Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
draft-ietf-syslog-dtls-06

Document history

Date Rev. By Action
2012-08-22
06 (System) post-migration administrative database adjustment to the Yes position for Jari Arkko
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Tim Polk
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Adrian Farrel
2010-07-09
06 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2010-07-09
06 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2010-07-09
06 (System) IANA Action state changed to In Progress from Waiting on Authors
2010-07-08
06 Cindy Morgan State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2010-07-08
06 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk
2010-07-08
06 Tim Polk Created "Approve" ballot
2010-07-08
06 (System) IANA Action state changed to Waiting on Authors from In Progress
2010-07-08
06 (System) IANA Action state changed to In Progress
2010-07-08
06 Cindy Morgan IESG state changed to Approved-announcement sent
2010-07-08
06 Cindy Morgan IESG has approved the document
2010-07-08
06 Cindy Morgan Closed "Approve" ballot
2010-07-08
06 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk
2010-07-08
06 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to Yes from Discuss by Jari Arkko
2010-07-07
06 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-07-07
06 (System) New version available: draft-ietf-syslog-dtls-06.txt
2010-05-20
06 Cindy Morgan State Changes to IESG Evaluation::Revised ID Needed from Waiting for AD Go-Ahead by Cindy Morgan
2010-05-20
06 Adrian Farrel [Ballot Position Update] Position for Adrian Farrel has been changed to No Objection from Discuss by Adrian Farrel
2010-05-20
06 Adrian Farrel
[Ballot discuss]
I am not a security expert so I would like to discuss with the Security ADs whether this work shouldn't also discuss (automatic) key management in the context of RFC 4107.
2010-05-20
06 Adrian Farrel [Ballot Position Update] New position, Discuss, has been recorded by Adrian Farrel
2010-05-20
06 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2010-05-20
06 Ralph Droms
[Ballot comment]
Nit...in the following text from section 5.1:

  Transports, such as UDP or DCCP do not provide
  session multiplexing and session-demultiplexing.

use either 0 or 2 commas around "such as UDP or DCCP".
2010-05-20
06 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2010-05-20
06 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded by Gonzalo Camarillo
2010-05-20
06 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2010-05-20
06 Lars Eggert
[Ballot comment]
I support Jari's and Tim's DISCUSSes.

Section 8., paragraph 1:
>    IANA is requested to assign a registered UDP and DCCP port number for
>    syslog over DTLS.  The same value as for syslog over TLS (6514) is
>    requested.

  Do you also want the same service name (i.e., syslog-tls) for 6514/udp
  and 6514/dccp?
2010-05-20
06 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2010-05-19
06 Russ Housley
[Ballot comment]
Please consider the proposed change in the Gen-ART Review by
  Miguel Garcia on 17-May-2010:

  In Section 5.3, the last sentence of the first paragraph reads:

  "When the DTLS handshake has
  finished, the transport sender MAY then send the first syslog
  message."

  I think what you really want to say is:

  "The transport sender MUST NOT send any syslog message before the
    DTLS handshake has successfully completed."
2010-05-19
06 Russ Housley
[Ballot comment]
Please consider the minor issues raised in the Gen-ART Review by
  Pete McCann on 17 May 2010.

  Section 7:
    The configured values for these four
    6rd elements are identical for all CEs and BRs within a given 6rd
    domain.
    ...
    6rdBRIPv4Address    The IPv4 address of the 6rd Border Relay for a
                        given 6rd domain.

  Taken together, these statements seem to imply that there can only be
  one BR for a given domain, or at least that all CEs must be configured
  to have the same set of BRs.  I note that in section 7.1.1 it is
  possible to provision more than one BR address.  Can this set be
  different for different CEs?  I can imagine a situation where
  different CEs are homed on different BRs. 

  Section 9.2:
    In order to prevent spoofing of IPv6 addresses, the 6rd BR and CE
    MUST validate the source address of the encapsulated IPv6 packet with
    the IPv4 source address it is encapsulated by according to the
    configured parameters of the 6rd domain. 

  This seems to say that the CE should match the source IPv4 address of
  the BR to the source address of the encapsulated IPv6 packet, when
  receiving traffic from a BR.  I assume that isn't what you meant.
2010-05-19
06 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley
2010-05-19
06 Samuel Weiler Request for Last Call review by SECDIR Completed. Reviewer: Steve Hanna.
2010-05-19
06 Jari Arkko
[Ballot discuss]
This is an excellent document and I was ready to post a Yes vote
on the ballot. However, there is one detail. The document says:

  When mapping onto different
  transports, DTLS has different record size limitations.  The
  application implementer SHOULD determine the maximum record size
  allowed by DTLS protocol running over the transport in use.  The
  message size SHOULD NOT exceed the DTLS maximum record size
  limitation of 2^14 bytes.  To be consistent with RFC 5425, in
  establishing a baseline for interoperability, this specification
  requires that a transport receiver MUST be able to process messages
  with a length up to and including 2048 octets.  Transport receivers
  SHOULD be able to process messages with lengths up to and including
  8192 octets.

