Date: Mon, 10 Jun 2013 21:48:29 +0000
From: "Remeika, James C."
To: "syslog@ietf.org"
Message-id: <356019E317654543A61055476ED9844B09F698F0@mbx2.draper.com>
Subject: [Syslog] Request for clarification of RTF 5424 Section 6.2.5 (APP-NAME)
List-Id: Security Issues in Network Event Logging

The APP-NAME field definition in RFC 5424 header says that "[i]t is a
string without further semantics", and the ABNF definition of the field
is 1*48PRINTUSASCII, which to my reading indicates that the space
character is allowed. The same is true for the field PROCID, which
follows APP-NAME: space characters seem to be allowed. How can this be
allowed if the values within the header are delimited by spaces? It
seems like the two value sets for APP-NAME and PROCID would be
indistinguishable:

++MESSAGE A++
APP-NAME: "cat dog"
PROCID: "rabbit"

++MESSAGE B++
APP-NAME: "cat"
PROCID: "dog rabbit"

Thanks for your consideration,
James Remeika

Message-ID: <017901ce667f$80e69d40$4001a8c0@gateway.2wire.net>
From: t.petch
To: "Remeika, James C."
References: <356019E317654543A61055476ED9844B09F698F0@mbx2.draper.com>
Date: Tue, 11 Jun 2013 09:41:35 +0100
Subject: Re: [Syslog] Request for clarification of RTF 5424 Section 6.2.5(APP-NAME)

----- Original Message -----
From: "Remeika, James C."
Sent: Monday, June 10, 2013 10:48 PM

The APP-NAME field definition in RFC 5424 header says that "[i]t is a
string without further semantics", and the ABNF definition of the field
is 1*48PRINTUSASCII, which to my reading indicates that the space
character is allowed.

RFC5424 says to me
"   SP              = %d32
    PRINTUSASCII    = %d33-126
"
which says to me that the SP[ace character] is not allowed.

Not sure why we have different readings.

Tom Petch

The same is true for the field PROCID, which follows APP-NAME: space
characters seem to be allowed. How can this be allowed if the values
within the header are delimited by spaces? It seems like the two value
sets for APP-NAME and PROCID would be indistinguishable:

++MESSAGE A++
APP-NAME: "cat dog"
PROCID: "rabbit"

++MESSAGE B++
APP-NAME: "cat"
PROCID: "dog rabbit"

Thanks for your consideration,
James Remeika

--------------------------------------------------------------------------------

> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
>

Date: Tue, 11 Jun 2013 15:08:56 +0000
From: "Remeika, James C."
In-reply-to: <017901ce667f$80e69d40$4001a8c0@gateway.2wire.net>
To: "syslog@ietf.org"
Message-id: <356019E317654543A61055476ED9844B09F69955@mbx2.draper.com>
References: <356019E317654543A61055476ED9844B09F698F0@mbx2.draper.com> <017901ce667f$80e69d40$4001a8c0@gateway.2wire.net>
Subject: Re: [Syslog] Request for clarification of RTF 5424 Section 6.2.5(APP-NAME)

Tom,

Thanks very much. I simply missed that text in RFC 5424. However, a
humble comment: the line

    SD-NAME         = 1*32PRINTUSASCII
                      ; except '=', SP, ']', %d34 (")

is a little confusing on that front, since it seems to imply that SP is
a member of PRINTUSASCII that must be excluded by special comment. I
realize now it is just there for emphasis.

Thanks again,
James Remeika
________________________________________
From: t.petch [ietfc@btconnect.com]
Sent: Tuesday, June 11, 2013 4:41 AM
To: Remeika, James C.; syslog@ietf.org
Subject: Re: [Syslog] Request for clarification of RTF 5424 Section 6.2.5(APP-NAME)

----- Original Message -----
From: "Remeika, James C."
Sent: Monday, June 10, 2013 10:48 PM

The APP-NAME field definition in RFC 5424 header says that "[i]t is a
string without further semantics", and the ABNF definition of the field
is 1*48PRINTUSASCII, which to my reading indicates that the space
character is allowed.

RFC5424 says to me
"   SP              = %d32
    PRINTUSASCII    = %d33-126
"
which says to me that the SP[ace character] is not allowed.

Not sure why we have different readings.

Tom Petch

The same is true for the field PROCID, which follows APP-NAME: space
characters seem to be allowed. How can this be allowed if the values
within the header are delimited by spaces? It seems like the two value
sets for APP-NAME and PROCID would be indistinguishable:

++MESSAGE A++
APP-NAME: "cat dog"
PROCID: "rabbit"

++MESSAGE B++
APP-NAME: "cat"
PROCID: "dog rabbit"

Thanks for your consideration,
James Remeika
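
Added example, not part of the thread or of RFC 5424: a Python check of the reading reached above, that SP (%d32) lies outside PRINTUSASCII (%d33-126), so the header splits unambiguously on single spaces and the SD-NAME comment removes only three characters. The field lengths for HOSTNAME, PROCID and MSGID are taken from the RFC 5424 ABNF rather than from this thread; the function names and the sample line are constructed for illustration.

```python
import re

# RFC 5424 section 6 ABNF: SP = %d32, PRINTUSASCII = %d33-126 (SP excluded).
PRINTUSASCII = r"[\x21-\x7e]"
# Maximum field lengths from the RFC 5424 HEADER rules; the NILVALUE "-"
# is itself one PRINTUSASCII character, so the same pattern accepts it.
FIELD_MAX = {"HOSTNAME": 255, "APP-NAME": 48, "PROCID": 128, "MSGID": 32}
FIELD_RE = {name: re.compile("%s{1,%d}" % (PRINTUSASCII, n))
            for name, n in FIELD_MAX.items()}
# SD-NAME = 1*32PRINTUSASCII except '=', SP, ']', %d34 ("). SP is already
# outside %d33-126, so only '"' (0x22), '=' (0x3d), ']' (0x5d) are removed.
SD_NAME_RE = re.compile(r"[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}")

# Constructed sample: the three tokens from the thread's MESSAGE A / MESSAGE B.
SAMPLE = "<34>1 2013-06-10T21:48:29Z host.example cat dog rabbit - hello"


def field_ok(name, value):
    """Sender-side check: is value legal for the named header field?"""
    return FIELD_RE[name].fullmatch(value) is not None


def sd_name_ok(value):
    """Is value a legal SD-NAME (used for SD-ID and PARAM-NAME)?"""
    return SD_NAME_RE.fullmatch(value) is not None


def split_header(line):
    """Split HEADER on single SPs; TIMESTAMP syntax is not validated here."""
    m = re.match(r"<(\d{1,3})>([1-9]\d{0,2}) ", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad PRI or VERSION")
    parts = line[m.end():].split(" ", 5)
    if len(parts) < 6:
        raise ValueError("truncated header")
    _timestamp, host, app, procid, msgid, rest = parts
    fields = {"HOSTNAME": host, "APP-NAME": app, "PROCID": procid, "MSGID": msgid}
    for name, value in fields.items():
        if not field_ok(name, value):  # an empty field (double SP) fails too
            raise ValueError("illegal %s: %r" % (name, value))
    fields["REST"] = rest  # STRUCTURED-DATA [SP MSG], left unparsed
    return fields


if __name__ == "__main__":
    print(split_header(SAMPLE))
    print(field_ok("APP-NAME", "cat dog"), field_ok("PROCID", "dog rabbit"))
```

A collector that accepts looser input than this (for example, tolerating repeated spaces) can disagree with a downstream parser about which token is APP-NAME, which is the ambiguity the original question was about.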