IETF Logo Mail Archive

Re: [Syslog] -transport-tls-12, section 4.2 suggestion

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Mon, 12 May 2008 04:50 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 105DA28C1B7; Sun, 11 May 2008 21:50:33 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5E3FA28C1A6 for <syslog@core3.amsl.com>; Sun, 11 May 2008 21:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.47
X-Spam-Level:
X-Spam-Status: No, score=-6.47 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLxKJFCLvLl4 for <syslog@core3.amsl.com>; Sun, 11 May 2008 21:50:30 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 010B928C1AE for <syslog@ietf.org>; Sun, 11 May 2008 21:50:29 -0700 (PDT)
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-2.cisco.com with ESMTP; 11 May 2008 21:50:26 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m4C4oQXl012188; Sun, 11 May 2008 21:50:26 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m4C4oQod023335; Mon, 12 May 2008 04:50:26 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 11 May 2008 21:50:26 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Sun, 11 May 2008 21:51:15 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE505C95877@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <OF49032716.4D528A3A-ON85257444.0062F26B-85257444.0063A431@agfa.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] -transport-tls-12, section 4.2 suggestion
Thread-Index: Acix/7ShJomhgzlgS0eKAgKPrhPSlAB6Hyfg
References: <577465F99B41C842AAFBE9ED71E70ABA308FBD@grfint2.intern.adiscon.com> <OF49032716.4D528A3A-ON85257444.0062F26B-85257444.0063A431@agfa.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: robert.horn@agfa.com, rgerhards@hq.adiscon.com
X-OriginalArrivalTime: 12 May 2008 04:50:26.0742 (UTC) FILETIME=[B2238D60:01C8B3EB]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=7630; t=1210567826; x=1211431826; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20[Syslog]=20-transport-tls-12,=20section =204.2=20suggestion |Sender:=20; bh=B9Hpnu31KwwzYhk5AGgo/XxcHH9iynGgKQcr0uv7OqA=; b=o07+0+QbCvlRlDjBo+KG/5VJBnZIS1+QnMGBahRe2xd62lGs9YsvIYMliG QSfgi4i+h/n3WGHkij56G0qDEVx9KyPq3fcE57zwRvmG0MyjynCw8waj9t4I VggDwKatOm;
Authentication-Results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: syslog@ietf.org
Subject: Re: [Syslog] -transport-tls-12, section 4.2 suggestion
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Hi Robert,

I think this mostly makes sense. Some questions inline below: 
> 
> I like Rainer's proposal.  I had forgotten about the IESG 
> desire for an out of box acceptable security.  I find this 
> mechanism a bit dubious, but specifying a reasonably secure 
> default configuration as a separate policy section could 
> work.  How about a structure like this:
> 
> In the protocol section, since this is TLS and TLS is 
> certificate oriented, we have the following requirements:
> 
>  - The TLS negotiation SHALL be configurable to verify 
> certificates based on the following rules:
>     - The local side shall negotiate based on a local 
> certificate store. 
> The local certificate store contains a list of 
> certificate/server pairs.
>     - The local side shall verify the remote side matches 
> certificates found in one of three stores:
>        - Specific certs where Certificate X is accepted for remote X. 
> (This is oriented toward self-signed certs)
>        - (optional) Signing certs, where Remote Y is accepted 
> if its cert was signed by Certificate Y.  No chain of trust.
>        - (optional) Signing certs, where Remote Z is accepted 
> if its cert was signed by Certificate Z.  Chain of trust is accepted.
>
[Joe] I'm not sure what the different between the last two are.  The
capability to chain certificates is indicated in the basic constraints
extension of a CA certificate and is validated by standard certificate
path validation (RFC 5280), is there a reason why this is not
sufficient?  Perhaps we can collapse the second two into one. 
 
>  Implementations may add other additional rules for other 
> situations where connections are accepted, but these shall 
> not be the default configuration. 
> 
[Joe] I believe that the ability to match a Subject name field should be
at least RECOMMENDED. 

> I made the use of signed certs optional because it pulls in 
> all the other issues around revocation, etc.  I'm not too 
> worried about having a server manage CRLs, updates, etc. but 
> it could be a problem demanding that all clients also manage 
> that.  I do worry about all the issues that come up in terms 
> of preserving syslog function during serious network 
> disruptions.  I do not want to see my problem reporting 
> facility (syslog) fail just because I lost the PKI servers.  
> I'm think of cases where those servers had been physically 
> destroyed, but 80% of the network still exists, e.g., Katrina.

