BEEP - Message types

MSG, RPY, ERR, ANS, NUL

MSG -> RPY

MSG -> ERR

MSG -> ANS,ANS,...,NUL

8. SYSLOG-RELIABLE

Two syslog profiles: RAW and COOKED

Two integrity profiles: TLS and SASL/DIGEST-MD5

Selections are orthogonal

9. TLS and SASL/DIGEST-MD5

TLS is essentially SSLv3 plus provisioning

DIGEST-MD5 hashes nonce+password, proves password without revealing it

DIGEST-MD5 adds hash to message

Password is shared secret, not public key

10. RAW Profile

MSG from collector

ANS, ANS, ANS ... from device

Each ANS carries one traditional message

Each ANS may carry multiple messages, separated by CRLF

Messages have same format as traditional

11. COOKED Profile

Basic XML formatting/wrapper

MSG from device

RPY (or ERR) from collector

MSG is <iam> or <entry> or <path>

Reply is <ok> or <error>

12. COOKED iam

Attributes:

FQDN

IP

Type - Device, relay, or collector

#PCDATA - commentary

13. COOKED entry

Attributes:

xml:lang

facility - coded as digits

severity - coded as digits

timestamp - textual timestamp

tag - optional

deviceFQDN

deviceIP

pathID - where it came from

#PCDATA - Original data

14. COOKED path

Attributes:

Nested <path>

PathID - Matches with <entry>

fromFQDN - source FQDN of this hop

fromIP - source IP of this hop

toFQDN - destination FQDN of this hop

toIP - destination IP of this hop

linkprops - security attributes on this hop