[Syslog] -transport-tls-12, section 4.2 suggestion
robert.horn@agfa.com Fri, 09 May 2008 18:12 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2691E28C0E7; Fri, 9 May 2008 11:12:44 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A3B1628C0E7 for <syslog@core3.amsl.com>; Fri, 9 May 2008 11:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVSjUyElB4VN for <syslog@core3.amsl.com>; Fri, 9 May 2008 11:12:41 -0700 (PDT)
Received: from mornm01-out.agfa.com (mornm01-out.agfa.com [134.54.1.75]) by core3.amsl.com (Postfix) with ESMTP id 6F8B03A687E for <syslog@ietf.org>; Fri, 9 May 2008 11:11:19 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,461,1204498800"; d="scan'208";a="45208301"
Received: from morswa037.agfa.be (HELO morswa037.be.local) ([10.232.220.21]) by mornm01-out.agfa.com with ESMTP; 09 May 2008 20:08:25 +0200
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA308FBD@grfint2.intern.adiscon.com>
To: rgerhards@hq.adiscon.com
MIME-Version: 1.0
Message-ID: <OF49032716.4D528A3A-ON85257444.0062F26B-85257444.0063A431@agfa.com>
From: robert.horn@agfa.com
Date: Fri, 09 May 2008 14:08:21 -0400
Cc: syslog@ietf.org
Subject: [Syslog] -transport-tls-12, section 4.2 suggestion
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
I like Rainer's proposal. I had forgotten about the IESG desire for an out of box acceptable security. I find this mechanism a bit dubious, but specifying a reasonably secure default configuration as a separate policy section could work. How about a structure like this: In the protocol section, since this is TLS and TLS is certificate oriented, we have the following requirements: - The TLS negotiation SHALL be configurable to verify certificates based on the following rules: - The local side shall negotiate based on a local certificate store. The local certificate store contains a list of certificate/server pairs. - The local side shall verify the remote side matches certificates found in one of three stores: - Specific certs where Certificate X is accepted for remote X. (This is oriented toward self-signed certs) - (optional) Signing certs, where Remote Y is accepted if its cert was signed by Certificate Y. No chain of trust. - (optional) Signing certs, where Remote Z is accepted if its cert was signed by Certificate Z. Chain of trust is accepted. Implementations may add other additional rules for other situations where connections are accepted, but these shall not be the default configuration. I made the use of signed certs optional because it pulls in all the other issues around revocation, etc. I'm not too worried about having a server manage CRLs, updates, etc. but it could be a problem demanding that all clients also manage that. I do worry about all the issues that come up in terms of preserving syslog function during serious network disruptions. I do not want to see my problem reporting facility (syslog) fail just because I lost the PKI servers. I'm think of cases where those servers had been physically destroyed, but 80% of the network still exists, e.g., Katrina. In the policy section, - By default, if verification fails then the connection will be refused. - Other rules may be added, but shall not be the out of box default. - There shall be a maintenance method to create a self-signed cert. There shall be a maintenance method to import a self cert into any of the cert stores. - There may be a maintenance method for adding and removing certs in the other two kinds of cert stores. - There may be other authentication and authorization methods. This then enables a reasonably useful default behavior. With proper instructions a skilled home user could follow these rules. It also enables direct implementation of many enterprise rules, although not all of them. It can encourage developers to split their implementation so that new policy structures do not cause problems with the underlying protocol implementation. The default home user scenario expectation is the following: - Installing a server: - Home user generates a self-signed certificate for the server, files it into the server local certificate store, and saves it for making copies for clients. The corresponding private key lives somewhere in local configuration files and the user can be instructed that they should never ever give that information to other people. - Installing a client: - Home user generates a self-signed certificate for the client, files it into the client local certificate store, and saves it for making copies for servers. Again, private key remains secret in configuration files somewhere. - Home user copies the client self-signed certificate into the server's specific certs for remotes. - Home user copies the server self-signed certificate into the client's specific certs for remotes. This default does not scale to the large enterprise. Adding the two kinds of signed cert stores extends the default configuration to support many, but not all, enterprise policies. There will be other enterprise oriented methods. This default does meet the needs of a small enterprise or skilled home user. By making the default the use of self-signed certificates you avoid all the problems resulting from the absence of syslog oriented PKI infrastructures. Even when there are suitable PKI infrastructures for identity management, these are not generally suitable for applications authentication management. Introducing a PKI dependency will effectively delay the use of syslog-tls for many more years. Using self-signed certificates leaves the home user with the need to copy around these certificates. Moving files from here to there is something that can be handled by media, web aps, etc. This is simplified by the lack of security requirements. All you need is fingerprint display if you have reason to question the copying. It will overwhelm the unskilled home user, but they probably won't be configuring syslog. Someone who is setting up syslog can probably handle instructions for copying certificates from place to place. Self-signed certs may take a few minutes to generate, but they are something that is not overly burdensome for syslog maintenance programs. This also scales to the needs of many service providers. If a service provider is installing thousands of dumb remote systems to unsupported locations (i.e., unskilled home user systems), they can preconfigure the dumb remote with self-signed certificates. Since the rules only require matching, the service provider does not need to try to match hostnames, IP addresses, etc. I would base the cert on the device serial number. This would not be perfect security. I could break into the dumb remote and steal the private key. But it is a huge improvement over the current situation. It does force me to break in, and none of the PKI structures protect against that. Revocation is a bigger administrative problem but you can manage revocation of self-signed certificates for simple situations like this even at the service provider scale. Kind Regards, Robert Horn | Agfa HealthCare Research Scientist | HE/Technology Office T +1 978 897 4860 Agfa HealthCare Corporation, 100 Challenger Road, Ridgefield Park, NJ, 07660-2199, United States http://www.agfa.com/healthcare/ Click on link to read important disclaimer: http://www.agfa.com/healthcare/maildisclaimer _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] -transport-tls-12, section 4.2.3 (finger… Rainer Gerhards
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Rainer Gerhards
- [Syslog] Self-signed certs - was: Re: -transport-… Chris Lonvick
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Joseph Salowey (jsalowey)
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Rainer Gerhards
- [Syslog] Missing email? was: Re: -transport-tls-1… Chris Lonvick
- [Syslog] -transport-tls-12, section 4.2 suggestion robert.horn
- Re: [Syslog] Missing email? was: Re: -transport-t… Rainer Gerhards
- Re: [Syslog] -transport-tls-12, section 4.2 sugge… Joseph Salowey (jsalowey)
- Re: [Syslog] Self-signed certs - was: Re: -transp… Pasi.Eronen@nokia.com
- Re: [Syslog] -transport-tls-12, section 4.2 sugge… robert.horn