Re: [Syslog] Some revised text for syslog TLS
Rainer Gerhards <rgerhards@hq.adiscon.com> Mon, 26 May 2008 12:59 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 274223A67F2; Mon, 26 May 2008 05:59:41 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 739CC3A67A9 for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Level:
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxKesyfd8Dyd for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:59:38 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id 18D923A67D9 for <syslog@ietf.org>; Mon, 26 May 2008 05:59:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id D8C957AE344; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMdlbUQYkNVY; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 8B6E37AE342; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from [172.19.2.12] ([172.19.2.12]) by grfint2.intern.adiscon.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 May 2008 14:59:35 +0200
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Pasi.Eronen@nokia.com
In-Reply-To: <1696498986EFEC4D9153717DA325CB72B36A0B@vaebe104.NOE.Nokia.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com> <1696498986EFEC4D9153717DA325CB72B36A0B@vaebe104.NOE.Nokia.com>
Organization: Adiscon
Date: Mon, 26 May 2008 14:59:52 +0200
Message-Id: <1211806792.27593.11.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.3 (2.12.3-1.fc8)
X-OriginalArrivalTime: 26 May 2008 12:59:35.0757 (UTC) FILETIME=[594C57D0:01C8BF30]
Cc: syslog@ietf.org
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Hi Pasi, inline... On Mon, 2008-05-26 at 15:28 +0300, Pasi.Eronen@nokia.com wrote: > Rainer Gerhards wrote: > > > I know that you asked about the usefulness of IP based > > authentication before. I am now at a point where I have actually > > finished my implementation and I am "polishing" it. On my agenda is > > now a as good as possible *automatic* authentication. > > > > For the client to authorize the server, it is quite easy. There > > usually is something like > > > > *.* @@192.0.2.1 > > > > In this case, I can take the destination ("192.0.2.1") and verify it > > against the server's certificate. Provided we use a common root CA, > > this setup is fully automatic. So supporting IPs is quite useful in > > this scenario. Please note that operators tend to use IP addresses > > over hostnames because of reliability reasons and early startup > > capability of the syslogd (before DNS resolutions is available). So > > this is of practical relevance. > > I agree that in some situations, we don't want to depend on > DNS. However, this is somewhat orthogonal to what the certificate > contains. > > AFAIK certificates containing IP addresses are quite rare; host names > are much common. Please keep in mind that my message was related to the question if there is a use case for using IPs inside a certificate. As I said above, there is. > To support such situation -- while still avoiding > dependency on DNS -- it would be useful if you could configure the IP > address (used for opening the connection) and server name (compared > against the certificate, but not looked up from DNS) separately. > > I don't know what that would look like in your configuration file > syntax, but maybe something like > > *.* @@192.0.2.1[syslogsrv2.example.com] rsyslog of course supports this. The actual syntax is: $ActionSendStreamDriverAuthMode x509/name # soon to be default $ActionSendStreamDriverPermittedPeer syslogsrv2.example.com *.* @@192.0.2.1 The $ActionSendStreamDriverPermittedPeer directive can be specified multiple times, for example when talking to an active/passive cluster with different identities (or whatever else may come up). To prevent relying on tcp, one could also add syslogsrv2.example.com to /etc/hosts, which would also lead to *.* @@syslogsrv2.example.com In any case, the goal is to have automatic authentication, and this works well with a common trusted CA. An "in-house" CA may also issue certificates with IP addresses. > > In case of the server authenticating the client, there is no such > > obvious choice. I could use the remote client's IP address (provided > > by the transport stack) and verify that it matches the IP address > > inside the certificate. However, is this really useful? IMO, this is > > more or less a check if the remote cert is signed by a common CA. > > Something that may be useful, but does not depend on the client's IP > > be known. > > > > Do you or somebody else on this list (Tom?) have a clue why it may be > > useful to carry out such a check? > > It doesn't seem very useful to me... I guess you could have a local > "wildcard" or "netmask" saying that only clients from 192.0.2.* are > allowed to connect; if your certificates contain IP addresses, > presumably you'd use the address in the certificate (and not the > transport) for that check. (But as I said, certificates containing > IP addresses are not common.) Even if the certificate has an IP - does that really gain me something? I think using the certificate's IP doesn't provide me any additional security in this case. I think this authentication is not useful and the server really can not automatically be configured to detect permitted remote clients - except for wildcard names. (as a side-note, rsyslog allows a mode where it just checks the validity of the remote certificate - so a common CA can be used to automatically authorize a broad range of machines). > > > Back on the topic of easy but still secure configuration, I could > > envision taken the reverse DNS name of the transport sender and > > checking that against the identity presented in the > > certificate. Anyone any thoughts/comments on this? > > This doesn't seem very useful to me, and AFAIK no such thing > is done in other protocols using TLS/certificates. Plus, it would again introduce the DNS dependency. So that's probably a bad idea. But after this conversation: is there really any use case for IP addresses in the certificate? I begin to get the feeling that we should probably remove the text about them - there are ample work-arounds to achieve the same, mostly better, effect. Rainer _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- [Syslog] Some revised text for syslog TLS Joseph Salowey (jsalowey)
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Moehrke, John (GE Healthcare)
- Re: [Syslog] Some revised text for syslog TLS Anton Okmyanskiy (aokmians)
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte