Re: [Syslog] Document shepherd report of AD concerns
<Pasi.Eronen@nokia.com> Mon, 19 May 2008 08:07 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D10C03A6850; Mon, 19 May 2008 01:07:38 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0F593A69BB for <syslog@core3.amsl.com>; Mon, 19 May 2008 01:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.299
X-Spam-Level:
X-Spam-Status: No, score=-5.299 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Au1CBMnZThET for <syslog@core3.amsl.com>; Mon, 19 May 2008 01:07:32 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 5286F3A6850 for <syslog@ietf.org>; Mon, 19 May 2008 01:07:20 -0700 (PDT)
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m4J86Ftu010410; Mon, 19 May 2008 03:07:05 -0500
Received: from vaebh103.NOE.Nokia.com ([10.160.244.24]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 19 May 2008 11:06:26 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by vaebh103.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 19 May 2008 11:06:25 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 19 May 2008 11:06:24 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72A5347E@vaebe104.NOE.Nokia.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA309019@grfint2.intern.adiscon.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Document shepherd report of AD concerns
Thread-Index: Aci2tcvqceaP6oScSc+DZiE7D64PrAAC00GQAAC2PMAAr8EzcA==
References: <07c101c8b6b5$cd5bcb20$0600a8c0@china.huawei.com> <1696498986EFEC4D9153717DA325CB72A13634@vaebe104.NOE.Nokia.com> <577465F99B41C842AAFBE9ED71E70ABA309019@grfint2.intern.adiscon.com>
From: Pasi.Eronen@nokia.com
To: rgerhards@hq.adiscon.com, ietfdbh@comcast.net, syslog@ietf.org
X-OriginalArrivalTime: 19 May 2008 08:06:25.0739 (UTC) FILETIME=[3BF059B0:01C8B987]
X-Nokia-AV: Clean
Subject: Re: [Syslog] Document shepherd report of AD concerns
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Rainer Gerhards wrote: > This text is along a fine line of differences: it talks about the > sender checking the server. It is the same model that HTTPS uses > (sorry, but this *is* the analogy). The server is authenticated but > the client not. > > The text is NOT talking about the server authenticating the client. Yes, the text was intended to clarify Section 4.2.1; Section 4.2.2 also needs similar clarifications (although as you note, the text isn't necessarily identical, and different requirements for minimal compliance could be specified). > Let's look at a syslog.conf line: > > *.* @@<server> > > Where server is the remote server's name or IP address. This is > (extended) rsyslog syntax, but in essence it is the same for all > implementations. What always must be configured is the name of the > server. > > So it is quite easy to check the server identity (again, just like > https) - we can simply compare the name from the cert to what was > configured as <server>. Note that this process is fully automatic if > the sender ships with a set of trusted root certs (like web browsers > do) and the server operator obtained a cert from one of those > authorities. As I said myself, a home user is not likely to pay the > associated fee, but a small biz may do. The advantage is obvious, > because we have instant security without any need to configure > anything (that would not be configured in any case). > > A server cert fingerprint requires a bit more of configuration, but > can obviously be a good solution in scenarios where neiterh PKI nor > paid public certs are available. > > If we look at the server, there is no such semi-automatic > authentication available. The client can not actually be > authenticated. We have a hop by hop archetecture and we have no > required indication of relays inside the message. So for the server, > we can not have a check if client is authentic (is who it claims it > is) but instead we can just have access control - we can check if > the client is permitted to send to us. IMHO this is different from > verifying authenticity. In a relay chain, the relay may still > receive spoofed messages from a relay in front of it. So we can not > autenticate the messages themselfs but only provide access control > for the machine that is connecting to us. Once we are beyond that > stage, we may still receive spoofed, faked, whatever messages. We > can only trust messages if all relays in the chain are configured > with TLS and the same access control. For *nix based syslogds, even > that does not help, because the message on the OS log socket may > already be spoofed. > > Thus, I consider authenticating the originator or relay to the > receiver (or relay) quite less important than authenticating the > server to the client. > > This is the reason that I propose to not only split these two modes > (as already happened), but have different minimal requirements for > them. > > A useful mode to actually authenticate messages is to check the > hostname provided inside the message against the clients > certificate. Of course, this only work on the first hop after the > originator, only if we have syslog-protcol formatted messages and is > still somewhat vulnerable to local log injection in a *nix > environment (there is no cure against that). If one thinks along > these lines, it would be quite useful to have an additional access > policy the requires a given server to accept only a given set of > hostnames from a remote client (those that it is permitted to relay > from). This check is probably more useful than the initial > cert-based access control check because it (somewhat) protects > against injecting malicious messages (somewhat, because it still > depends on the full chain being properly protected, it is just > easier to detect simpler attacks, what I find useful). So far, the security checks in -transport-tls draft have been solely at the *transport* level, and not concerned with the contents of the message. (The security considerations text needs to explicitly say this, though -- currently, it doesn't.) Best regards, Pasi _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] Document shepherd report of AD concerns David Harrington
- Re: [Syslog] Document shepherd report of AD conce… Pasi.Eronen
- Re: [Syslog] Document shepherd report of AD conce… Rainer Gerhards
- [Syslog] Terminology was Re: Document shepherd re… tom.petch
- Re: [Syslog] Document shepherd report of AD conce… tom.petch
- Re: [Syslog] Document shepherd report of AD conce… robert.horn
- [Syslog] MUST is for implementers, not users. David Harrington
- Re: [Syslog] Document shepherd report of AD conce… Pasi.Eronen
- Re: [Syslog] Document shepherd report of AD conce… Pasi.Eronen