Re: [Syslog] Some revised text for syslog TLS
"Rainer Gerhards" <rgerhards@hq.adiscon.com> Mon, 26 May 2008 07:18 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BC443A6A37; Mon, 26 May 2008 00:18:56 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED81F3A6B1B for <syslog@core3.amsl.com>; Mon, 26 May 2008 00:18:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level:
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBkNCTChTf4Z for <syslog@core3.amsl.com>; Mon, 26 May 2008 00:18:55 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id BE52B3A67E9 for <syslog@ietf.org>; Mon, 26 May 2008 00:18:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id CFB3F7AE2BC; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R5W3E6T3rVED; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 933907AE284; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Mon, 26 May 2008 09:18:53 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUA
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Joe, I like this new text. I am snipping everything below except the one thing that drives a question: > o IP-address-based authorization where the IP address configured > for the authorized peer is compared against the subject fields in the > certificate. Implementations MUST support matching the IP address > against a SubjectAltName field of type iPAddress and MAY support > checking the configured IP address against the Common Name portion of > the Subject Distinguished Name. Matching for certificate credentials > is > performed using the matching rules specified by [3]. If more than one > IP Address identity is present in the certificate a match in any one of > the set is considered acceptable. I know that you asked about the usefulness of IP based authentication before. I am now at a point where I have actually finished my implementation and I am "polishing" it. On my agenda is now a as good as possible *automatic* authentication. For the client to authorize the server, it is quite easy. There usually is something like *.* @@192.0.2.1 In this case, I can take the destination ("192.0.2.1") and verify it against the server's certificate. Provided we use a common root CA, this setup is fully automatic. So supporting IPs is quite useful in this scenario. Please note that operators tend to use IP addresses over hostnames because of reliability reasons and early startup capability of the syslogd (before DNS resolutions is available). So this is of practical relevance. In case of the server authenticating the client, there is no such obvious choice. I could use the remote client's IP address (provided by the transport stack) and verify that it matches the IP address inside the certificate. However, is this really useful? IMO, this is more or less a check if the remote cert is signed by a common CA. Something that may be useful, but does not depend on the client's IP be known. Do you or somebody else on this list (Tom?) have a clue why it may be useful to carry out such a check? Back on the topic of easy but still secure configuration, I could envision taken the reverse DNS name of the transport sender and checking that against the identity presented in the certificate. Anyone any thoughts/comments on this? Again, all of this assumes a common root CA and certificates signed by it (not necessarily full PKI, but an "in-house CA"). Thanks, Rainer _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- [Syslog] Some revised text for syslog TLS Joseph Salowey (jsalowey)
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Moehrke, John (GE Healthcare)
- Re: [Syslog] Some revised text for syslog TLS Anton Okmyanskiy (aokmians)
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS Rainer Gerhards
- Re: [Syslog] Some revised text for syslog TLS Pasi.Eronen
- Re: [Syslog] Some revised text for syslog TLS tom.petch
- Re: [Syslog] Some revised text for syslog TLS robert.horn
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte
- Re: [Syslog] Some revised text for syslog TLS Martin Schütte