Re: [secdir] secdir review of draft-ietf-syslog-sign-27

"Alexander Clemm (alex)" <> Fri, 09 October 2009 05:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1BFE928C14E; Thu, 8 Oct 2009 22:03:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[AWL=-0.501, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9Znr2RMCv3M1; Thu, 8 Oct 2009 22:03:31 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B74973A6828; Thu, 8 Oct 2009 22:03:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=43889; q=dns/txt; s=sjiport02001; t=1255064715; x=1256274315; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20"Alexander=20Clemm=20(alex)"=20<> |Subject:=20RE:=20[secdir]=20secdir=20review=20of=20draft -ietf-syslog-sign-27|Date:=20Thu,=208=20Oct=202009=2022:0 5:12=20-0700|Message-ID:=20<85B2F271FDF6B949B3672BA5A7BB6>|To:=20"Tina=20TSO U"=20<>,=20"secdir"=20<>, =20<>|Cc:=20<>, =20<>,=0D=0A=20=20 =20=20=20=20=20=20"Chris=20Lonvick=20(clonvick)"=20<clonv>,=0D=0A=20=20=20=20=20=20=20=20<Pasi.Eronen>,=20<>,=0D=0A=20=20=20=20 =20=20=20=20"Alexander=20Clemm=20(alex)"=20< m>|MIME-Version:=201.0|In-Reply-To:=20<00a301ca367a$420da 160$>|References:=20<4AAE56EF.50>=20<006801ca3677$25943b00$8e27460a@china.h>=20<00a301ca367a$420da160$8e27460a@china.huawei .com>; bh=EmNNX/vDnbUOJ55ADu5+me+cGpDIZqMsghQQMqZu5Rs=; b=CX/BjX1RepsQ7X+OMyePiP/zzBitFK66iCokB8UPjOervAo2gsRgF6qH reEAjn1oXrv8IA/ga6CcvkLxOgR1apO57HfXT10GT/8eUScrJ+JVCS+bq 7OYHYlHFpKgO5ibp6K1kQgVQyOJ16R7mo+h/pS7JdDJsP6Vx44V4PfvmS w=;
Authentication-Results:; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiAFAB9hzkqrR7Hu/2dsb2JhbACCJy2/XZg9gjAOgWwE
X-IronPort-AV: E=Sophos; i="4.44,530,1249257600"; d="scan'208,217"; a="212852784"
Received: from ([]) by with ESMTP; 09 Oct 2009 05:05:14 +0000
Received: from ( []) by (8.13.8/8.14.3) with ESMTP id n9955EKj008547; Fri, 9 Oct 2009 05:05:14 GMT
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.3959); Thu, 8 Oct 2009 22:05:14 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA489E.1575F3FE"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 08 Oct 2009 22:05:12 -0700
Message-ID: <>
In-Reply-To: <00a301ca367a$420da160$>
Thread-Topic: [secdir] secdir review of draft-ietf-syslog-sign-27
Thread-Index: Aco2ek7wTFF8WPJFQGWjDynwgpqBowSIAsAQ
References: <> <006801ca3677$25943b00$> <00a301ca367a$420da160$>
From: "Alexander Clemm (alex)" <>
To: Tina TSOU <>, secdir <>,
X-OriginalArrivalTime: 09 Oct 2009 05:05:14.0003 (UTC) FILETIME=[15BA1630:01CA489E]
X-Mailman-Approved-At: Sun, 11 Oct 2009 23:40:45 -0700
Cc:,,, "Alexander Clemm (alex)" <>
Subject: Re: [secdir] secdir review of draft-ietf-syslog-sign-27
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Oct 2009 05:03:45 -0000



Thank you for your review.  Please see responses, inline, delimited with
<ALEX>.  Please let me know if you feel that those responses adequately
resolve the issue, or clarify any problems that you feel have not been
adequately addressed.  


Thank you and kind regards

--- Alexander Clemm


From: Tina TSOU [] 
Sent: Tuesday, September 15, 2009 8:03 PM
To: secdir;
Subject: Re: [secdir] secdir review of draft-ietf-syslog-sign-27


Sending to



B. R.

	----- Original Message ----- 

	From: Tina TSOU <>  

	To: ; secdir <>  

	Cc: ; 

	Sent: Wednesday, September 16, 2009 10:41 AM

	Subject: [secdir] secdir review of draft-ietf-syslog-sign-27


	I have reviewed this document as part of the security
	ongoing effort to review all IETF documents being processed by
the IESG. 
	  These comments were written primarily for the benefit of the
	area directors.  Document editors and WG chairs should treat
	comments just like any other last call comments.
	In general, from the security point of view, this draft does not
specify what 
	the loghost should do in case of packet loss, DoS attack, etc.
Should the 
	device try to retrieve the sys log information again? 
	Section 1, third paragraph (talking about Certificate Block):
not to 
	over-complicate matters, but this is really talking about the
content of a 
	Payload Block. Rather than introduce that term, perhaps rephrase
the paragraph 
	slightly to make clear that multiple Certificate Blocks may be
used. What's the key management information here? Is it Certificate
information or public key information?


	    Additionally, a signer sends Certificate Blocks to provide
	    management information between the signer and the collector.
	    Certificate Block has a field to denote the type of key
	    which may be such things as a PKIX certificate, an OpenPGP
	    certificate, or even an indication that a key had been pre-
	    distributed.  In the cases of certificates being sent, the
	    certificates may have to be split across multiple
	    Blocks carried in separate messages.


	<ALEX>  Change accepted  



	Section 1, fifth paragraph, first sentence: not clear what
"previous" refers to. 
	The phrase "of the previous messages" doesn't seem to add
anything and can be 
	dropped. Suggest adding "syslog" after "received" and
"corresponding" before 
	"Signature Block", so the sentence reads:


	    The collector may verify that the hash of
	    each received syslog message matches the signed hash
contained in the
	    corresponding Signature Block.


