[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Syslog-sec] UDP message size issue proposal

To: <syslog-sec@employees.org>
Subject: [Syslog-sec] UDP message size issue proposal
From: "Anton Okmianski" <aokmians@cisco.com>
Date: Tue, 12 Oct 2004 17:25:02 -0400
Cc:
Delivered-to: archive-syslog-sec@lists.adiscon.com
Delivered-to: syslog-sec@employees.org
List-archive: <http://www.employees.org/pipermail/syslog-sec>
List-help: <mailto:syslog-sec-request@www.employees.org?subject=help>
List-id: syslog-sec.www.employees.org
List-post: <mailto:syslog-sec@www.employees.org>
List-subscribe: <http://www.employees.org/mailman/listinfo/syslog-sec>, <mailto:syslog-sec-request@www.employees.org?subject=subscribe>
List-unsubscribe: <http://www.employees.org/mailman/listinfo/syslog-sec>, <mailto:syslog-sec-request@www.employees.org?subject=unsubscribe>
Sender: syslog-sec-bounces@www.employees.org
Thread-index: AcSwoe8xQ3+YxqsUQ8iCTkpgGQfmqg==

Hi!

Sorry for a long delay on this issue - I was on a 2 week vacation. I have spoken with a number of TCP/UDP/IP experts regarding the sizing issue. I am ready to propose the following changes:

1. Syslog-protocol will state that the max message will be defined by the transport layer.

2. Syslog-transport-udp will support messages up to maximum UDP datagram size of 64K. UDP is a very bad choice for large message transmissions, so it does not make sense for us to stretch it by adding our own fragmentation without other transmission control features such as found in TCP.

3. Syslog-transport-udp will rely on IP fragmentation and we will get rid of "proprietary" fragmentation which was designed to handle messages over 64K and deal with various non-compliant network hosts.

4. Syslog-transport-udp will recommend sending messages within the boundaries of prevalent MTU size on a given network to be safe. It will recommend Ethernet's 1500 bytes less headers and will draw reader attention to the minimum MTU size hosts on the network are required to support for IPv6 (576 bytes) and IPv6 (1280 bytes).

5. Path MTU discovery may not work robustly and some TCP/IP stacks may not support UDP packets of full 64K size and truncate them. We will mention this and bite this bullet. We should not restrict the protocol due to incompliant implementations because it is a moving target and penalizes compliant implementations with extra overhead. The above size recommendation would partially deal with this, but leave the final choice up to the administrator.

6. We will get rid of most syslog transport headers for UDP as they will no longer be needed. The only thing that will be left is the transport protocol version prefixed to every syslog message. Should we even bother with that?

This is a major change to the syslog-transport-udp. I'd like to get positive feedback before I proceed with this update. The best part is that if we all agree on the above, the next draft will be 1/3 of the size -- easier read for you. :)

Thanks,
Anton.

_______________________________________________
Syslog-sec mailing list
Syslog-sec@www.employees.org
http://www.employees.org/mailman/listinfo/syslog-sec

Prev by Date: RE: [Syslog-sec] Sturctured Data & Unicode
Next by Date: RE: [Syslog-sec] UDP message size issue proposal
Previous by thread: [Syslog-sec] New ID and Updated Web Page
Next by thread: RE: [Syslog-sec] UDP message size issue proposal
Index(es):
- Date
- Thread