Re: [Syslog] I-D Action:draft-ietf-syslog-transport-tls-12.txt

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Mon, 12 May 2008 22:17 UTC

Date: Mon, 12 May 2008 15:17:44 -0700
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, robert.horn@agfa.com, syslog@ietf.org

 
Hi Rainer,

Comments below:

<snip>
> > > http://wiki.rsyslog.com/index.php/TLS_for_syslog_use_cases
> > > 
> > > After close consideration, I think the draft currently fails on
> > > addressing the two use cases defined above properly. Partly it fails
> > > because it is not possible under the current IESG requirement to be
> > > safe by default. We cannot be fully safe by default without
> > > configuration, so whatever we specify will fail for the home user.
> > >
> > > A compromise may be to provide "good enough" security in the default
> > > policy. I see two ways of doing that: one is to NOT address the
> > > Masquerade and Modification threats in the default policy, just the
> > > Disclosure threat. That leads us to unauthenticated syslog being the
> > > default (contrary to what is currently implemented) [Disclosure is
> > > addressed in this scenario as long as the client configs are not
> > > compromised, which I find sufficiently enough - someone who can
> > > compromise the client config can find other ways to get hold of the
> > > syslog message content].
> > >
> > [Joe] If you don't address the relevant threats I'm not sure you can
> > call security "good enough".
>
> I can do this because, from a practical perspective, what most people
> are concerned with is confidentiality. Let me ask a question: how can
> we say HTTPS is secure? After all, the HTTPS client is almost never
> authenticated against the server. From my practical perspective,
> HTTPS-like security, easily enabled by default even for the unskilled
> user is much better than "full" security that only exists in theory -
> because people turn it off. Security is only as good as the humans
> using it...
> 
[Joe] We are not talking about HTTPS, we are talking about syslog.  What
applies to one may not necessarily apply to the other (HTTP provides
other ways to authenticate the client, etc.).  In addition, HTTPS
authenticates the server in most cases.  In any case, I don't think you
can claim confidentiality if you do not take care of masquerade or
man-in-the-middle, as either will result in a breach of confidentiality;
you are still vulnerable to active attackers.

I believe that implementations need to support mutual authentication and
authorization with certificates.  The recommended mechanisms for this
probably still need some discussion; however, I think it is important to
provide this capability.  I think what is more to the point in the
current discussion is what is required by default.  I would like to
suggest that server authentication, certificate path validation and
authorization be required by default, because without this I don't
think any security goals are met.  I would also suggest that by default
clients should present and authenticate with a certificate; however, a
server does not necessarily need to perform path validation or
authorization, it can just record the certificate (or fingerprint) that
carries the public key used in the authentication so it can be validated
at a later time.

This requires configuration on the client, but not necessarily on the
server.  
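
Added example (not part of the original message, and not code from the draft or from any syslog implementation): the defaults proposed above expressed with Go's crypto/tls. The function names, the use of a hostname match as the client's authorization check, and SHA-256 as the fingerprint hash are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// ClientDefaults: the sender validates the collector's certificate path
// against roots and checks its name (authorization is modelled here as a
// hostname match, an assumption), and presents its own certificate.
func ClientDefaults(roots *x509.CertPool, collector string, own tls.Certificate) *tls.Config {
	return &tls.Config{
		RootCAs:      roots,     // path validation stays on
		ServerName:   collector, // name the certificate must match
		Certificates: []tls.Certificate{own},
	}
}

// ServerDefaults: the collector demands a client certificate, so the
// handshake proves possession of the private key, but it performs no path
// validation and therefore needs no trust anchors configured.
func ServerDefaults(own tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{own},
		ClientAuth:   tls.RequireAnyClientCert,
	}
}

// RecordPeer returns the hex SHA-256 fingerprint of the leaf certificate
// the peer authenticated with, to be logged and validated at a later time.
func RecordPeer(cs tls.ConnectionState) (string, error) {
	if len(cs.PeerCertificates) == 0 {
		return "", errors.New("peer presented no certificate")
	}
	sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed stand-in for a certificate's DER bytes, not a real cert.
	leaf := &x509.Certificate{Raw: []byte("constructed sample DER bytes")}
	fp, err := RecordPeer(tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}})
	fmt.Println(fp, err)
}
```

On a live connection the collector would call RecordPeer with the ConnectionState() of the accepted *tls.Conn once the handshake has completed.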
