IETF Logo Mail Archive

Re: [Syslog] Some revised text for syslog TLS

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Mon, 26 May 2008 07:18 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BC443A6A37; Mon, 26 May 2008 00:18:56 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED81F3A6B1B for <syslog@core3.amsl.com>; Mon, 26 May 2008 00:18:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level:
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBkNCTChTf4Z for <syslog@core3.amsl.com>; Mon, 26 May 2008 00:18:55 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id BE52B3A67E9 for <syslog@ietf.org>; Mon, 26 May 2008 00:18:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id CFB3F7AE2BC; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R5W3E6T3rVED; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 933907AE284; Mon, 26 May 2008 09:18:49 +0200 (CEST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Mon, 26 May 2008 09:18:53 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUA
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Joe,

I like this new text.

I am snipping everything below except the one thing that drives a
question:

> 	o IP-address-based authorization where the IP address configured
> for the authorized peer is compared against the subject fields in the
> certificate.  Implementations MUST support matching the IP address
> against a SubjectAltName field of type iPAddress and MAY support
> checking the configured IP address against the Common Name portion of
> the Subject Distinguished Name.  Matching for certificate credentials
> is
> performed using the matching rules specified by [3].  If more than one
> IP Address identity is present in the certificate a match in any one
of
> the set is considered acceptable.

I know that you asked about the usefulness of IP based authentication
before. I am now at a point where I have actually finished my
implementation and I am "polishing" it. On my agenda is now a as good as
possible *automatic* authentication.

For the client to authorize the server, it is quite easy. There usually
is something like

*.* @@192.0.2.1

In this case, I can take the destination ("192.0.2.1") and verify it
against the server's certificate. Provided we use a common root CA, this
setup is fully automatic. So supporting IPs is quite useful in this
scenario. Please note that operators tend to use IP addresses over
hostnames because of reliability reasons and early startup capability of
the syslogd (before DNS resolutions is available). So this is of
practical relevance.

In case of the server authenticating the client, there is no such
obvious choice. I could use the remote client's IP address (provided by
the transport stack) and verify that it matches the IP address inside
the certificate. However, is this really useful? IMO, this is more or
less a check if the remote cert is signed by a common CA. Something that
may be useful, but does not depend on the client's IP be known.

Do you or somebody else on this list (Tom?) have a clue why it may be
useful to carry out such a check?

Back on the topic of easy but still secure configuration, I could
envision taken the reverse DNS name of the transport sender and checking
that against the identity presented in the certificate. Anyone any
thoughts/comments on this?

Again, all of this assumes a common root CA and certificates signed by
it (not necessarily full PKI, but an "in-house CA").

Thanks,
Rainer
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email