Re: [Syslog] -transport-tls-12, section 4.2 suggestion
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Mon, 12 May 2008 04:50 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 105DA28C1B7; Sun, 11 May 2008 21:50:33 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5E3FA28C1A6 for <syslog@core3.amsl.com>; Sun, 11 May 2008 21:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.47
X-Spam-Level:
X-Spam-Status: No, score=-6.47 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLxKJFCLvLl4 for <syslog@core3.amsl.com>; Sun, 11 May 2008 21:50:30 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 010B928C1AE for <syslog@ietf.org>; Sun, 11 May 2008 21:50:29 -0700 (PDT)
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-2.cisco.com with ESMTP; 11 May 2008 21:50:26 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m4C4oQXl012188; Sun, 11 May 2008 21:50:26 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m4C4oQod023335; Mon, 12 May 2008 04:50:26 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 11 May 2008 21:50:26 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Sun, 11 May 2008 21:51:15 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE505C95877@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <OF49032716.4D528A3A-ON85257444.0062F26B-85257444.0063A431@agfa.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] -transport-tls-12, section 4.2 suggestion
Thread-Index: Acix/7ShJomhgzlgS0eKAgKPrhPSlAB6Hyfg
References: <577465F99B41C842AAFBE9ED71E70ABA308FBD@grfint2.intern.adiscon.com> <OF49032716.4D528A3A-ON85257444.0062F26B-85257444.0063A431@agfa.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: robert.horn@agfa.com, rgerhards@hq.adiscon.com
X-OriginalArrivalTime: 12 May 2008 04:50:26.0742 (UTC) FILETIME=[B2238D60:01C8B3EB]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=7630; t=1210567826; x=1211431826; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20[Syslog]=20-transport-tls-12,=20section =204.2=20suggestion |Sender:=20; bh=B9Hpnu31KwwzYhk5AGgo/XxcHH9iynGgKQcr0uv7OqA=; b=o07+0+QbCvlRlDjBo+KG/5VJBnZIS1+QnMGBahRe2xd62lGs9YsvIYMliG QSfgi4i+h/n3WGHkij56G0qDEVx9KyPq3fcE57zwRvmG0MyjynCw8waj9t4I VggDwKatOm;
Authentication-Results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: syslog@ietf.org
Subject: Re: [Syslog] -transport-tls-12, section 4.2 suggestion
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Hi Robert, I think this mostly makes sense. Some questions inline below: > > I like Rainer's proposal. I had forgotten about the IESG > desire for an out of box acceptable security. I find this > mechanism a bit dubious, but specifying a reasonably secure > default configuration as a separate policy section could > work. How about a structure like this: > > In the protocol section, since this is TLS and TLS is > certificate oriented, we have the following requirements: > > - The TLS negotiation SHALL be configurable to verify > certificates based on the following rules: > - The local side shall negotiate based on a local > certificate store. > The local certificate store contains a list of > certificate/server pairs. > - The local side shall verify the remote side matches > certificates found in one of three stores: > - Specific certs where Certificate X is accepted for remote X. > (This is oriented toward self-signed certs) > - (optional) Signing certs, where Remote Y is accepted > if its cert was signed by Certificate Y. No chain of trust. > - (optional) Signing certs, where Remote Z is accepted > if its cert was signed by Certificate Z. Chain of trust is accepted. > [Joe] I'm not sure what the different between the last two are. The capability to chain certificates is indicated in the basic constraints extension of a CA certificate and is validated by standard certificate path validation (RFC 5280), is there a reason why this is not sufficient? Perhaps we can collapse the second two into one. > Implementations may add other additional rules for other > situations where connections are accepted, but these shall > not be the default configuration. > [Joe] I believe that the ability to match a Subject name field should be at least RECOMMENDED. > I made the use of signed certs optional because it pulls in > all the other issues around revocation, etc. I'm not too > worried about having a server manage CRLs, updates, etc. but > it could be a problem demanding that all clients also manage > that. I do worry about all the issues that come up in terms > of preserving syslog function during serious network > disruptions. I do not want to see my problem reporting > facility (syslog) fail just because I lost the PKI servers. > I'm think of cases where those servers had been physically > destroyed, but 80% of the network still exists, e.g., Katrina. [Joe] I think having just one mandatory option is fine. > > In the policy section, > > - By default, if verification fails then the connection > will be refused. > - Other rules may be added, but shall not be the out of box default. > > - There shall be a maintenance method to create a self-signed cert. > There shall be a maintenance method to