Re: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Fri, 09 May 2008 20:50 UTC

Date: Fri, 09 May 2008 22:48:50 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA308FC0@grfint2.intern.adiscon.com>
In-Reply-To: <049301c8b20c$33dd1e20$0600a8c0@china.huawei.com>
References: <20080507150001.D3CB428C65B@core3.amsl.com><OF13490747.F0126D34-ON85257443.00540976-85257443.00574A09@agfa.com><577465F99B41C842AAFBE9ED71E70ABA308FB3@grfint2.intern.adiscon.com><124CF5A7D55D6F43A4FD9437F28254D8C28025@ALPMLVEM05.e2k.ad.ge.com> <577465F99B41C842AAFBE9ED71E70ABA308FBC@grfint2.intern.adiscon.com> <049301c8b20c$33dd1e20$0600a8c0@china.huawei.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: David Harrington <ietfdbh@comcast.net>, "Moehrke, John (GE Healthcare)" <John.Moehrke@med.ge.com>, robert.horn@agfa.com, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
Subject: Re: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt

I went through the mailing list archive, but I did not find one single
message wrapping it up. Maybe this here comes close:

http://www.ietf.org/mail-archive/web/syslog/current/msg00772.html

Getting the whole thing together requires substantial work. I personally
do not think this is useful (given what you have posted). If in doubt,
we should probably better ask for advice from our current AD.

Rainer

> -----Original Message-----
> From: David Harrington [mailto:ietfdbh@comcast.net] 
> Sent: Friday, May 09, 2008 9:38 PM
> To: Rainer Gerhards; 'Moehrke, John (GE Healthcare)'; 
> robert.horn@agfa.com; 'Joseph Salowey (jsalowey)'; syslog@ietf.org
> Subject: RE: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt
> 
> Hi,
> 
> Acting as co-chair, I request that everybody please read BCP61, found
> in RFC 3365 - "Strong Security Requirements for Internet Engineering
> Task Force Standard Protocols". It's short. ;-)
> 
> If the IESG required strong security features for syslog, then the
> IESG was probably enforcing the IETF consensus documented in this RFC.
> This BCP has not been updated or obsoleted to my knowledge. BUT - the
> IESG **may** be working off a newer consensus, so we may need to see
> what was said, or get input from our responsible AD.
> 
> I don't think it says the security features must be enabled by
> default, or that policy decisions should be included in the protocol
> specification. It reports IETF rough consensus that "all IETF
> protocols should operate securely". However, RFC 3365 is also clear
> that "MUST is for implementers", not users - "it is completely
> reasonable for security features to be an option that the end user of
> the protocol may choose to disable."
> 
> RFC 3365 does not use the word default, nor the word enabled, and in
> my reading of the document, I see nothing that states that strong
> security MUST be enabled by default.
> 
> But please continue checking what was said by the IESG when we
> rechartered (or whenever it was).
> 
> David Harrington
> dbharrington@comcast.net
> ietfdbh@comcast.net
> dharrington@huawei.com
> 
> 
> 
> > -----Original Message-----
> > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf Of Rainer Gerhards
> > Sent: Friday, May 09, 2008 12:36 PM
> > To: Moehrke, John (GE Healthcare); robert.horn@agfa.com; Joseph Salowey (jsalowey); syslog@ietf.org
> > Subject: Re: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt
> > 
> > John,
> > 
> > I need to find it inside the mailing list archive. If I remember, it
> > came up during rechartering (2? 3? years ago). It was along the
> > lines that a secure transport AND secure default for that transport are
> > required. This is the primary reason that -syslog-protocol and
> > -transport-udp can not advance to RFC before -transport-tls is done.
> > 
> > Rainer
> > 
> > > -----Original Message-----
> > > From: Moehrke, John (GE Healthcare) [mailto:John.Moehrke@med.ge.com]
> > > Sent: Friday, May 09, 2008 6:18 PM
> > > To: Rainer Gerhards; robert.horn@agfa.com; Joseph Salowey (jsalowey);
> > > syslog@ietf.org
> > > Subject: RE: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt
> > > 
> > > 
> > > Could someone please point me at the mentioned IESG requirement to
> > > include policy decisions? This is a very unusual position. And, as your
> > > own assessment shows, it is something that simply will not scale.
> > > 
> > > For example, there are healthcare systems installed on military ships
> > > where all network wiring is inside compressed nitrogen casings with
> > > sensors. This is clearly a sensitive environment, but they have already
> > > managed many of the risks.
> > > 
> > > John
> > > 
> > > > -----Original Message-----
> > > > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> > > > Behalf Of Rainer Gerhards
> > > > Sent: Friday, May 09, 2008 3:36 AM
> > > > To: robert.horn@agfa.com; Joseph Salowey (jsalowey); syslog@ietf.org
> > > > Subject: Re: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt
> > > >
> > > > Hi all,
> > > >
> > > > I agree with Robert, policy decisions need to be separated. I CC Pasi
> > > > because my comment is directly related to IESG requirements, which
> > > > IMHO cannot be delivered by *any* syslog TLS document without
> > > > compromise [comments directly related to IESG are somewhat later, I
> > > > need to level ground first].
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog