Improve logging credibility by adding synchronization time information

Introduction The following content is from RFC 5424 In the protocol, the timestamp parameter of the reported log and the parameter of whether the time has been synchronized have been set to indicate whether the reported time has been synchronized with the external time source. Although the standard has considered the accuracy requirements of time recording and designed a time "isSynced" parameter, it is impossible to ensure the credibility of time recording only through the synchronization flag parameters. If the external time source of the originator is attacked or a fake time source, the log reported by the originator only records whether the time is synchronized, but does not report the synchronization time source information.By constructing a higher-level fake source time synchronization server, the attacker can easily affect the credibility of the log reporting time. --|Originator1|-->--|Collector| +-----------+ +-----------+ +---------+ Stratum 0 / +-------+ +-----------+ +-----------+ / | GPS |-->--| NTP |-->--|Originator2|-->--/ +-------+ +-----------+ +-----------+ Stratum 0 Stratum 1 Figure 1: Attack Scenario ]]> Take the above figure as an example. If Originator1 synchronizes to a fake NTP time source and Originator2 synchronizes to an NTP time source whose superior external time source is GPS, attacker can modify the system time of the fake NTP time source to affect the log reporting time of Originator1, which can further affect the time accuracy of Collector when correlating logs of different devices. In order to solve the problem of the credibility of log reporting time, it is proposed to add synchronization time information after the synchronization flag parameter.

Terminology The readers should be familiar with the terms defined in. In addition, this document makes use of the following terms:

syncInfo:: The syncInfo parameter is used to record current synchronization NTP source host IP or host name, remote refers to the NTP upper-level source host address, and stratum class;

Setting syncInfo The parameters in RFC 5424 does not have the function of Setting synchronization NTP information. This chapter proposes to add this new parameter after the "isSynced" parameter.

Setting new parameter The following new parameter is defined. SYNCINFO: The parameter indicates the synchronization time source information of the originator. The syncInfo parameter is included current synchronization NTP source host IP or host name, remote refers to the NTP upper-level source host address, and stratum class. If the value "0" is used for "isSynced", this parameter MUST NOT be specified. If the value "1" is used for "isSynced" ,the originator's synchronization time source information needs to be added.

Examples The following is an example of an originator that knows both its synchronization time source information and that it is externally synchronized: [timeQuality isSynced="1" syncInfo="remote:time-d.nist.gov|refid:NIST|st:1"] The syncInfo parameter records that the current synchronization NTP source host name is time-d.nist.gov, the remote refers to the NTP upper-level source host address is NIST, and the stratum class is 1.

Handling of the collectors When the log collector merges logs reported by different originators, it compares the synchronization time source information and the stratum class information in the logs: If the different are synchronized with same time sources, the log time reported by different originators is credible; --|Originator1|->-|Collector| +---------+ +-----------+ +---------+ / Stratum 1 / +------------------+ / +---------+ +-----------+ / | GPS/Atomic clock |-->--| NTP2 |->--|Originator2|->-/ +------------------+ +---------+ +-----------+ Stratum 0 Stratum 1 Figure 2: Trusted Scenario 1 for Log Reporting Time ]]> If the different originators are synchronized with different time sources, it is necessary to determine whether the time source refers to a higher-quality external time source. If a higher-quality external time source is cited, the log time is credible. This log time cannot be trusted if a higher quality external time source is not referenced or the time is not synchronized. -| NTP1 |->--|Originator1|->--|Collector| +--------------+ +-----------+ +-----------+ +---------+ Stratum 0 Stratum 1 / +--------------+ +-----------+ +-----------+ / | GPS |->-| NTP2 |->--|Originator2|->--/ +--------------+ +-----------+ +-----------+ Stratum 0 Stratum 1 Figure 3: Trusted Scenario 2 for Log Reporting Time ]]> -| NTP1 |->-|Originator1|->-|Collector| +------------------+ +--------+ +-----------+ +---------+ Stratum 2 Stratum 3 / +------------------+ +--------+ +-----------+ / | GPS/Atomic clock|->-| NTP2 |->-|Originator2|->-/ +------------------+ +--------+ +-----------+ Stratum 0 Stratum 1 Figure 4: Untrusted Scenarios for Log Reporting Time ]]>

IANA Considerations This requires registering a new parameter with IANA. This parameter is the same as the "isSynced" parameter and should be an optional parameter.

Contributors TBD

Acknowledgements TBD