[Joe] I think having just one mandatory option is fine. 

> 
> In the policy section,
> 
>   - By default, if verification fails then the connection 
> will be refused.
>   - Other rules may be added, but shall not be the out of box default.
> 
>   - There shall be a maintenance method to create a self-signed cert. 
> There shall be a maintenance method to import a self cert 
> into any of the cert stores.
>   - There may be a maintenance method for adding and removing 
> certs in the other two kinds of cert stores.
>   - There may be other authentication and authorization methods.
> 
> This then enables a reasonably useful default behavior.  With 
> proper instructions a skilled home user could follow these 
> rules.  It also enables direct implementation of many 
> enterprise rules, although not all of them.  It can encourage 
> developers to split their implementation so that new policy 
> structures do not cause problems with the underlying protocol 
> implementation.
> 
> The default home user scenario expectation is the following:
> 
>  - Installing a server:
>    - Home user generates a self-signed certificate for the 
> server, files it into the server local certificate store, and 
> saves it for making copies for clients.  The corresponding 
> private key lives somewhere in local configuration files and 
> the user can be instructed that they should never ever give 
> that information to other people.
> 
>  - Installing a client:
>    - Home user generates a self-signed certificate for the 
> client, files it into the client local certificate store, and 
> saves it for making copies for servers.  Again, private key 
> remains secret in configuration files somewhere.
>    - Home user copies the client self-signed certificate into 
> the server's specific certs for remotes.
>    - Home user copies the server self-signed certificate into 
> the client's specific certs for remotes.
> 
> This default does not scale to the large enterprise.  Adding 
> the two kinds of signed cert stores extends the default 
> configuration to support many, but not all, enterprise 
> policies.  There will be other enterprise oriented methods.
> 
> This default does meet the needs of a small enterprise or 
> skilled home user.  By making the default the use of 
> self-signed certificates you avoid all the problems resulting 
> from the absence of syslog oriented PKI infrastructures.  
> Even when there are suitable PKI infrastructures for identity 
> management, these are not generally suitable for applications 
> authentication management.  Introducing a PKI dependency will 
> effectively delay the use of syslog-tls for many more years.
> 
> Using self-signed certificates leaves the home user with the 
> need to copy around these certificates.  Moving files from 
> here to there is something that can be handled by media, web 
> aps, etc.  This is simplified by the lack of security 
> requirements.  All you need is fingerprint display if you 
> have reason to question the copying.  It will overwhelm the 
> unskilled home user, but they probably won't be configuring 
> syslog.  Someone who is setting up syslog can probably handle 
> instructions for copying certificates from place to place.  
> Self-signed certs may take a few minutes to generate, but 
> they are something that is not overly burdensome for syslog 
> maintenance programs.
> 

[Joe] This is where a standard fingerprint format can help. 

> This also scales to the needs of many service providers.  If 
> a service provider is installing thousands of dumb remote 
> systems to unsupported locations (i.e., unskilled home user 
> systems), they can preconfigure the dumb remote with 
> self-signed certificates.  Since the rules only require 
> matching, the service provider does not need to try to match 
> hostnames, IP addresses, etc.  I would base the cert on the 
> device serial number. This would not be perfect security.  

[Joe] So in this scenario you match the end entity cert against a local
store, correct?  

>I 
> could break into the dumb remote and steal the private key.  
> But it is a huge improvement over the current situation.  It 
> does force me to break in, and none of the PKI structures 
> protect against that.  Revocation is a bigger administrative 
> problem but you can manage revocation of self-signed 
> certificates for simple situations like this even at the 
> service provider scale.
> 
> Kind Regards,
> 
> Robert Horn | Agfa HealthCare
> Research Scientist | HE/Technology Office T  +1 978 897 4860
> 
> Agfa HealthCare Corporation, 100 Challenger Road, Ridgefield 
> Park, NJ, 07660-2199, United States 
> http://www.agfa.com/healthcare/ Click on link to read 
> important disclaimer: 
> http://www.agfa.com/healthcare/maildisclaimer
> 
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email