On Fri, Oct 06, 2000 at 10:05:55AM -0400, Scott McDermott wrote:
> Sure, if your network people have their shit together, you can rest with a pretty good idea that you won't have any UDP packets dropped on your own networks. Still, that's not a guarantee, which TCP gives.
TCP gives a conditional guarantee. Your packets only arrive safely if the network isn't too congested and if the hosts have the time to establish a full session. That sucks when you want to send a "network congested" message or a "my power supply is dying so I'm going down" message or a "my CPU is at 100% and I'm dropping packets left and right" message. You need a protocol that works when everything around it is breaking. The younger SNMP-trap is also UDP.
> Why the original UNIX syslog started with UDP is beyond my comprehension. Here we have logs which may or may not be *critical* in the case of intrusion attempts or other problems where missing log messages would be a disaster.
Because the people who wrote syslog lived in the days before everyone was concerned with security and secure loghosts, when they were just trying to make everything work to begin with. And because they wanted a protocol that had some chance of working during other kinds of disasters, like imminent host failure. And because they (and the people who wrote SNMP, and SNMP-trap, and DNS) were looking at tiny messages, at TCP overhead that's considerably larger than the underlying messages, at TCP's long session setup/teardown times, and so at much higher scalability limits for UDP over TCP for a given collection of hardware and network.

- Morty
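The trade-off argued in this exchange can be observed on loopback. The following is an added example, not code from either poster: it sends one syslog-style line over UDP to a live collector, then to a stopped one, then tries TCP against a stopped one. The message text, port handling and function names are constructed for the illustration.

```python
import socket

# Constructed sample line; PRI 11 = facility user (1) * 8 + severity err (3).
MSG = b"<11>host1 kernel: power supply failing, going down"
LOOP = "127.0.0.1"


def closed_tcp_port():
    """Return a loopback TCP port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOP, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_send(port, msg=MSG):
    """Fire and forget: one datagram, no session, no delivery report."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (LOOP, port))


def tcp_send(port, msg=MSG, timeout=1.0):
    """Needs a completed handshake before a single log byte can leave."""
    try:
        with socket.create_connection((LOOP, port), timeout=timeout) as s:
            s.sendall(msg + b"\n")
        return "sent"
    except OSError as exc:
        return "failed: " + type(exc).__name__


def demo():
    # 1. Collector up: the datagram arrives with no setup at all.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((LOOP, 0))
    rx.settimeout(1.0)
    port = rx.getsockname()[1]
    udp_send(port)
    received = rx.recvfrom(1024)[0]
    rx.close()
    # 2. Collector down: the send still "succeeds", the message is silently lost.
    lost_bytes = udp_send(port)
    # 3. TCP with the collector down: the sender is told, but nothing was sent.
    tcp_result = tcp_send(closed_tcp_port())
    return received, lost_bytes, tcp_result


if __name__ == "__main__":
    print(demo())
```

Step 2 is the silent loss the quoted poster objects to; step 3 is the dependency on a working session that the reply objects to.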