IETF Logo Mail Archive

Re: [Syslog] Some revised text for syslog TLS

Rainer Gerhards <rgerhards@hq.adiscon.com> Mon, 26 May 2008 12:59 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 274223A67F2; Mon, 26 May 2008 05:59:41 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 739CC3A67A9 for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.506
X-Spam-Level:
X-Spam-Status: No, score=-2.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxKesyfd8Dyd for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:59:38 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id 18D923A67D9 for <syslog@ietf.org>; Mon, 26 May 2008 05:59:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id D8C957AE344; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMdlbUQYkNVY; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 8B6E37AE342; Mon, 26 May 2008 14:58:34 +0200 (CEST)
Received: from [172.19.2.12] ([172.19.2.12]) by grfint2.intern.adiscon.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 May 2008 14:59:35 +0200
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Pasi.Eronen@nokia.com
In-Reply-To: <1696498986EFEC4D9153717DA325CB72B36A0B@vaebe104.NOE.Nokia.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com> <1696498986EFEC4D9153717DA325CB72B36A0B@vaebe104.NOE.Nokia.com>
Organization: Adiscon
Date: Mon, 26 May 2008 14:59:52 +0200
Message-Id: <1211806792.27593.11.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.3 (2.12.3-1.fc8)
X-OriginalArrivalTime: 26 May 2008 12:59:35.0757 (UTC) FILETIME=[594C57D0:01C8BF30]
Cc: syslog@ietf.org
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Hi Pasi,

inline...

On Mon, 2008-05-26 at 15:28 +0300, Pasi.Eronen@nokia.com wrote:
> Rainer Gerhards wrote:
> 
> > I know that you asked about the usefulness of IP based
> > authentication before. I am now at a point where I have actually
> > finished my implementation and I am "polishing" it. On my agenda is
> > now a as good as possible *automatic* authentication.
> > 
> > For the client to authorize the server, it is quite easy.  There
> > usually is something like
> > 
> > *.* @@192.0.2.1
> > 
> > In this case, I can take the destination ("192.0.2.1") and verify it
> > against the server's certificate. Provided we use a common root CA,
> > this setup is fully automatic. So supporting IPs is quite useful in
> > this scenario. Please note that operators tend to use IP addresses
> > over hostnames because of reliability reasons and early startup
> > capability of the syslogd (before DNS resolutions is available). So
> > this is of practical relevance.
> 
> I agree that in some situations, we don't want to depend on
> DNS. However, this is somewhat orthogonal to what the certificate
> contains.
> 
> AFAIK certificates containing IP addresses are quite rare; host names
> are much common.  

Please keep in mind that my message was related to the question if there
is a use case for using IPs inside a certificate. As I said above, there
is.

> To support such situation -- while still avoiding
> dependency on DNS -- it would be useful if you could configure the IP
> address (used for opening the connection) and server name (compared
> against the certificate, but not looked up from DNS) separately.
> 
> I don't know what that would look like in your configuration file
> syntax, but maybe something like
> 
> *.* @@192.0.2.1[syslogsrv2.example.com]

rsyslog of course supports this. The actual syntax is:

$ActionSendStreamDriverAuthMode x509/name # soon to be default
$ActionSendStreamDriverPermittedPeer syslogsrv2.example.com
*.* @@192.0.2.1

The $ActionSendStreamDriverPermittedPeer directive can be specified
multiple times, for example when talking to an active/passive cluster
with different identities (or whatever else may come up).

To prevent relying on tcp, one could also add syslogsrv2.example.com
to /etc/hosts, which would also lead to

*.* @@syslogsrv2.example.com

In any case, the goal is to have automatic authentication, and this
works well with a common trusted CA. An "in-house" CA may also issue
certificates with IP addresses.

> > In case of the server authenticating the client, there is no such
> > obvious choice. I could use the remote client's IP address (provided
> > by the transport stack) and verify that it matches the IP address
> > inside the certificate. However, is this really useful? IMO, this is
> > more or less a check if the remote cert is signed by a common CA.
> > Something that may be useful, but does not depend on the client's IP
> > be known.
> >
> > Do you or somebody else on this list (Tom?) have a clue why it may be
> > useful to carry out such a check?
> 
> It doesn't seem very useful to me... I guess you could have a local
> "wildcard" or "netmask" saying that only clients from 192.0.2.* are
> allowed to connect; if your certificates contain IP addresses,
> presumably you'd use the address in the certificate (and not the
> transport) for that check. (But as I said, certificates containing
> IP addresses are not common.)

Even if the certificate has an IP - does that really gain me something?
I think using the certificate's IP doesn't provide me any additional
security in this case.

I think this authentication is not useful and the server really can not
automatically be configured to detect permitted remote clients - except
for wildcard names.

(as a side-note, rsyslog allows a mode where it just checks the validity
of the remote certificate - so a common CA can be used to automatically
authorize a broad range of machines).

> 
> > Back on the topic of easy but still secure configuration, I could
> > envision taken the reverse DNS name of the transport sender and
> > checking that against the identity presented in the
> > certificate. Anyone any thoughts/comments on this?
> 
> This doesn't seem very useful to me, and AFAIK no such thing
> is done in other protocols using TLS/certificates.

Plus, it would again introduce the DNS dependency. So that's probably a
bad idea.

But after this conversation: is there really any use case for IP
addresses in the certificate? I begin to get the feeling that we should
probably remove the text about them - there are ample work-arounds to
achieve the same, mostly better, effect.

Rainer

_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email