IETF Logo Mail Archive

Re: [Syslog] Some revised text for syslog TLS

"Anton Okmyanskiy (aokmians)" <aokmians@cisco.com> Mon, 26 May 2008 23:23 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7F453A6BF4; Mon, 26 May 2008 16:23:14 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 985793A6BF4 for <syslog@core3.amsl.com>; Mon, 26 May 2008 16:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3I5TG2+Te7tl for <syslog@core3.amsl.com>; Mon, 26 May 2008 16:23:12 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 48A083A6B8F for <syslog@ietf.org>; Mon, 26 May 2008 16:23:10 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,545,1204531200"; d="scan'208";a="104204313"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 26 May 2008 16:23:14 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m4QNNE66007457; Mon, 26 May 2008 16:23:14 -0700
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m4QNNDKk027951; Mon, 26 May 2008 23:23:14 GMT
Received: from xmb-rtp-20d.amer.cisco.com ([64.102.31.51]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 26 May 2008 19:23:13 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 26 May 2008 19:23:35 -0400
Message-ID: <98AE08B66FAD1742BED6CB9522B7312204FB5D64@xmb-rtp-20d.amer.cisco.com>
In-Reply-To: <124CF5A7D55D6F43A4FD9437F28254D8EED6CB@ALPMLVEM05.e2k.ad.ge.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] Some revised text for syslog TLS
Thread-Index: Aci9BIbqo/w6J1eNRCCueVc7JY86VgB+nRUAAB+j5bAAAgUOIA==
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com><577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com> <124CF5A7D55D6F43A4FD9437F28254D8EED6CB@ALPMLVEM05.e2k.ad.ge.com>
From: "Anton Okmyanskiy (aokmians)" <aokmians@cisco.com>
To: "Moehrke, John (GE Healthcare)" <John.Moehrke@med.ge.com>, Rainer Gerhards <rgerhards@hq.adiscon.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
X-OriginalArrivalTime: 26 May 2008 23:23:13.0580 (UTC) FILETIME=[780F06C0:01C8BF87]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5784; t=1211844194; x=1212708194; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=aokmians@cisco.com; z=From:=20=22Anton=20Okmyanskiy=20(aokmians)=22=20<aokmians@ cisco.com> |Subject:=20RE=3A=20[Syslog]=20Some=20revised=20text=20for= 20syslog=20TLS |Sender:=20; bh=qJQbv60o6/A/BM8osAhy78g/Kcjv/7YsoeT2hVHSMzw=; b=BbEAi+P2rIIz5oN8p9hcWBGZybu+WyCd5gOj6RnNjwuE8kycC0hJiF5aND 4zomstU5NnxCvS0vdENVGuJik/e9/Jcg4znF5uR6WS+Y0nqBffjJ+5N89pK5 nTTy3wCxBx;
Authentication-Results: sj-dkim-2; header.From=aokmians@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

The bottom line is that when you use a certificate to authenticate the
client, the trusted identity of the client that gets recorded in the
messages must be derived from certificate, not from other source like IP
address or whatever device or DNS says device might be. 

This can be handled by specifying appropriate tags (structured data ID)
for certificate fields and recommending that those are added to the
message (or updated) by the receiver if certificate-based authenticate
is used. 

This would prevent the case of some client using legitimate (but stolen)
certificate, and then indicating identity of another device in the
message itself. If such behavior were allowed, then when certificate is
stolen (but not yet put on certificate revocation list), this would
extend the security threat to a wider scope of issues because we are
allowing one device to masquerade as any other device.  

Note, that we need structured data field IDs not only for certificate
Common Name (CN), but also for fields such as fingerprint.  When one
certificate is revoked and a new one issues, I believe the new one can
have the same common name.  In that case, if the receiver wants to
identify which exact certificate the client used, you need to see the
fingerprint or other similar certificate fields. We had a use-case with
customer where such information was needed with TLS (albeit not in
syslog context). 

Regards,
Anton.



> -----Original Message-----
> From: syslog-bounces@ietf.org 
> [mailto:syslog-bounces@ietf.org] On Behalf Of Moehrke, John 
> (GE Healthcare)
> Sent: Monday, May 26, 2008 3:16 PM
> To: Rainer Gerhards; Joseph Salowey (jsalowey); syslog@ietf.org
> Subject: Re: [Syslog] Some revised text for syslog TLS
> 
> I have said this before, but people continue to go down this path... 
> 
> The TLS authentication has already proven that the 'other' 
> side holds the private key... this is cryptographically 
> secure authentication... 
> 
> Adding a check of the IP address or DNS address adds very 
> very little value, and is not cryptographically secure 
> (unless using Secure DNS). 
> 
> Therefore there is little value to adding IP or hostname 
> checking, and lots of ways it will break (NAT, DHCP, etc).
> 
> John
> 
> > -----Original Message-----
> > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> Behalf
> > Of Rainer Gerhards
> > Sent: Monday, May 26, 2008 2:19 AM
> > To: Joseph Salowey (jsalowey); syslog@ietf.org
> > Subject: Re: [Syslog] Some revised text for syslog TLS
> > 
> > Joe,
> > 
> > I like this new text.
> > 
> > I am snipping everything below except the one thing that drives a
> > question:
> > 
> > > 	o IP-address-based authorization where the IP address 
> configured 
> > > for the authorized peer is compared against the subject fields in
> the
> > > certificate.  Implementations MUST support matching the 
> IP address 
> > > against a SubjectAltName field of type iPAddress and MAY support 
> > > checking the configured IP address against the Common Name portion
> of
> > > the Subject Distinguished Name.  Matching for certificate
> credentials
> > > is
> > > performed using the matching rules specified by [3].  If more than
> one
> > > IP Address identity is present in the certificate a match 
> in any one
> > of
> > > the set is considered acceptable.
> > 
> > I know that you asked about the usefulness of IP based 
> authentication 
> > before. I am now at a point where I have actually finished my 
> > implementation and I am "polishing" it. On my agenda is now 
> a as good
> as
> > possible *automatic* authentication.
> > 
> > For the client to authorize the server, it is quite easy. There
> usually
> > is something like
> > 
> > *.* @@192.0.2.1
> > 
> > In this case, I can take the destination ("192.0.2.1") and 
> verify it 
> > against the server's certificate. Provided we use a common root CA,
> this
> > setup is fully automatic. So supporting IPs is quite useful in this 
> > scenario. Please note that operators tend to use IP addresses over 
> > hostnames because of reliability reasons and early startup 
> capability
> of
> > the syslogd (before DNS resolutions is available). So this is of 
> > practical relevance.
> > 
> > In case of the server authenticating the client, there is no such 
> > obvious choice. I could use the remote client's IP address (provided
> by
> > the transport stack) and verify that it matches the IP 
> address inside 
> > the certificate. However, is this really useful? IMO, this 
> is more or 
> > less a check if the remote cert is signed by a common CA. Something
> that
> > may be useful, but does not depend on the client's IP be known.
> > 
> > Do you or somebody else on this list (Tom?) have a clue why 
> it may be 
> > useful to carry out such a check?
> > 
> > Back on the topic of easy but still secure configuration, I could 
> > envision taken the reverse DNS name of the transport sender and
> checking
> > that against the identity presented in the certificate. Anyone any 
> > thoughts/comments on this?
> > 
> > Again, all of this assumes a common root CA and 
> certificates signed by 
> > it (not necessarily full PKI, but an "in-house CA").
> > 
> > Thanks,
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > Syslog@ietf.org
> > https://www.ietf.org/mailman/listinfo/syslog
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
> 
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email