	 <ALEX> Change accepted



	Section 4.2.3: It is strongly suggested that the field currently
identified as 
	Signature Group (SG) be renamed to Signature Group
Interpretation (SGI) to avoid 
	confusion. The statement that SPRI identifies the actual
signature group also 
	comes a bit late (beginning of the fourth paragraph). It should
be moved up to 
	the first paragraph.


	Note that changing SG to SGI affects the tables in section 4.2
and 5.3.2 and IANA considerations. Note also that the field is called
SIG instead of SG in section


	<ALEX>  There does not seem to be a need for that change -
section 4.2.3 contains an additional clarification which clearly points
out the difference between SG field and the Signature Group itself; this
should be sufficient.



	In section 5.3.2, P23, what's the main difference between using
Signature block and using Certificate block? It seems Certificate Block
overlaps with Signature Block, e.g., Both block are digitally signed,
why is only certificate block termed "certificate block", why not term
certificate block as "signature block"?



	The question is confusing.  The difference between Signature
Block and Certificate Block should be clear (as also evidenced from the
proposed text in the first comment) and there should be no issue that
they might be confused.  Signature Blocks contain the signatures of
previously sent messages, whereas Certificate Blocks contain key
material - two very distinct purposes.  No changes are made.



	In section, the point is made that the timestamp of the
	Block message is the same as that of the Payload Block. In fact,
they differ 
	very slightly in the example. Is that intended?



	Proposed wording change as follows:

	                       Note that the Certificate Block message
in this example has a time stamp

	                       that is very close to the time stamp in
the Payload Block.  

	                       The fact that the time stamps are so
close implies that this is the first 

	                       Certificate Block message

	                       sent in this reboot session; additional
Certificate Block messages can be 

	                       sent later with a later time stamp, which
will carry the same Payload Block 

	                       that will still contain the same time



	In section 6, near the bottom of the first paragraph, a couple
of words are 
	missing. It is suggested that the sentence be changed to read:


	    collector MUST ignore duplicates of Signature Blocks and
	    Blocks it has already received and authenticated.



	Suggested change is accepted.



	Section 7 is informative. Perhaps it belongs in an appendix.


	There does not seem to be compelling reason to change the
structure at this point, propose to keep as is.


	In section 7.1, 
	 4.  Set the last message number processed to the value of the
	           First Message Number plus the Count of the Signature
	           minus 1.
	Why is the Last message number not defined in this document?


	The last message number is in fact introduced in item b.  As it
is stated there clearly, it is a cursor that is maintained by the
collector to keep track of the point to which it has received message
signatures.  Additional explanation does not appear to be necessary.  



	In section 8.1,
	 This specification uses Public Key Cryptography technologies.
	   proper party or parties have to control the private key
portion of a
	   public-private key pair.  Any party that controls a private
key can
	   sign anything it pleases.
	As regarding the last sentence, Is it appropriate to use
"pleases" here? How about using *favors* or *prefers* instead of


	"Pleases" appears to be the appropriate term in this context -
it expresses that it can in effect do whatever it wants - "favors" or
"prefers" would imply there are a choices to select between, which does
not sound quite right in this context.  No change is made.  



	In section 8.2,
	As a signer, it is advisable to avoid message lengths exceeding
	   octets.  Various problems might result if a signer were to
	   messages with a length greater than 2048 octets, because
relays MAY
	   truncate messages with lengths greater than 2048 octets which
	   make it impossible for collectors to validate a hash of the
	   To increase the chance of interoperability, it tends to be
best to be
	   conservative with what you send but liberal in what you are
able to
	   From the above paragraph, we can see it is necessary to
	   the length of message, So I would like to suggest changing
the last
	   sentence as:
	   To increase the chance of interoperability, it tends to be
best to 
	   limit the length of what you send but loose what you are able
	   to make it more precise. Is it reasonable to do this?


	The "conservative" and "liberal" saying dates back to Jon Postel
and RFC 760.  We think this should stay as is.  


	In section 8.3,
	Syslog does not strongly associate the message with the message
	   originator.  That association is established by the collector
	   verification of the Signature Block. 
	What's the difference between associating the message with the
message originator
	and signature? If they are the same thing, I think the
association should be pre-established
	in collector? Is it a correct understanding?


	 It is up to facility and application-ID to indicate who or what
actually triggered the original message; for the purposes of this here,
"originator" refers to the sender of the message, not the source of the
event that triggers the sending of the message.  The wording should



	In section 8.4,
	Event messages might be recorded and replayed by an attacker.
	   the information contained in the Signature Blocks, a reviewer
	   determine whether the received messages are the ones
originally sent
	   by an originator.  The reviewer can also identify messages
that have
	   been replayed.


	I am wondering what the information is in the signature block
can be used to
	prevent replaying? Count or sequence number, time stamp, if
there is such thing, it is better to
	point it out which field of signature block is used for

	Section 7 implicitly explains how messages can be identified
that have been replayed.  In that case, in step 3.b (section 7.1), the
authenticated log file would already contain the message.  Step 3.b does
not explicitly state to flag the fact that a replayed message was
received, but adding such a capability if desired would be near-trivial
(and IMHO hence does not need to be explained) and in any event the
authenticated log file would clearly contain only one instance of the
authenticated message.  

	To make it even clearer, the following wording is added to
section 8.4:


	                       Using the methods for verification of

	                       outlined in Section 7, a replayed message
can be detected by checking

	                       prior to writing a message to the
authenticated log file whether the message is 

	                       already contained in it.




	B. R.






	secdir mailing list