Hi Rainer, Thanks for your response, it was helpful, and I look forward to reading your additional comments. I just wanted to point out an additional spec that you may already know about, but I wanted to make sure.
This IETF draft is the proposed "new" IHE message format with XML schema. http://www.ietf.org/internet-drafts/draft-marshall-security-audit-08.txt Regards, Doug > -----Original Message----- > From: Rainer Gerhards [mailto:[EMAIL PROTECTED] > Sent: Friday, December 19, 2003 11:45 AM > To: Doug Dunlop; [EMAIL PROTECTED] > Subject: RE: Syslog message size, internationalization and IHE > > > Hi Doug, > > thanks for your interesting mail. I will reply in more detail > when I am > through with the papers (looks like it takes some time), but I have an > immediate comment... > > > The Integrating the Healthcare Enterprise (IHE) initiative > > has specified the use of syslog as the mechanism for logging > > audit record messages. The specification allows up to 32Kb > > messages, the content of the MSG field is XML with a > > specified XML schema and it uses UTF-8 encodings. > > There is a good reason for the current 1k limit on syslog > messages. This > 1k is on most networks being transmitted in a single packet, > which will > remove any fragmentation or multi-packet issues. With 32k, > the data will > definitely travel in more than one packet (in almost all > cases). So with > UDP, you are seeing challenges in in-order delivery and partial packet > loss. > > I am trying to address this (at least partly) in the syslog-protocol > spec. In there, the idea is to basically stick with the 1k transport > limitation but - on an upper layer - support fragmentation and longer > messages with what we currently call a "cookie". This approach will > allow you to at least > > a) detect missing packetc > b) reassmeble packets that were delivered out-of-order > (with some burden on the reciver) > > To be more precise, in b) we reassamble an upper-layer > message that was > sent via multiple packets. That upper layer is what your > application is > talking to. > > More comments when I have read the other docs. > > I would also like to use this message to whish all WG members a merry > xmas, a great new year and a peaceful holiday season. I hope it is > eventless from the infosec community point of view ;) > > Rainer > > >
