RE: [Syslog] ciphersuites was draft-ietf-syslog-transport-tls-01.txt
Miao Fuyou <miaofy@huawei.com> Tue, 20 June 2006 01:47 UTC
Date: Tue, 20 Jun 2006 09:46:44 +0800
From: Miao Fuyou <miaofy@huawei.com>
Subject: RE: [Syslog] ciphersuites was draft-ietf-syslog-transport-tls-01.txt
In-reply-to: <034301c69382$9e6839a0$0601a8c0@pc6>
To: 'Tom Petch' <nwnetworks@dial.pipex.com>
Message-id: <027b01c6940b$62d22c50$e8726e0a@china.huawei.com>
Cc: syslog@ietf.org
Section 9 of RFC4346 says: "In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA."

It is OK to mandate a ciphersuite for an application profile (Syslog/TLS). But note that the ciphersuite you suggested is the same one mandated in RFC4346. Maybe it is not necessary to mandate it twice. RFC2818 (HTTPS) does not specify a ciphersuite.

I believe TLS_RSA_WITH_3DES_EDE_CBC_SHA is one of the commonest ciphersuites and satisfies the IESG; RFC4346 is relatively new and comes after the Bellovin-Rescorla analysis.

A server certificate is a MUST for non-anonymous key exchange in section 7.4.2 of RFC4346, in which the relationship between certificate and ciphersuite is defined. This may be the same case as whether a ciphersuite should be specified in the application profile.

> -----Original Message-----
> From: Tom Petch [mailto:nwnetworks@dial.pipex.com]
> Sent: Monday, June 19, 2006 5:27 PM
> To: syslog@ietf.org
> Subject: Re: [Syslog] ciphersuites was draft-ietf-syslog-transport-tls-01.txt
>
> Reading this I-D (-02 actually), I seem to recognise wording from the TLS RFC but, I think, not enough to make clear what TLS does and does not offer. The I-D talks of strong mutual authentication, compression and encryption but fails to mention ciphersuites. Compression is negotiated per se but key exchange (eg RSA), authentication (eg SHA) and encryption (eg 3DES-EDE) come as a package, a predefined list of ciphersuites, and if the combination you want is not predefined, tough (go write your own RFC). Equally, NULL, NULL, NULL is a valid TLS ciphersuite, but rather weak on security.
>
> This may be all very familiar but I think it needs spelling out because one ciphersuite must be REQUIRED to ensure interoperability. As the I-D stands, this will be TLS_RSA_WITH_3DES_EDE_CBC_SHA which, as the name suggests, calls for a certificate with RSA public key valid for encryption, 3DES_EDE and SHA.
>
> Earlier, I queried the support for TLS and was pointed at the 220,000 hits on Google; my follow up question is, what is the commonest ciphersuite in use, amongst those secure enough to satisfy the IESG? (DES40_CBC will not do:-)
>
> Is this default what we want? SHA is fine for me. Certificates are not present in all ciphersuites; the I-D takes them for granted but fails to specify which. Is encryption always wanted? As I have said before, it is an irrelevance for the environments I am familiar with (although I accept it is a requirement for others) but do we insist it is always present?
>
> Tom Petch
>
> ----- Original Message -----
> From: "David B Harrington" <dbharrington@comcast.net>
> To: <syslog@ietf.org>
> Sent: Tuesday, May 09, 2006 4:26 PM
> Subject: [Syslog] draft-ietf-syslog-transport-tls-01.txt
>
> Hi,
>
> A new revision of the syslog/TLS draft is available.
> http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-01.txt
>
> We need reviewers.
> Can we get
> 1) a person to check the grammar?
> 2) a person to check the syslog technical parts?
> 3) a person to check compatibility with the other WG documents?
> 4) a person to check the TLS technical parts?
>
> We also need general reviews of the document by multiple people.
>
> Thanks,
> David Harrington
> co-chair, Syslog WG
> ietfdbh@comcast.net

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
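The thread turns on two points: a TLS ciphersuite bundles key exchange, cipher and MAC into one predefined package (so NULL/NULL/NULL and anonymous DH are legal offers), and RFC4346 section 9 makes TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A) the default mandatory suite. The following Python is an added example, not code from the list discussion or from the syslog/TLS draft: it decodes the cipher_suites vector of a TLS 1.1 ClientHello, splits each suite name into its three components, and applies an illustrative syslog-receiver policy (no anonymous key exchange, no NULL cipher, no export/single-DES grade) to pick the first acceptable suite in client order, as a server would. The suite numbers are from RFC4346 Appendix A.5 and RFC3268; the policy rules, the helper names and the ClientHello itself are constructed for this example.

```python
"""Decode a TLS 1.1 ClientHello cipher_suites list and apply a syslog/TLS-style
suite policy. Suite numbers per RFC 4346 A.5 and RFC 3268 (subset only)."""
import struct

SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # mandatory-to-implement, RFC 4346 s.9
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
MANDATORY = 0x000A


def split_suite(name):
    """TLS_<kx>_WITH_<cipher>_<mac> -> (kx, cipher, mac). The three are one package;
    a client cannot mix, say, RSA key exchange with a MAC not listed in some suite."""
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac


def parse_client_hello(record):
    """Return the cipher suite numbers offered, in the client's preference order.
    Only the fields up to cipher_suites are walked; extensions are ignored."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:                       # ContentType.handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    if body[0] != 1:                      # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hlen]
    if len(ch) != hlen:
        raise ValueError("truncated handshake")
    pos = 2 + 32                          # client_version + random
    sid_len = ch[pos]
    pos += 1 + sid_len                    # session_id<0..32>
    (cs_len,) = struct.unpack("!H", ch[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(ch):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", ch[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def violations(suite):
    """Illustrative (constructed) policy for a syslog receiver: list why a suite is
    unacceptable; an empty list means it may be selected."""
    name = SUITES.get(suite)
    if name is None:
        return ["unknown suite 0x%04X" % suite]
    kx, cipher, mac = split_suite(name)
    problems = []
    if kx == "NULL" or kx.endswith("anon"):
        problems.append("no certificate (anonymous key exchange)")
    if cipher == "NULL":
        problems.append("no encryption")
    if "EXPORT" in kx or cipher in ("DES40_CBC", "DES_CBC", "RC4_40", "RC2_CBC_40"):
        problems.append("export-grade or single-DES cipher")
    if mac == "NULL":
        problems.append("no integrity protection")
    return problems


def choose_suite(record):
    """Server side: the first policy-acceptable suite in client order, or None
    (a real server would then send a handshake_failure alert)."""
    for s in parse_client_hello(record):
        if not violations(s):
            return s
    return None


def build_client_hello(suites):
    """Constructed TLS 1.1 ClientHello (version 3.2, zero random, no session id,
    null compression only, no extensions) offering the given suites."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x02" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x02" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello([0x0000, 0x0002, 0x0008, 0x001B, 0x000A, 0x002F])
    for s in parse_client_hello(hello):
        print("0x%04X %-36s %s" % (s, SUITES[s], "; ".join(violations(s)) or "ok"))
    print("selected: 0x%04X" % choose_suite(hello))
```

Run as a script, the constructed hello offers the all-NULL suite, an RSA suite with NULL encryption, an export DES40 suite and an anonymous-DH suite ahead of 0x000A; the policy skips the first four and selects 0x000A, which is exactly the interoperability floor the thread is arguing about. Whether the receiver should also accept NULL-encryption suites for the environments Tom Petch describes is a policy choice, and the `violations` rules are where that choice would be expressed.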
- [Syslog] draft-ietf-syslog-transport-tls-01.txt David B Harrington
- RE: [Syslog] draft-ietf-syslog-transport-tls-01.t… Rainer Gerhards
- Re: [Syslog] stream transport was draft-ietf-sysl… Tom Petch
- Re: [Syslog] ciphersuites was draft-ietf-syslog-t… Tom Petch
- RE: [Syslog] ciphersuites was draft-ietf-syslog-t… Miao Fuyou
- RE: [Syslog] stream transport wasdraft-ietf-syslo… Miao Fuyou
- Re: [Syslog] stream transport wasdraft-ietf-syslo… Darren J Moffat
- RE: [Syslog] stream transportwasdraft-ietf-syslog… Rainer Gerhards
- Re: [Syslog] delineated datagrams was draft-ietf-… Tom Petch
- [Syslog] stream transport David Harrington
- RE: [Syslog] delineated datagrams wasdraft-ietf-s… Miao Fuyou
- RE: [Syslog] delineated datagramswasdraft-ietf-sy… Rainer Gerhards
- RE: [Syslog] delineated datagrams Miao Fuyou
- RE: [Syslog] delineated datagrams Chris Lonvick
- RE: [Syslog] delineated datagrams Rainer Gerhards
- RE: [Syslog] delineated datagrams David Harrington
- RE: [Syslog] delineated datagrams Balazs Scheidler
- RE: [Syslog] delineated datagrams John Calcote
- RE: [Syslog] delineated datagrams Balazs Scheidler
- RE: [Syslog] delineated datagrams John Calcote
- RE: [Syslog] delineated datagrams Rainer Gerhards
- RE: [Syslog] delineated datagrams Balazs Scheidler
- RE: [Syslog] delineated datagrams Rainer Gerhards
- Re: [Syslog] delineated datagrams Chris Lonvick
- RE: [Syslog] delineated datagrams Rainer Gerhards
- RE: [Syslog] delineated datagrams David Harrington