Re: [Syslog] Some revised text for syslog TLS

<Pasi.Eronen@nokia.com> Mon, 26 May 2008 13:06 UTC

From: Pasi.Eronen@nokia.com
To: rgerhards@hq.adiscon.com
Cc: syslog@ietf.org
Date: Mon, 26 May 2008 16:06:08 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72B36AAC@vaebe104.NOE.Nokia.com>
In-Reply-To: <1211806792.27593.11.camel@localhost.localdomain>

Rainer Gerhards wrote:

> Please keep in mind that my message was related to the question if
> there is a use case for using IPs inside a certificate. As I said
> above, there is.

Ok. Do you think this use case is important enough to keep this
feature (checking IPAddress subjectAltName) as part of the "MUST
implement" baseline?

(Joe's latest text already has other forms of name comparison as
optional: "Implementations MAY also support authorization based on
other attributes.  For example, the authorization of a device Serial
Number against the SerialNumber portion of the Subject Distinguished
Name [...]")

> > To support such a situation -- while still avoiding dependency on
> > DNS -- it would be useful if you could configure the IP address
> > (used for opening the connection) and server name (compared
> > against the certificate, but not looked up from DNS) separately.
> > 
> > I don't know what that would look like in your configuration file
> > syntax, but maybe something like
> > 
> > *.* @@192.0.2.1[syslogsrv2.example.com]
> 
> rsyslog of course supports this. The actual syntax is:
> 
> $ActionSendStreamDriverAuthMode x509/name # soon to be default
> $ActionSendStreamDriverPermittedPeer syslogsrv2.example.com
> *.* @@192.0.2.1

Ok, good to know.

Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
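An added example, not code from the thread or from rsyslog, illustrating the x509/name style of check discussed above: the configured permitted peer is compared against the certificate's subjectAltName entries, and the address the connection was opened to plays no part in authorization. The SAN tuples follow the shape ssl.getpeercert()["subjectAltName"] returns, the sample SAN list is constructed, and the wildcard rule is an assumption of this example, not rsyslog's documented behaviour.

```python
import ipaddress

# Constructed sample SAN list, in the shape ssl.getpeercert()["subjectAltName"]
# returns for a certificate carrying both dNSName and iPAddress entries.
CONSTRUCTED_SAN = (
    ("DNS", "syslogsrv2.example.com"),
    ("DNS", "*.logging.example.net"),
    ("IP Address", "192.0.2.1"),
)


def _parse_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_matches(pattern, name):
    """Case-insensitive dNSName comparison. A '*' is accepted only as the
    whole leftmost label of a pattern with at least three labels and matches
    exactly one label (assumed rule for this example, not rsyslog's)."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == n[1:]
    return p == n


def peer_authorized(san, permitted_peer, connect_addr):
    """Authorize the peer by comparing the configured permitted peer with
    the certificate's SAN entries. connect_addr (the address the connection
    was opened to, e.g. 192.0.2.1 in the '@@192.0.2.1' action) is accepted
    only to make the point that it is never consulted here."""
    want_ip = _parse_ip(permitted_peer)
    if want_ip is not None:
        # Permitted peer given as an IP literal: compare with iPAddress SANs only.
        return any(kind == "IP Address" and _parse_ip(val) == want_ip
                   for kind, val in san)
    # Otherwise compare with dNSName SANs only; no DNS lookup is involved.
    return any(kind == "DNS" and _dns_matches(val, permitted_peer)
               for kind, val in san)


def authorized_by_connect_ip(san, connect_addr):
    """The contrasting check the thread asks about: authorizing purely on the
    connection's IP address against iPAddress SAN entries."""
    return peer_authorized(san, connect_addr, connect_addr)
```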