Re: [Syslog] ciphersuites was draft-ietf-syslog-transport-tls-01.txt
"Tom Petch" <nwnetworks@dial.pipex.com> Mon, 19 June 2006 10:31 UTC
From: Tom Petch <nwnetworks@dial.pipex.com>
To: syslog@ietf.org
References: <019001c67374$8d1a27e0$0400a8c0@china.huawei.com>
Subject: Re: [Syslog] ciphersuites was draft-ietf-syslog-transport-tls-01.txt
Date: Mon, 19 Jun 2006 11:27:01 +0200
Reading this I-D (-02 actually), I seem to recognise wording from the TLS RFC but, I think, not enough to make clear what TLS does and does not offer. The I-D talks of strong mutual authentication, compression and encryption but fails to mention ciphersuites. Compression is negotiated per se, but key exchange (e.g. RSA), authentication (e.g. SHA) and encryption (e.g. 3DES-EDE) come as a package, a predefined list of ciphersuites, and if the combination you want is not predefined, tough (go write your own RFC). Equally, NULL, NULL, NULL is a valid TLS ciphersuite, but rather weak on security.

This may be all very familiar, but I think it needs spelling out because one ciphersuite must be REQUIRED to ensure interoperability. As the I-D stands, this will be TLS_RSA_WITH_3DES_EDE_CBC_SHA which, as the name suggests, calls for a certificate with RSA public key valid for encryption, 3DES_EDE and SHA.

Earlier, I queried the support for TLS and was pointed at the 220,000 hits on Google; my follow-up question is, what is the commonest ciphersuite in use, amongst those secure enough to satisfy the IESG? (DES40_CBC will not do :-) Is this default what we want? SHA is fine for me.

Certificates are not present in all ciphersuites; the I-D takes them for granted but fails to specify which.

Is encryption always wanted? As I have said before, it is an irrelevance for the environments I am familiar with (although I accept it is a requirement for others), but do we insist it is always present?

Tom Petch

----- Original Message -----
From: "David B Harrington" <dbharrington@comcast.net>
To: <syslog@ietf.org>
Sent: Tuesday, May 09, 2006 4:26 PM
Subject: [Syslog] draft-ietf-syslog-transport-tls-01.txt

Hi,

A new revision of the syslog/TLS draft is available.
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-01.txt

We need reviewers. Can we get
1) a person to check the grammar?
2) a person to check the syslog technical parts?
3) a person to check compatibility with the other WG documents?
4) a person to check the TLS technical parts?

We also need general reviews of the document by multiple people.

Thanks,
David Harrington
co-chair, Syslog WG
ietfdbh@comcast.net

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
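The point above that a TLS ciphersuite bundles key exchange, encryption and MAC, that TLS_NULL_WITH_NULL_NULL and DES40 suites are valid but weak, and that one suite must be REQUIRED for interoperability, can be turned into a configuration check. The following is an added example, not code from the thread or the draft; the suite names are standard RFC 2246-era names, and the sample list and the `require_encryption` switch are constructed assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# The suite the -02 draft makes mandatory-to-implement, per the message above.
MANDATORY_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # e.g. RSA, DHE_RSA, DH_anon, RSA_EXPORT
    cipher: str         # e.g. 3DES_EDE_CBC, DES40_CBC, NULL
    mac: str            # SHA, MD5 or NULL

# TLS 1.0/1.1 naming: TLS_<kex>_WITH_<cipher>_<mac>; kex is non-greedy so
# "_WITH_" is the first split point, cipher backtracks to leave the MAC suffix.
SUITE_RE = re.compile(r"^TLS_(?P<kex>[A-Za-z0-9_]+?)_WITH_(?P<cipher>[A-Za-z0-9_]+)_(?P<mac>SHA|MD5|NULL)$")

def parse_suite(name: str) -> Suite:
    """Split a ciphersuite name into its negotiated-as-a-package components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS ciphersuite name: {name}")
    return Suite(name, m.group("kex"), m.group("cipher"), m.group("mac"))

def weaknesses(suite: Suite, require_encryption: bool = True) -> list[str]:
    """Return the reasons a suite should not be offered; empty list means acceptable."""
    problems = []
    if suite.cipher == "NULL" and require_encryption:
        problems.append("no encryption")
    if suite.mac == "NULL":
        problems.append("no integrity protection")
    if "EXPORT" in suite.key_exchange or suite.cipher.endswith("40_CBC"):
        problems.append("export-grade key length")   # e.g. DES40_CBC
    if "anon" in suite.key_exchange:
        problems.append("no certificate, so no server authentication")
    if suite.mac == "MD5":
        problems.append("MD5 MAC")
    return problems

def check_offered_suites(names: list[str], require_encryption: bool = True) -> dict:
    """Evaluate a configured suite list and confirm the mandatory suite survives,
    so that a conforming peer can always find a common suite."""
    accepted, rejected = [], {}
    for n in names:
        w = weaknesses(parse_suite(n), require_encryption)
        if w:
            rejected[n] = w
        else:
            accepted.append(n)
    return {"accepted": accepted, "rejected": rejected,
            "has_mandatory": MANDATORY_SUITE in accepted}
```

Note that 3DES is accepted here only because it is the thread's mandatory suite; a current deployment would add AES suites and treat 3DES as legacy.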