import a self cert > into any of the cert stores. > - There may be a maintenance method for adding and removing > certs in the other two kinds of cert stores. > - There may be other authentication and authorization methods. > > This then enables a reasonably useful default behavior. With > proper instructions a skilled home user could follow these > rules. It also enables direct implementation of many > enterprise rules, although not all of them. It can encourage > developers to split their implementation so that new policy > structures do not cause problems with the underlying protocol > implementation. > > The default home user scenario expectation is the following: > > - Installing a server: > - Home user generates a self-signed certificate for the > server, files it into the server local certificate store, and > saves it for making copies for clients. The corresponding > private key lives somewhere in local configuration files and > the user can be instructed that they should never ever give > that information to other people. > > - Installing a client: > - Home user generates a self-signed certificate for the > client, files it into the client local certificate store, and > saves it for making copies for servers. Again, private key > remains secret in configuration files somewhere. > - Home user copies the client self-signed certificate into > the server's specific certs for remotes. > - Home user copies the server self-signed certificate into > the client's specific certs for remotes. > > This default does not scale to the large enterprise. Adding > the two kinds of signed cert stores extends the default > configuration to support many, but not all, enterprise > policies. There will be other enterprise oriented methods. > > This default does meet the needs of a small enterprise or > skilled home user. By making the default the use of > self-signed certificates you avoid all the problems resulting > from the absence of syslog oriented PKI infrastructures. > Even when there are suitable PKI infrastructures for identity > management, these are not generally suitable for applications > authentication management. Introducing a PKI dependency will > effectively delay the use of syslog-tls for many more years. > > Using self-signed certificates leaves the home user with the > need to copy around these certificates. Moving files from > here to there is something that can be handled by media, web > aps, etc. This is simplified by the lack of security > requirements. All you need is fingerprint display if you > have reason to question the copying. It will overwhelm the > unskilled home user, but they probably won't be configuring > syslog. Someone who is setting up syslog can probably handle > instructions for copying certificates from place to place. > Self-signed certs may take a few minutes to generate, but > they are something that is not overly burdensome for syslog > maintenance programs. > [Joe] This is where a standard fingerprint format can help. > This also scales to the needs of many service providers. If > a service provider is installing thousands of dumb remote > systems to unsupported locations (i.e., unskilled home user > systems), they can preconfigure the dumb remote with > self-signed certificates. Since the rules only require > matching, the service provider does not need to try to match > hostnames, IP addresses, etc. I would base the cert on the > device serial number. This would not be perfect security. [Joe] So in this scenario you match the end entity cert against a local store, correct? >I > could break into the dumb remote and steal the private key. > But it is a huge improvement over the current situation. It > does force me to break in, and none of the PKI structures > protect against that. Revocation is a bigger administrative > problem but you can manage revocation of self-signed > certificates for simple situations like this even at the > service provider scale. > > Kind Regards, > > Robert Horn | Agfa HealthCare > Research Scientist | HE/Technology Office T +1 978 897 4860 > > Agfa HealthCare Corporation, 100 Challenger Road, Ridgefield > Park, NJ, 07660-2199, United States > http://www.agfa.com/healthcare/ Click on link to read > important disclaimer: > http://www.agfa.com/healthcare/maildisclaimer > _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] -transport-tls-12, section 4.2.3 (finger… Rainer Gerhards
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Rainer Gerhards
- [Syslog] Self-signed certs - was: Re: -transport-… Chris Lonvick
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Joseph Salowey (jsalowey)
- Re: [Syslog] -transport-tls-12, section 4.2.3 (fi… Rainer Gerhards
- [Syslog] Missing email? was: Re: -transport-tls-1… Chris Lonvick
- [Syslog] -transport-tls-12, section 4.2 suggestion robert.horn
- Re: [Syslog] Missing email? was: Re: -transport-t… Rainer Gerhards
- Re: [Syslog] -transport-tls-12, section 4.2 sugge… Joseph Salowey (jsalowey)
- Re: [Syslog] Self-signed certs - was: Re: -transp… Pasi.Eronen@nokia.com
- Re: [Syslog] -transport-tls-12, section 4.2 sugge… robert.horn