Re: [Syslog] Some revised text for syslog TLS
<Pasi.Eronen@nokia.com> Tue, 27 May 2008 05:52 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E7013A6B4C; Mon, 26 May 2008 22:52:39 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2EA303A6B3A for <syslog@core3.amsl.com>; Mon, 26 May 2008 22:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.324
X-Spam-Level:
X-Spam-Status: No, score=-6.324 tagged_above=-999 required=5 tests=[AWL=0.275, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47cyAMdLsePZ for <syslog@core3.amsl.com>; Mon, 26 May 2008 22:52:36 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 56F2328C208 for <syslog@ietf.org>; Mon, 26 May 2008 22:52:21 -0700 (PDT)
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m4R5pO9Z018052; Tue, 27 May 2008 08:51:45 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 27 May 2008 08:51:30 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 27 May 2008 08:51:29 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 27 May 2008 08:51:28 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72BDC304@vaebe104.NOE.Nokia.com>
In-Reply-To: <98AE08B66FAD1742BED6CB9522B7312204FB5D64@xmb-rtp-20d.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUAAB+j5bAAAgUOIAAN6Qxg
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com><577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com><124CF5A7D55D6F43A4FD9437F28254D8EED6CB@ALPMLVEM05.e2k.ad.ge.com> <98AE08B66FAD1742BED6CB9522B7312204FB5D64@xmb-rtp-20d.amer.cisco.com>
From: Pasi.Eronen@nokia.com
To: aokmians@cisco.com, syslog@ietf.org
X-OriginalArrivalTime: 27 May 2008 05:51:29.0948 (UTC) FILETIME=[B5C6ADC0:01C8BFBD]
X-Nokia-AV: Clean
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Anton, If you want to work on specifying such structured data fields, that's fine (I agree that they could useful in many situations); but it's way too late to add anything this big to the syslog-transport-tls draft. So this would be a separate document. Best regards, Pasi > -----Original Message----- > From: Anton Okmyanskiy (aokmians) > Sent: 27 May, 2008 02:24 > To: Moehrke, John (GE Healthcare); Rainer Gerhards; Joseph > Salowey (jsalowey); syslog@ietf.org > Subject: Re: [Syslog] Some revised text for syslog TLS > > The bottom line is that when you use a certificate to authenticate > the client, the trusted identity of the client that gets recorded in > the messages must be derived from certificate, not from other source > like IP address or whatever device or DNS says device might be. > > This can be handled by specifying appropriate tags (structured data > ID) for certificate fields and recommending that those are added to > the message (or updated) by the receiver if certificate-based > authenticate is used. > > This would prevent the case of some client using legitimate (but > stolen) certificate, and then indicating identity of another device > in the message itself. If such behavior were allowed, then when > certificate is stolen (but not yet put on certificate revocation > list), this would extend the security threat to a wider scope of > issues because we are allowing one device to masquerade as any other > device. > > Note, that we need structured data field IDs not only for > certificate Common Name (CN), but also for fields such as > fingerprint. When one certificate is revoked and a new one issues, > I believe the new one can have the same common name. In that case, > if the receiver wants to identify which exact certificate the client > used, you need to see the fingerprint or other similar certificate > fields. We had a use-case with customer where such information was > needed with TLS (albeit not in syslog context). > > Regards, > Anton. > > > > > -----Original Message----- > > From: syslog-bounces@ietf.org > > [mailto:syslog-bounces@ietf.org] On Behalf Of Moehrke, John > > (GE Healthcare) > > Sent: Monday, May 26, 2008 3:16 PM > > To: Rainer Gerhards; Joseph Salowey (jsalowey); syslog@ietf.org > > Subject: Re: [Syslog] Some revised text for syslog TLS > > > > I have said this before, but people continue to go down > this path... > > > > The TLS authentication has already proven that the 'other' > > side holds the private key... this is cryptographically > > secure authentication... > > > > Adding a check of the IP address or DNS address adds very > > very little value, and is not cryptographically secure > > (unless using Secure DNS). > > > > Therefore there is little value to adding IP or hostname > > checking, and lots of ways it will break (NAT, DHCP, etc). > > > > John > > > > > -----Original Message----- > > > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On > > Behalf > > > Of Rainer Gerhards > > > Sent: Monday, May 26, 2008 2:19 AM > > > To: Joseph Salowey (jsalowey); syslog@ietf.org > > > Subject: Re: [Syslog] Some revised text for syslog TLS > > > > > > Joe, > > > > > > I like this new text. > > > > > > I am snipping everything below except the one thing that drives a > > > question: > > > > > > > o IP-address-based authorization where the IP address > > configured > > > > for the authorized peer is compared against the subject > fields in > > the > > > > certificate. Implementations MUST support matching the > > IP address > > > > against a SubjectAltName field of type iPAddress and > MAY support > > > > checking the configured IP address against the Common > Name portion > > of > > > > the Subject Distinguished Name. Matching for certificate > > credentials > > > > is > > > > performed using the matching rules specified by [3]. > If more than > > one > > > > IP Address identity is present in the certificate a match > > in any one > > > of > > > > the set is considered acceptable. > > > > > > I know that you asked about the usefulness of IP based > > authentication > > > before. I am now at a point where I have actually finished my > > > implementation and I am "polishing" it. On my agenda is now > > a as good > > as > > > possible *automatic* authentication. > > > > > > For the client to authorize the server, it is quite easy. There > > usually > > > is something like > > > > > > *.* @@192.0.2.1 > > > > > > In this case, I can take the destination ("192.0.2.1") and > > verify it > > > against the server's certificate. Provided we use a > common root CA, > > this > > > setup is fully automatic. So supporting IPs is quite > useful in this > > > scenario. Please note that operators tend to use IP > addresses over > > > hostnames because of reliability reasons and early startup > > capability > > of > > > the syslogd (before DNS resolutions is available). So this is of > > > practical relevance. > > > > > > In case of the server authenticating the client, there is no such > > > obvious choice. I could use the remote client's IP > address (provided > > by > > > the transport stack) and verify that it matches the IP > > address inside > > > the certificate. However, is this really useful? IMO, this > > is more or > > > less a check if the remote cert is signed by a common CA. > Something > > that > > > may be useful, but does not depend on the client's IP be known. > > > > > > Do you or somebody else on this list (Tom?) have a clue why > > it may be > > > useful to carry out such a check? > > > > > > Back on the topic of easy but still secure configuration, I could > > > envision taken the reverse DNS name of the transport sender and > > checking > > > that against the identity presented in the certificate. > Anyone any > > > thoughts/comments on this? > > > > > > Again, all of this assumes a common root CA and > > certificates signed by > > > it (not necessarily full PKI, but an "in-house CA"). > > > > > > Thanks, > > > Rainer > > > _______________________________________________ > > > Syslog mailing list > > > Syslog@ietf.org > > > https://www.ietf.org/mailman/listinfo/syslog > > _______________________________________________ > > Syslog mailing list > > Syslog@ietf.org > > https://www.ietf.org/mailman/listinfo/syslog > > > _______________________________________________ > Syslog mailing list > Syslog@ietf.org > https://www.ietf.org/mailman/listinfo/syslog > _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- [Syslog] Some revised text for syslog TLS Joseph Salowey (jsalowey)
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Moehrke, John (GE Healthcare)
- Re: [Syslog] Some revised text for syslog TLS Anton Okmyanskiy (aokmians)
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte