Re: [Syslog] Review of draft-petch-gerhards-syslog-transport-dtls-01.txt

"tom.petch" <cfinss@dial.pipex.com> Wed, 22 April 2009 20:36 UTC

From: "tom.petch" <cfinss@dial.pipex.com>
To: fenghongyan <hongyanfeng@huaweisymantec.com>, syslog@ietf.org
Date: Wed, 22 Apr 2009 15:24:29 +0200
Subject: Re: [Syslog] Review of draft-petch-gerhards-syslog-transport-dtls-01.txt

Linda,

Thank you for your comments and my apologies for not responding earlier.

Bear in mind that this I-D was written in 2006 when the tls draft did not exist
in its present form and so could not be referenced.  It has been re-issued now
in the light of renewed interest in the topic and this required the references
to be updated but otherwise the I-D was not changed.

So yes, more revision is needed and hopefully will happen next week.

Meanwhile, bear in mind that it was written to offer alternatives to the
approaches being considered in 2006, especially that the roles of DTLS client
and server could be reversed with advantage which in turn needs a protocol to
agree this, which in turn is a common practice with other TLS applications and
so was lifted from that.

As to whether or not this is a good idea, well, the way to find out is to write
an I-D and see what the response is.  If there is no consensus to support an
idea, then the editor removes it :-)

Tom Petch


----- Original Message -----
From: "fenghongyan" <hongyanfeng@huaweisymantec.com>
To: <syslog@ietf.org>
Sent: Saturday, April 11, 2009 6:20 PM
Subject: [Syslog] Review of draft-petch-gerhards-syslog-transport-dtls-01.txt


> Hi,
>
> I read this proposal "draft-petch-gerhards-syslog-transport-dtls-01",
> and I have some comments on it:
>
> The changes I made in my new version also need to be made in this draft, I
> think.
>
>
> section 1.3
>    The security discussion is similar to that in syslog/tls; Pasi
>    recommended that simply a pointer to syslog/tls would be better.
>
> section 1.4
>    This is covered in syslog/tls; a pointer to that document would work.
>
> section 2.1
>   I don't see whether it is necessary for a syslog server to be a DTLS
>   client.
>   In my understanding, a DTLS request is always initiated by a DTLS client; if
>   the syslog server is the DTLS client,
>   how does a server know which client wants to connect to it?
>   I think RFC 5425 has stated authentication in great detail and come up with
>   the corresponding security policy.
>   Also, fingerprint is aimed to cover the case you discussed in your draft
>   having a certificate URL authentication.
>   A pointer to that document would work.
>
> section 2.2
>   I think a UDP "registered port number" is required to be assigned for the UDP
>   mapping and
>   an SCTP "registered port number" is required to be assigned for the SCTP
>   mapping respectively.
>
> section 2.3
>  I claimed in my proposal to minimize the operation and security where
>  both syslog/tls and syslog/dtls are supported; why do you need to write
>  the commands in your proposal?
>
> section 2.6, section 2.8
>   It is covered in the syslog/tls security policy; a pointer to that document
>   would work.
>
> Thanks
> Linda
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog