IETF Logo Mail Archive

Re: [Syslog] Some revised text for syslog TLS

<Pasi.Eronen@nokia.com> Tue, 27 May 2008 05:52 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E7013A6B4C; Mon, 26 May 2008 22:52:39 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EA303A6B3A for <syslog@core3.amsl.com>; Mon, 26 May 2008 22:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.324
X-Spam-Level:
X-Spam-Status: No, score=-6.324 tagged_above=-999 required=5 tests=[AWL=0.275, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47cyAMdLsePZ for <syslog@core3.amsl.com>; Mon, 26 May 2008 22:52:36 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 56F2328C208 for <syslog@ietf.org>; Mon, 26 May 2008 22:52:21 -0700 (PDT)
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m4R5pO9Z018052; Tue, 27 May 2008 08:51:45 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 27 May 2008 08:51:30 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 27 May 2008 08:51:29 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 27 May 2008 08:51:28 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72BDC304@vaebe104.NOE.Nokia.com>
In-Reply-To: <98AE08B66FAD1742BED6CB9522B7312204FB5D64@xmb-rtp-20d.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUAAB+j5bAAAgUOIAAN6Qxg
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com><577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com><124CF5A7D55D6F43A4FD9437F28254D8EED6CB@ALPMLVEM05.e2k.ad.ge.com> <98AE08B66FAD1742BED6CB9522B7312204FB5D64@xmb-rtp-20d.amer.cisco.com>
From: Pasi.Eronen@nokia.com
To: aokmians@cisco.com, syslog@ietf.org
X-OriginalArrivalTime: 27 May 2008 05:51:29.0948 (UTC) FILETIME=[B5C6ADC0:01C8BFBD]
X-Nokia-AV: Clean
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Anton,

If you want to work on specifying such structured data fields,
that's fine (I agree that they could useful in many situations);
but it's way too late to add anything this big to the 
syslog-transport-tls draft. So this would be a separate document.

