Re: [Syslog] Some revised text for syslog TLS
<Pasi.Eronen@nokia.com> Mon, 26 May 2008 12:28 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D89033A6A0C; Mon, 26 May 2008 05:28:49 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A9F263A6A0C for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.287
X-Spam-Level:
X-Spam-Status: No, score=-6.287 tagged_above=-999 required=5 tests=[AWL=0.312, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwKdyaZXSHKt for <syslog@core3.amsl.com>; Mon, 26 May 2008 05:28:47 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 83DCB3A68A9 for <syslog@ietf.org>; Mon, 26 May 2008 05:28:47 -0700 (PDT)
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m4QCSZFe013416; Mon, 26 May 2008 15:28:46 +0300
Received: from vaebh103.NOE.Nokia.com ([10.160.244.24]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 May 2008 15:28:34 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by vaebh103.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 26 May 2008 15:28:34 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 26 May 2008 15:28:33 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72B36A0B@vaebe104.NOE.Nokia.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUAAArie5A=
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
From: Pasi.Eronen@nokia.com
To: rgerhards@hq.adiscon.com, syslog@ietf.org
X-OriginalArrivalTime: 26 May 2008 12:28:34.0614 (UTC) FILETIME=[03F87560:01C8BF2C]
X-Nokia-AV: Clean
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Rainer Gerhards wrote:
> I know that you asked about the usefulness of IP based
> authentication before. I am now at a point where I have actually
> finished my implementation and I am "polishing" it. On my agenda is
> now a as good as possible *automatic* authentication.
>
> For the client to authorize the server, it is quite easy. There
> usually is something like
>
> *.* @@192.0.2.1
>
> In this case, I can take the destination ("192.0.2.1") and verify it
> against the server's certificate. Provided we use a common root CA,
> this setup is fully automatic. So supporting IPs is quite useful in
> this scenario. Please note that operators tend to use IP addresses
> over hostnames because of reliability reasons and early startup
> capability of the syslogd (before DNS resolutions is available). So
> this is of practical relevance.
I agree that in some situations, we don't want to depend on
DNS. However, this is somewhat orthogonal to what the certificate
contains.
AFAIK certificates containing IP addresses are quite rare; host names
are much common. To support such situation -- while still avoiding
dependency on DNS -- it would be useful if you could configure the IP
address (used for opening the connection) and server name (compared
against the certificate, but not looked up from DNS) separately.
I don't know what that would look like in your configuration file
syntax, but maybe something like
*.* @@192.0.2.1[syslogsrv2.example.com]
> In case of the server authenticating the client, there is no such
> obvious choice. I could use the remote client's IP address (provided
> by the transport stack) and verify that it matches the IP address
> inside the certificate. However, is this really useful? IMO, this is
> more or less a check if the remote cert is signed by a common CA.
> Something that may be useful, but does not depend on the client's IP
> be known.
>
> Do you or somebody else on this list (Tom?) have a clue why it may be
> useful to carry out such a check?
It doesn't seem very useful to me... I guess you could have a local
"wildcard" or "netmask" saying that only clients from 192.0.2.* are
allowed to connect; if your certificates contain IP addresses,
presumably you'd use the address in the certificate (and not the
transport) for that check. (But as I said, certificates containing
IP addresses are not common.)
> Back on the topic of easy but still secure configuration, I could
> envision taken the reverse DNS name of the transport sender and
> checking that against the identity presented in the
> certificate. Anyone any thoughts/comments on this?
This doesn't seem very useful to me, and AFAIK no such thing
is done in other protocols using TLS/certificates.
Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- [Syslog] Some revised text for syslog TLS Joseph Salowey (jsalowey)
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Moehrke, John (GE Healthcare)
- Re: [Syslog] Some revised text for syslog TLS Anton Okmyanskiy (aokmians)
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte