Re: [Syslog] Use Of RFC 5425 In IEC 62351

Chris Lonvick <lonvick.ietf@gmail.com> Sun, 28 November 2021 21:22 UTC

Message-ID: <64c34d64-5982-0df8-f057-1b3f53166e77@gmail.com>
Date: Sun, 28 Nov 2021 15:22:27 -0600
To: Arijit Bose <arijit.bose@hitachienergy.com>, "sean+ietf@sn3rd.com" <sean+ietf@sn3rd.com>, "sean@sn3rd.com" <sean@sn3rd.com>, "syslog@ietf.org" <syslog@ietf.org>, "ietf-action@ietf.org" <ietf-action@ietf.org>, joe@salowey.net
Cc: "IEC 62351 WG15 (WG15@iectc57.org)" <WG15@iectc57.org>, kaduk@mit.edu, rdd@cert.org
References: <HE1PR0602MB336990C8F08648EC1A72AEB8F9939@HE1PR0602MB3369.eurprd06.prod.outlook.com> <HE1PR0602MB33697D2F6C7816FDDEE36A1BF9959@HE1PR0602MB3369.eurprd06.prod.outlook.com> <HE1PR0602MB336947D8E77358113F10E27AF99A9@HE1PR0602MB3369.eurprd06.prod.outlook.com> <HE1PR0602MB3369993C688CA90046CAAAD2F99F9@HE1PR0602MB3369.eurprd06.prod.outlook.com> <HE1PR0602MB3369A07DFE7D1D2D75B15602F99F9@HE1PR0602MB3369.eurprd06.prod.outlook.com> <HE1PR0602MB336991FF01C76FA1073D5CF0F99F9@HE1PR0602MB3369.eurprd06.prod.outlook.com>
From: Chris Lonvick <lonvick.ietf@gmail.com>
In-Reply-To: <HE1PR0602MB336991FF01C76FA1073D5CF0F99F9@HE1PR0602MB3369.eurprd06.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/syslog/ckNeVyj8pj-yj8NH5iGGkXM_sIE>

Hello Arijit and All,

Speaking as an individual (not representing the IETF or any Working 
Group), the work we did for the syslog protocol was never intended to be 
insecure. I would make two suggestions:

- create a new Internet Draft that will deprecate the insecure cypher 
suite from the RFC; and

- specify the implementation and deployment of the cypher suites in your 
IEC documents as you suggest below and cite the Internet Draft as 
updating the RFC.

I'm cc'ing the current IETF Security ADs and adding Joe's contact email.

Best regards,

Chris

On 11/22/21 10:30 AM, Arijit Bose wrote:
>
> Dear all,
>
> I am also looping the email address ietf-action@ietf.org for this same 
> query.
>
>
>
> With best regards
>
> Arijit
>
>
> *From:*Arijit Bose
> *Sent:* Monday, November 22, 2021 2:40 PM
> *To:* jsalowey@cisco.com; clonvick@cisco.com; lonvick.ietf@gmail.com; 
> ietfdbh@comcast.net; turners@ieca.com; sean+ietf@sn3rd.com; 
> sean@sn3rd.com; syslog@ietf.org
> *Cc:* IEC 62351 WG15 (WG15@iectc57.org) <WG15@iectc57.org>
> *Subject:* RE: Use Of RFC 5425 In IEC 62351
> *Importance:* High
>
> Dear all,
>
> My name is Arijit Kumar Bose and I am a member of IEC 62351 TC 57 WG15: 
> IEC 62351 - Wikipedia <https://en.wikipedia.org/wiki/IEC_62351>. 
>
>
> For the development of an IEC cybersecurity standard for electrical 
> power systems, we (WG15) are trying to reference RFC 5425 and adopt its 
> specifications. However, RFC 5425 specifies 
> *TLS_RSA_WITH_AES_128_CBC_SHA*, which is currently an insecure and 
> deprecated cipher suite (Ciphersuite Info 
> <https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/>). 
> Therefore, we are trying to adopt stronger cipher suites in accordance 
> with IEC 62351-3: IEC 62351-3:2014+AMD1:2018+AMD2:2020 CSV | IEC 
> Webstore <https://webstore.iec.ch/publication/66624>. 
> IEC 62351-3 specifies a set of stronger state-of-the-art cipher suites 
> and thus defines a profile on how to apply TLS, addressing 
> authentication, cipher suite requirements, renegotiation, etc. 
> Therefore, we would like to use the state-of-the-art cipher suites 
> specified in IEC 62351-3 and also mandatorily refer to RFC 5425, including 
> the usage of its port number 6514 for transporting secure syslog 
> traffic. Our understanding is that this does not violate RFC 5425, 
> as section 4.2 of RFC 5425 allows stronger cipher suites to be used as well.
>
> Would it be allowed if we normatively (mandatorily) refer to RFC 
> 5425 to secure SYSLOG traffic, including the use of the TCP port number 
> 6514, but adopt the stronger cipher suites that are specified in IEC 
> 62351-3 instead of the weak cipher suite indicated above? By 
> adopting this, will it make our IEC standard non-compliant with RFC 5425?
>
> WG15 and I are looking forward to your answer on this topic. 
> We would appreciate any input on the same.
>
> Thanks in advance!
>
> With best regards
> Arijit
>
> *Arijit Kumar Bose*
> Global Cyber Security Architect - Power Grids High Voltage | Software 
> Development Independent Expert
>
> ul. Pawia 7
> malopolskie
> 31-154 Krakow, Poland
> Mobile: +48 666 881 680
> E-mail: arijit.bose@hitachienergy.com 
> <mailto:arijit.bose@hitachienergy.com>
> www.hitachienergy.com <https://www.hitachienergy.com/>
>
>
> *From:*Arijit Bose
> *Sent:* Monday, November 22, 2021 11:49 AM
> *To:* jsalowey@cisco.com
> *Cc:* IEC 62351 WG15 (WG15@iectc57.org) <WG15@iectc57.org>
> *Subject:* RE: Use Of RFC 5425 In IEC 62351
>
> Dear Joseph,
>
> A second friendly reminder for this below aspect. We (WG15) are looking 
> forward to your reply on this.
>
> With best regards
>
> Arijit
>
>
> *From:*Arijit Bose
> *Sent:* Wednesday, November 17, 2021 12:49 PM
> *To:* 'jsalowey@cisco.com' <jsalowey@cisco.com>
> *Cc:* IEC 62351 WG15 (WG15@iectc57.org) <WG15@iectc57.org>
> *Subject:* RE: Use Of RFC 5425 In IEC 62351
>
> Dear Joseph,
>
> A friendly reminder for your input/suggestion on this topic as 
> expressed below.
>
> With best regards
>
> Arijit
>
>
> *From:*Arijit Bose
> *Sent:* Friday, November 12, 2021 11:17 AM
> *To:* jsalowey@cisco.com
> *Cc:* IEC 62351 WG15 (WG15@iectc57.org) <WG15@iectc57.org>
> *Subject:* RE: Use Of RFC 5425 In IEC 62351
>
> Dear Joseph,
>
> Since I got an automatically generated reply stating an undelivered 
> message to miaofy@huawei.com and myz@huawei.com, indicating that most 
> probably their email addresses are no longer valid and thus could not be 
> found, it would be very helpful if you could please help us (WG15) with 
> your valuable input / suggestion on the topic below.
>
> We are looking forward to your reply on this!
>
> With best regards
>
> Arijit
>
>
> *From:*Arijit Bose
> *Sent:* Wednesday, November 10, 2021 10:48 AM
> *To:* miaofy@huawei.com; myz@huawei.com; jsalowey@cisco.com
> *Subject:* Use Of RFC 5425 In IEC 62351
>
> Dear all,
>
> My name is Arijit Kumar Bose and I am a member of IEC 62351 TC 57 WG15: 
> IEC 62351 - Wikipedia <https://en.wikipedia.org/wiki/IEC_62351>. 
>
>
> For the development of an IEC cybersecurity standard for electrical 
> power systems, we (WG15) are trying to reference RFC 5425 and adopt its 
> specifications. However, RFC 5425 specifies 
> *TLS_RSA_WITH_AES_128_CBC_SHA*, which is currently an insecure and 
> deprecated cipher suite (Ciphersuite Info 
> <https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/>). 
> Therefore, we are trying to adopt stronger cipher suites in accordance 
> with IEC 62351-3: IEC 62351-3:2014+AMD1:2018+AMD2:2020 CSV | IEC 
> Webstore <https://webstore.iec.ch/publication/66624>. 
> IEC 62351-3 specifies a set of stronger state-of-the-art cipher suites 
> and thus defines a profile on how to apply TLS, addressing 
> authentication, cipher suite requirements, renegotiation, etc. 
> Therefore, we would like to use the state-of-the-art cipher suites 
> specified in IEC 62351-3 and also mandatorily refer to RFC 5425, including 
> the usage of its port number 6514 for transporting secure syslog 
> traffic. Our understanding is that this does not violate RFC 5425, 
> as section 4.2 of RFC 5425 allows stronger cipher suites to be used as well.
>
> Would it be allowed if we normatively (mandatorily) refer to RFC 
> 5425 to secure SYSLOG traffic, including the use of the TCP port number 
> 6514, but adopt the stronger cipher suites that are specified in IEC 
> 62351-3 instead of the weak cipher suite indicated above? By 
> adopting this, will it make our IEC standard non-compliant with RFC 5425?
>
> WG15 and I are looking forward to your answer on this topic. 
> We would appreciate any input on the same.
>
> Thanks in advance!
>
> With best regards
> Arijit
>
> *Arijit Kumar Bose*
> Global Cyber Security Architect - Power Grids High Voltage | Software 
> Development Independent Expert
>
> ul. Pawia 7
> malopolskie
> 31-154 Krakow, Poland
> Mobile: +48 666 881 680
> E-mail: arijit.bose@hitachienergy.com 
> <mailto:arijit.bose@hitachienergy.com>
> www.hitachienergy.com <https://www.hitachienergy.com/>
>
>
>
> Hitachi Energy Services Sp. z o. o. with registered seat at 1 Żeganska 
> Street, 04-713 Warsaw, Poland, registered in the Register of 
> Entrepreneurs of the Polish Court Register maintained by the District 
> Court for the Capital City of Warsaw, XIV Economic Department, under 
> KRS No. 0000787719, REGON No. (statistical number): 383431370, NIP No. 
> (taxpayer identification number) PL9522196923, BDO No. (WEEE 
> registration number) 000147611, share capital: 14 403 850,00 PLN.
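As an added example (mine, not code from the thread, from RFC 5425 or from IEC 62351-3), a small audit of the cipher suites a syslog-over-TLS receiver on port 6514 offers: it parses IANA suite names, reports why TLS_RSA_WITH_AES_128_CBC_SHA, the suite RFC 5425 section 4.2 names, falls short, and tells whether a configuration that drops it still offers acceptable suites. The "acceptable" criteria (forward secrecy, AEAD record protection, no SHA-1/MD5 HMAC) are my assumption for this example, not the IEC 62351-3 profile.

```python
from dataclasses import dataclass

RFC5425_MANDATORY = "TLS_RSA_WITH_AES_128_CBC_SHA"  # the suite RFC 5425 section 4.2 names

@dataclass(frozen=True)
class Suite:
    kx: str      # key exchange/authentication, e.g. "ECDHE_RSA"; "TLS13" when absent from the name
    cipher: str  # bulk cipher and mode, e.g. "AES_128_CBC"
    mac: str     # HMAC hash for non-AEAD suites (PRF/HKDF hash otherwise), "" if not in the name
    aead: bool

def parse_suite(name: str) -> Suite:
    """Split an IANA cipher suite name into its parts; TLS 1.3 names carry no '_WITH_'."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    if "_WITH_" in name:
        kx, rest = name[4:].split("_WITH_", 1)
    else:
        kx, rest = "TLS13", name[4:]
    parts = rest.split("_")
    # Some AEAD suites (e.g. TLS_RSA_WITH_AES_128_CCM) end without a hash name.
    mac = parts.pop() if parts[-1].startswith(("SHA", "MD5")) else ""
    aead = any(tag in parts for tag in ("GCM", "CCM", "POLY1305"))
    return Suite(kx, "_".join(parts), mac, aead)

def findings(suite: Suite) -> list[str]:
    """Reasons a suite falls short (empty list = acceptable). Criteria are an assumption
    for this example, not the IEC 62351-3 profile."""
    issues = []
    if suite.kx != "TLS13" and not suite.kx.startswith(("DHE", "ECDHE")):
        issues.append("no forward secrecy (static key exchange)")
    if any(weak in suite.cipher for weak in ("NULL", "RC4", "DES", "EXPORT")):
        issues.append("broken or legacy bulk cipher")
    if not suite.aead:
        issues.append("non-AEAD record protection (MAC-then-encrypt)")
    if suite.mac in ("SHA", "MD5"):
        issues.append("legacy HMAC hash (SHA-1/MD5)")
    return issues

def audit(offered: list[str]) -> dict:
    """For a receiver's offered list: is the RFC 5425 suite still there, is anything weak accepted?"""
    report = {name: findings(parse_suite(name)) for name in offered}
    weak = [name for name, issues in report.items() if issues]
    return {"per_suite": report,
            "rfc5425_mandatory_offered": RFC5425_MANDATORY in offered,
            "weak_offered": weak,
            "strong_offered": [name for name in offered if name not in weak],
            "acceptable": bool(offered) and not weak}
```

Run `audit([...])` on the suite list exported from the receiver's TLS configuration; a result with `weak_offered` non-empty means the RFC 5425 baseline suite (or something weaker) is still negotiable on 6514.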