Archive for the 'english' Category

The State of transport-tls and its Implementation

The latest Internet-Draft for transport-tls has now been out for two weeks and it looks like a consensus on the text has been found; at least there have been no comments so far. I spent the better part of these two weeks changing and debugging my own implementation of transport-tls, which is far behind schedule but at least in time to have a working and usable program for the mid-term evaluation…

So this is a good time to re-read the draft and check its requirements against my current syslogd code:


Mozilla X.509 certificates from the command line

Problem: You administer office PCs and have to deploy your organization’s new CA certificate. Since you know your users, telling them individually to download and install it is not an option. You need an automatic solution for unattended installation.


on OpenSSL and documentation …

I think OpenSSL needs a documentation project. My first week of GSoC coding was dedicated to transport-tls, so I started with establishing a TLS connection and accessing different parts of the X.509 certificates to check them. I would have thought these were basic tasks for every TLS-enabled application, and yet I found them unexpectedly difficult.


reliable TCP reconnect made easy

When I came to work on syslog, one of the most disturbing texts I came across was Rainer’s observation “On the (un)reliability of plain tcp syslog…”. The problem is that a sendmsg() system call nearly always succeeds: it reports only local errors (such as a full send queue), never network errors. So even after the other side has initiated a connection shutdown, one can happily write into the local buffer and only gets an error on the second write.

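The asymmetry described above, as an added example that is not code from this post or from NetBSD’s syslogd: the loopback demonstration below closes the receiving end of a TCP connection and shows that a plain send() on the other end still reports success. The pre-send check in front of it (poll() for readability, then a peeking recv() that returns 0 on the peer’s FIN) is my own suggestion for noticing the shutdown before writing, not necessarily the approach the full post goes on to describe. The function names and the RFC 5424-style message are mine.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one "check, then send" cycle on a TCP connection whose peer
 * has already closed it. */
struct send_probe {
    int     peer_closed;   /* 1 if the pre-send check noticed the peer's FIN */
    ssize_t first_send;    /* what send() returned afterwards (>0 means "success") */
};

/* Has the peer shut down the connection?  A TCP socket whose peer sent a FIN
 * becomes readable, and recv() on it returns 0.  A syslog receiver never sends
 * application data back, so on a sender's socket "readable" practically always
 * means "closed".  We wait up to timeout_ms for the FIN to arrive and peek so
 * that any real data stays in the queue.  Returns 1 if the peer is gone. */
int peer_has_closed(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    char byte;
    ssize_t n;

    if (poll(&pfd, 1, timeout_ms) <= 0)
        return 0;                    /* nothing pending: still connected as far as we know */
    if (pfd.revents & (POLLHUP | POLLERR))
        return 1;                    /* connection already reset */
    n = recv(fd, &byte, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n == 0)
        return 1;                    /* EOF: orderly shutdown by the peer */
    if (n < 0 && errno != EAGAIN && errno != EWOULDBLOCK)
        return 1;                    /* ECONNRESET and friends */
    return 0;                        /* real data waiting: connection alive */
}

/* Build a loopback TCP connection, close the "receiver" end, and show the
 * asymmetry: the check above sees the shutdown, yet the next send() is still
 * accepted into the local buffer and reports success (the error would only
 * surface on the following write). */
struct send_probe demo_send_after_peer_close(void)
{
    /* Constructed RFC 5424-style test message (not a real log line). */
    const char msg[] = "<13>1 2008-06-01T12:00:00Z host app - - - constructed test message";
    struct send_probe r = { 0, -1 };
    struct sockaddr_in sa;
    socklen_t salen = sizeof sa;
    int lfd = -1, cfd = -1, sfd = -1;

    /* A write to a reset connection would otherwise raise SIGPIPE and kill
     * the daemon instead of returning EPIPE. */
    signal(SIGPIPE, SIG_IGN);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                 /* let the kernel pick a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &salen) < 0)
        goto out;

    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        (sfd = accept(lfd, NULL, NULL)) < 0)
        goto out;

    close(sfd);                      /* the receiver goes away: a FIN is sent to cfd */
    sfd = -1;

    r.peer_closed = peer_has_closed(cfd, 1000);
    r.first_send = send(cfd, msg, sizeof msg - 1, 0);

out:
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return r;
}

int main(void)
{
    struct send_probe r = demo_send_after_peer_close();
    printf("pre-send check saw peer close: %d\n", r.peer_closed);
    printf("send() after peer close returned: %zd\n", r.first_send);
    return 0;
}
```

In a daemon the check belongs in the event loop rather than in front of every write: registering the outgoing socket for readability means the FIN wakes the loop as soon as it arrives, and the reconnect can start before the next message is lost into a dead buffer.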

Use syslog-sign with changing structured data elements

The structured data (SD) in syslog-protocol offers some interesting possibilities when it comes to modifying a message in transit. What would be necessary to enable rewriting in transit while still being able to authenticate the message with syslog-sign?


Google Summer of Code


Today the participants in Google’s Summer of Code 2008 were announced, and my project was chosen. :-)

So now I will work for NetBSD and implement the new IETF syslog protocols.

“Reliable UDP”

Skimming through last year’s Informatik Spektrum I found an interesting master’s thesis by Steffen Tambach (in German) examining the reliability of UDP transport. The analysis showed that no data was lost on the Fast Ethernet itself; all lost packets were dropped by the receiver somewhere in the network stack between the NIC and the socket API.

The following recommendations are given to prevent UDP packet loss in a local network (besides the obvious ‘have enough bandwidth for your data’ and ‘be able to store/process it fast enough’):

  • use IEEE 802.3x flow control
  • ban network devices without IEEE 802.3x support (and old 10 Mbps hubs/repeaters)
  • use NICs that support device polling or interrupt coalescing (to prevent interrupt livelock)
  • increase the socket’s receive buffer size
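The last recommendation turned into code, as an added example that is not from the thesis or this post: how a syslog receiver can request a larger UDP receive buffer and, more importantly, read back what the kernel actually granted. The request is silently clamped (by net.core.rmem_max on Linux, where getsockopt() also reports twice the requested value to account for bookkeeping overhead, and by kern.ipc.maxsockbuf on the BSDs), so a setsockopt() that returned 0 proves nothing about the buffer you ended up with. The function names are mine.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel for a receive buffer of `requested` bytes on a fresh UDP
 * socket and return the size it actually granted, or -1 on error.
 *
 * Only the value read back matters: setsockopt() succeeds even when the
 * request is clamped at net.core.rmem_max (Linux) or kern.ipc.maxsockbuf
 * (BSD), and Linux reports twice the requested size. */
int udp_rcvbuf_effective(int requested)
{
    int granted = -1;
    socklen_t len = sizeof granted;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &requested, sizeof requested) != 0 ||
        getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &granted, &len) != 0)
        granted = -1;
    close(fd);
    return granted;
}

/* Start-up check for a receiver: did we get at least what we asked for?
 * Returns 1 if so, 0 if the kernel clamped the buffer, -1 on error.  A 0 here
 * should be logged loudly; it means bursts larger than the granted buffer
 * will be dropped silently between the NIC and the socket. */
int udp_rcvbuf_is_sufficient(int requested)
{
    int granted = udp_rcvbuf_effective(requested);

    if (granted < 0)
        return -1;
    return granted >= requested;
}

int main(void)
{
    /* A modest request is normally honoured, a huge one is usually clamped
     * to the system-wide maximum; compare the two to see your kernel's limit. */
    int sizes[] = { 64 * 1024, 16 * 1024 * 1024 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("requested %9d bytes, granted %9d bytes, sufficient: %d\n",
               sizes[i], udp_rcvbuf_effective(sizes[i]),
               udp_rcvbuf_is_sufficient(sizes[i]));
    return 0;
}
```

Whether the buffer is big enough in practice shows up in the kernel’s UDP counters rather than in the application: on Linux, `netstat -su` lists “receive buffer errors”; on the BSDs, `netstat -s -p udp` lists datagrams “dropped due to full socket buffers”. A receiver that watches these counters can raise the buffer (or the system-wide maximum) before messages are lost.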

The Internet

This is a little known technological fact about the Internet:
the Internet is actually made up of words and enthusiasm.

Erin McKean: Redefining the dictionary (TED talk)