Hi,
I've got some random thoughts about the secured syslog protocol, and to
start the discussion I include them below:
* since our traffic will eventually be encrypted/HMAC protected we need a
binary protocol
* we should support a set of encryption, mac and key exchange algorithms to
be negotiated at startup
* we need to exchange session keys, but due to the complexity of public key
algorithms we should only use symmetric cryptography
* if we want to use session keys (unique between sessions) we need a TCP
based protocol, otherwise shared secret keys should be used directly for
encryption/mac protection
Here's what I have in mind:
1) program/protocol version exchange
a specially formatted log message compatible with earlier syslog messages
which would trigger a reply from conforming implementations. If this
reply arrives within a certain timeout, it's assumed that the remote side
supports this protocol.
2) algorithm negotiation
This could use binary packets, similar to those used in the SECSH protocol.
We should negotiate the following:
* key exchange algorithm
* encryption algorithm
* mac algorithm
Since most traffic in system logging occurs in one direction
(client->server) we don't need different algorithms for client->server,
server->client direction, though we should not prohibit communication in
the reverse direction.
The algorithms used should be simple, and should not use asymmetric
ciphers.
3) The protocol should allow push and pull modes of operation. Push mode
means that the client is sending all messages, pull means that the client
requests a stream of messages, and the server sends it back. (this can be
used in firewalled environments where the log is sent to a protected zone)
A client here means the side which tries to connect, and the server the side
which is accepting a connection.
I've got a specification handy with concrete packet formats, but first I
would like to request comments about the above, and if we can agree, I would
throw in my proposal on packet formats.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
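
Added example, not part of the original post and not the packet format its author mentions: the negotiation and symmetric-only session-key idea from the message, in Python. The algorithm names, the key derivation, and the frame layout (length, sequence number, payload, MAC) are assumptions made for illustration; encryption is negotiated as "none" here because the Python standard library has no cipher.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag size
# Constructed offers in preference order; the algorithm names are hypothetical.
CLIENT_OFFER = {"kex": ["psk-hmac-sha256"], "enc": ["aes128-cbc", "none"],
                "mac": ["hmac-sha256", "hmac-sha1"]}
SERVER_OFFER = {"kex": ["psk-hmac-sha256"], "enc": ["none"],
                "mac": ["hmac-sha1", "hmac-sha256"]}

def negotiate(client_offer, server_offer):
    """Pick one algorithm per category for both directions: the first
    client preference the server also lists (the SECSH selection rule)."""
    chosen = {}
    for category in ("kex", "enc", "mac"):
        common = [a for a in client_offer[category] if a in server_offer[category]]
        if not common:
            raise ValueError("no common %s algorithm" % category)
        chosen[category] = common[0]
    return chosen

def derive_session_key(shared_secret, client_nonce, server_nonce):
    """Symmetric-only key exchange (assumed construction): fresh fixed-length
    nonces from both sides make the key unique to the session."""
    return hmac.new(shared_secret, b"session" + client_nonce + server_nonce,
                    hashlib.sha256).digest()

def seal(key, seq, message):
    """Build a binary frame: length | sequence number | payload | MAC."""
    body = struct.pack("!I", seq) + message
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack("!I", len(body) + MAC_LEN) + body + tag

def open_frame(key, expected_seq, frame):
    """Verify length, MAC and sequence number; return the log message."""
    if len(frame) < 8 + MAC_LEN or struct.unpack("!I", frame[:4])[0] != len(frame) - 4:
        raise ValueError("bad frame length")
    body, tag = frame[4:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    if struct.unpack("!I", body[:4])[0] != expected_seq:
        raise ValueError("unexpected sequence number")
    return body[4:]
```

The sequence number inside the MAC'd body is what lets the receiver reject a replayed or reordered frame within a session.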