Best regards,
Pasi

> -----Original Message-----
> From: Anton Okmyanskiy (aokmians)
> Sent: 27 May, 2008 02:24
> To: Moehrke, John (GE Healthcare); Rainer Gerhards; Joseph 
> Salowey (jsalowey); syslog@ietf.org
> Subject: Re: [Syslog] Some revised text for syslog TLS
> 
> The bottom line is that when you use a certificate to authenticate
> the client, the trusted identity of the client that gets recorded in
> the messages must be derived from certificate, not from other source
> like IP address or whatever device or DNS says device might be.
> 
> This can be handled by specifying appropriate tags (structured data
> ID) for certificate fields and recommending that those are added to
> the message (or updated) by the receiver if certificate-based
> authenticate is used.
> 
> This would prevent the case of some client using legitimate (but
> stolen) certificate, and then indicating identity of another device
> in the message itself. If such behavior were allowed, then when
> certificate is stolen (but not yet put on certificate revocation
> list), this would extend the security threat to a wider scope of
> issues because we are allowing one device to masquerade as any other
> device.
> 
> Note, that we need structured data field IDs not only for
> certificate Common Name (CN), but also for fields such as
> fingerprint.  When one certificate is revoked and a new one issues,
> I believe the new one can have the same common name.  In that case,
> if the receiver wants to identify which exact certificate the client
> used, you need to see the fingerprint or other similar certificate
> fields. We had a use-case with customer where such information was
> needed with TLS (albeit not in syslog context).
> 
> Regards,
> Anton.
> 
> 
> 
> > -----Original Message-----
> > From: syslog-bounces@ietf.org 
> > [mailto:syslog-bounces@ietf.org] On Behalf Of Moehrke, John 
> > (GE Healthcare)
> > Sent: Monday, May 26, 2008 3:16 PM
> > To: Rainer Gerhards; Joseph Salowey (jsalowey); syslog@ietf.org
> > Subject: Re: [Syslog] Some revised text for syslog TLS
> > 
> > I have said this before, but people continue to go down 
> this path... 
> > 
> > The TLS authentication has already proven that the 'other' 
> > side holds the private key... this is cryptographically 
> > secure authentication... 
> > 
> > Adding a check of the IP address or DNS address adds very 
> > very little value, and is not cryptographically secure 
> > (unless using Secure DNS). 
> > 
> > Therefore there is little value to adding IP or hostname 
> > checking, and lots of ways it will break (NAT, DHCP, etc).
> > 
> > John
> > 
> > > -----Original Message-----
> > > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> > Behalf
> > > Of Rainer Gerhards
> > > Sent: Monday, May 26, 2008 2:19 AM
> > > To: Joseph Salowey (jsalowey); syslog@ietf.org
> > > Subject: Re: [Syslog] Some revised text for syslog TLS
> > > 
> > > Joe,
> > > 
> > > I like this new text.
> > > 
> > > I am snipping everything below except the one thing that drives a
> > > question:
> > > 
> > > > 	o IP-address-based authorization where the IP address 
> > configured 
> > > > for the authorized peer is compared against the subject 
> fields in
> > the
> > > > certificate.  Implementations MUST support matching the 
> > IP address 
> > > > against a SubjectAltName field of type iPAddress and 
> MAY support 
> > > > checking the configured IP address against the Common 
> Name portion
> > of
> > > > the Subject Distinguished Name.  Matching for certificate
> > credentials
> > > > is
> > > > performed using the matching rules specified by [3].  
> If more than
> > one
> > > > IP Address identity is present in the certificate a match 
> > in any one
> > > of
> > > > the set is considered acceptable.
> > > 
> > > I know that you asked about the usefulness of IP based 
> > authentication 
> > > before. I am now at a point where I have actually finished my 
> > > implementation and I am "polishing" it. On my agenda is now 
> > a as good
> > as
> > > possible *automatic* authentication.
> > > 
> > > For the client to authorize the server, it is quite easy. There
> > usually
> > > is something like
> > > 
> > > *.* @@192.0.2.1
> > > 
> > > In this case, I can take the destination ("192.0.2.1") and 
> > verify it 
> > > against the server's certificate. Provided we use a 
> common root CA,
> > this
> > > setup is fully automatic. So supporting IPs is quite 
> useful in this 
> > > scenario. Please note that operators tend to use IP 
> addresses over 
> > > hostnames because of reliability reasons and early startup 
> > capability
> > of
> > > the syslogd (before DNS resolutions is available). So this is of 
> > > practical relevance.
> > > 
> > > In case of the server authenticating the client, there is no such 
> > > obvious choice. I could use the remote client's IP 
> address (provided
> > by
> > > the transport stack) and verify that it matches the IP 
> > address inside 
> > > the certificate. However, is this really useful? IMO, this 
> > is more or 
> > > less a check if the remote cert is signed by a common CA. 
> Something
> > that
> > > may be useful, but does not depend on the client's IP be known.
> > > 
> > > Do you or somebody else on this list (Tom?) have a clue why 
> > it may be 
> > > useful to carry out such a check?
> > > 
> > > Back on the topic of easy but still secure configuration, I could 
> > > envision taken the reverse DNS name of the transport sender and
> > checking
> > > that against the identity presented in the certificate. 
> Anyone any 
> > > thoughts/comments on this?
> > > 
> > > Again, all of this assumes a common root CA and 
> > certificates signed by 
> > > it (not necessarily full PKI, but an "in-house CA").
> > > 
> > > Thanks,
> > > Rainer
> > > _______________________________________________
> > > Syslog mailing list
> > > Syslog@ietf.org
> > > https://www.ietf.org/mailman/listinfo/syslog
> > _______________________________________________
> > Syslog mailing list
> > Syslog@ietf.org
> > https://www.ietf.org/mailman/listinfo/syslog
> > 
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
> 
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email