This guidance seems quite weak in terms of avoiding excessive
fragmentation. Or am I misunderstanding how DTLS records map to
UDP packets? I am assuming it's a 1-1 mapping, but maybe I'm
mistaken.

In any case, the document should say something about tuning applications
and configurations to avoid excessively long packets due to
inefficiencies and other problems that fragmentation may cause.
2010-05-19
06 Jari Arkko [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko
2010-05-18
06 David Harrington [Ballot Position Update] New position, Recuse, has been recorded by David Harrington
2010-05-18
06 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2010-05-17
06 Tim Polk
[Ballot comment]
Given that disclosure is one of the primary threats described in Section 4, shouldn't the security considerations prohibit the use of cipher suites with NULL encryption?
2010-05-17
06 Tim Polk
[Ballot discuss]
There seems to be an essential disconnect between the conformance requirements and the
deployment guidance in this specification.

The second paragraph of Section 6 Congestion Control states:

  DCCP has congestion control.  For this reason the syslog over DTLS
  over DCCP option is recommended in preference to the syslog over the
  DTLS over UDP option.

However, in Section 5.1,  Transport

  DTLS can run over multiple transports.  Implementations of this
  specification MUST support DTLS over UDP and SHOULD support DTLS over
  DCCP [RFC5238].

For alignment with Section 6, it would seem that "MUST support DTLS over DCCP" would
be more appropriate.
2010-05-17
06 Tim Polk
[Ballot comment]
Given that disclosure is one of the primary threats described in Section 4, shouldn't the security considerations prohibit the use of cipher suites with NULL encryption?
2010-05-17
06 Tim Polk
[Ballot discuss]
There seems to be an essential disconnect between the conformance requirements and the
deployment guidance in this specification.

The second paragraph of Section 6 Congestion Control states:

  DCCP has congestion control.  For this reason the syslog over DTLS
  over DCCP option is recommended in preference to the syslog over the
  DTLS over UDP option.

However, in Section 5.1,  Transport

  DTLS can run over multiple transports.  Implementations of this
  specification MUST support DTLS over UDP and SHOULD support DTLS over
  DCCP [RFC5238].

For alignment with Section 6, it would seem that "MUST support DTLS over DCCP" would
be more appropriate.
2010-05-17
06 Tim Polk [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk
2010-05-11
06 Samuel Weiler Request for Last Call review by SECDIR is assigned to Steve Hanna
2010-05-11
06 Samuel Weiler Request for Last Call review by SECDIR is assigned to Steve Hanna
2010-05-11
06 Amanda Baber
IANA comments:

ACTION 1:

Upon approval of this document, IANA will make the following assignments
in the "PORT NUMBERS" registry at
http://www.iana.org/assignments/port-numbers

Keyword Decimal Description References
------- ------- ----------- ----------
syslog-dtls 6514/udp Syslog over DTLS [RFC-syslog-dtls-05]
syslog-dtls 6514/dccp Syslog over DTLS [RFC-syslog-dtls-05]


Action 2:

Upon approval of this document, IANA will make the following assignment
in the "Service Codes" registry at
http://www.iana.org/assignments/service-codes/service-codes.xhtml

Service Code ASCII Description Reference
------------ ----- ----------- ---------
1398361159 SYLG Syslog Protocol [RFC-syslog-dtls-05]


We understand the above to be the only IANA Actions for this document.
2010-05-09
06 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2010-05-09
06 Sean Turner Ballot has been issued by Sean Turner
2010-05-09
06 Alexey Melnikov
[Ballot comment]
5.4.1.  Message Size

  There is no upper limit for a message
  length per se.  As stated in [RFC4347], each DTLS record MUST fit
  within a single DTLS datagram.  When mapping onto different
  transports, DTLS has different record size limitations.  The
  application implementer SHOULD determine the maximum record size
  allowed by DTLS protocol running over the transport in use.  The
  message size SHOULD NOT exceed the DTLS maximum record size
  limitation of 2^14 bytes.

Why is this "SHOULD NOT" and not a "MUST NOT"? The quoted requirement
from [RFC4347] doesn't seem to give any excuses.
2010-05-09
06 Alexey Melnikov [Ballot Position Update] New position, Yes, has been recorded by Alexey Melnikov
2010-05-09
06 Alexey Melnikov Created "Approve" ballot
2010-05-04
06 Cindy Morgan Last call sent
2010-05-04
06 Cindy Morgan State Changes to In Last Call from Last Call Requested by Cindy Morgan
2010-05-04
06 Sean Turner Last Call was requested by Sean Turner
2010-05-04
06 (System) Ballot writeup text was added
2010-05-04
06 (System) Last call text was added
2010-05-04
06 (System) Ballot approval text was added
2010-05-04
06 Sean Turner
  (1.a) Who is the Document Shepherd for this document? Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

Chris Lonvick
I have personally reviewed this version of the document.
I believe that this version is ready for publication.


  (1.b) Has the document had adequate review both from key WG members
        and from key non-WG members? Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed?

The document has been reviewed by the Working Group and by people outside of the Working Group.  The notable reviewers are listed in the Acknowledgements section (Section 10) of the ID.  Special mention should be given to Juergen Schoenwaelder, Anton Okmianski and Richard Graveman. The authors were very proactive in addressing the issues raised, especially Joe Salowy, Tom Petch and Rainer Gerhards.


  (1.c) Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?

I recommend this document be reviewed by the OPS area directorate, especially for consistency with other NM protocols over DTLS, such as snmp/dtls.  I recommend this document be reviewed by the security directorate, especially for consistency with other certificate and fingerprint processing approaches, and mandatory-to-implement ciphersuites.

Several issues were brought up when the WG was producing RFCs 5425 and 5426 [syslog/tls and syslog/udp respectively].  Text was inserted in those documents to address those issues.  Since many of the same issues are present in this specification, notably security and transport issues, text was often copied from those documents into this one, or references to specific sections of those documents are noted.


  (1.d) Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he
        or she is uncomfortable with certain parts of the document, or
        has concerns whether there really is a need for it. In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here. Has an IPR disclosure related to this document
        been filed? If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.

An IPR declaration has been filed against this ID.  Since it is by the same company that filed a disclosure against the syslog/tls ID [now RFC5425], it may be the same idea.  The Working Group held lengthy discussions around the disclosure filed against RFC5425 when it was an ID. The Working Group was notified about this filing but no discussion ensued on the mailing list.  I expect that the Working Group gained an understanding of the process during the prior discussion and no longer needs to discuss it.
Here is the pointer to the IPR declaration:
  https://datatracker.ietf.org/ipr/1271/


  (1.e) How solid is the WG consensus behind this document? Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it?

This work is an additional transport for syslog, to supplement UDP and TLS.  The Working Group as a whole has been quiet. The most active members of the WG understand the need for the additional transport and support moving this document forward.


  (1.f) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)

No appeals have been threatened.


  (1.g) Has the Document Shepherd personally verified that the
        document satisfies all ID nits? (See the Internet-Drafts Checklist
        and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
        not enough; this check needs to be thorough. Has the document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

Yes. The document was generated using xml2rfc, has passed automated checking using idnits, and passed a manual check by the shepherd. The document does not define a MIB module, media type, or URI.  The RFC Editor needs to update the Section 6b Trust Provisions License Notice which is a current common xml2rfc problem.


  (1.h) Has the document split its references into normative and
        informative? Are there normative references to documents that
        are not ready for advancement or are otherwise in an unclear
        state? If such normative references exist, what is the
        strategy for their completion? Are there normative references
        that are downward references, as described in [RFC3967]? If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

The references are split and all referenced documents are RFCs in good standing.


  (1.i) Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document? If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries? Are the IANA registries clearly identified? If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations? Does it suggest a
        reasonable name for the new registry? See [RFC5226]. If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

The IANA section exists, and appropriately requests a port number. It requests the reuse of the syslog/tls port number. It does not create a new registry or extend any registry. This document does not define a new VERSION or any SDEs, so does not require expert review for syslog parameters.


  (1.j) Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

The ABNF was validated using "Bill's ABNF Parser".  bap suggests using other values for some elements but I suggest that these remain as they are to be consistent with the other RFCs in this series: RFCs 5424, 5425 and 5426.


  (1.k) The IESG approval announcement includes a Document
        Announcement Write-Up. Please provide such a Document
        Announcement Write-Up? Recent examples can be found in the
        "Action" announcements for approved documents. The approval
        announcement contains the following sections:

    Technical Summary
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be
        an indication that there are deficiencies in the abstract
        or introduction.

  This document describes the transport of syslog messages over DTLS
  (Datagram Transport Level Security).  It provides a secure transport
  for syslog messages in cases where a connection-less transport is
  desired.


    Working Group Summary
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?

No. This document is the synthesis of two proposals made to the WG.


    Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?

There are no known implementations of this protocol at this time.
2010-05-04
06 Sean Turner Draft Added by Sean Turner in state Last Call Requested
2010-05-04
06 Sean Turner [Note]: 'Chris Lonvick (clonvick@cisco.com) is the document shepherd.' added by Sean Turner
2010-05-04
05 (System) New version available: draft-ietf-syslog-dtls-05.txt
2010-03-23
04 (System) New version available: draft-ietf-syslog-dtls-04.txt
2010-03-08
03 (System) New version available: draft-ietf-syslog-dtls-03.txt
2010-03-05
02 (System) New version available: draft-ietf-syslog-dtls-02.txt
2010-02-27
(System) Posted related IPR disclosure: HUAWEI TECHNOLOGIES CO.,LTD's Statement about IPR related to RFC 5425 and draft-ietf-syslog-dtls-01
2010-02-04
01 (System) New version available: draft-ietf-syslog-dtls-01.txt
2009-10-14
00 (System) New version available: draft-ietf-syslog-dtls-00.txt