[Syslog] Issue 9, 9a, and 9b - from a Tim Polk COMMENT
Chris Lonvick <clonvick@cisco.com> Mon, 07 June 2010 17:25 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 52F463A68BF for <syslog@core3.amsl.com>; Mon, 7 Jun 2010 10:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.64
X-Spam-Level:
X-Spam-Status: No, score=-8.64 tagged_above=-999 required=5 tests=[AWL=-0.641, BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lowhjcq6bRte for <syslog@core3.amsl.com>; Mon, 7 Jun 2010 10:25:13 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 1C6C528C8B9 for <syslog@ietf.org>; Mon, 7 Jun 2010 09:10:29 -0700 (PDT)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhcFAP6qDEyrRN+J/2dsb2JhbACSLQGMGXGkYZoCgnqCHQSDSg
X-IronPort-AV: E=Sophos;i="4.53,378,1272844800"; d="scan'208";a="208313337"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-5.cisco.com with ESMTP; 07 Jun 2010 15:20:09 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o57FK9KT027017 for <syslog@ietf.org>; Mon, 7 Jun 2010 15:20:09 GMT
Date: Mon, 07 Jun 2010 08:20:09 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.1006070801470.27400@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: [Syslog] Issue 9, 9a, and 9b - from a Tim Polk COMMENT
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 17:25:14 -0000
Issue 9 - Tim Polk COMMENT Comment: Given that disclosure is one of the primary threats described in Section 4, shouldn't the security considerations prohibit the use of cipher suites with NULL encryption? Prpposed resolution by Sean: vvv A.5 of RFC 5246, which is where the cipher suites for both TLS and DTLS end up pointing and is included in this I-Ds security considerations, includes the following: TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a TLS connection during the first handshake on that channel, but MUST NOT be negotiated, as it provides no more protection than an unsecured connection. I could see how this might be worth repeating, but waned to make you aware it was in RFC 5246. ^^^ Tim responded: vvv Thanks for pointing out that text; that is helpful but not sufficient, though. I am actually worried about cipher suites that have authenticatio= n & integrity but NULL encryption as well. There are a bunch of those: CipherSuite TLS_RSA_WITH_NULL_MD5 =3D { 0x00,0x01 }; CipherSuite TLS_RSA_WITH_NULL_SHA =3D { 0x00,0x02 }; CipherSuite TLS_RSA_WITH_NULL_SHA256 =3D { 0x00,0x3B }; 0x00,0x2C TLS_PSK_WITH_NULL_SHA [RFC4785] 0x00,0x2D TLS_DHE_PSK_WITH_NULL_SHA [RFC4785] 0x00,0x2E TLS_RSA_PSK_WITH_NULL_SHA 0xC0,0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA [RFC4492] ...among others. (Pardon the formatting, pulled some from 5246 and others from the iana registry...) ^^^ Sean responsed: vvv Ah! I see your point now. How about we tweak the last paragraph in section 5.3 (obviously I'd like author input on this): OLD: Implementations MUST support DTLS 1.1 [RFC4347] and MUST support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. NEW: Implementations MUST support DTLS 1.1 [RFC4347] and MUST at a minimum support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. If additional cipher suites are supported, then implementations MUST NOT negotiate a cipher suite that employs NULL encryption, integrity, or authentication algorithms. ^^^ Sean's proposed resolution: vvv #3) Tim's point about restricting NULL cipher suites. At the end of section 5.3: OLD: Implementations MUST support DTLS 1.1 [RFC4347] and MUST support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. NEW: Implementations MUST support DTLS 1.1 [RFC4347] and MUST at a minimum support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. If additional cipher suites are supported, then implementations MUST NOT negotiate a cipher suite that employs NULL encryption, integrity, or authentication algorithms. ^^^ Tom Petch responded: vvv I disagree. The threat of disclosure comes from RFC5425 s2 "Some data in syslog messages is sensitive and may be useful to an attacker, such as the password of an authorized administrator or user." but the fact that someone, somewhere may put a password in a syslog message I do not see as grounds for requiring everyone else in the world to encrypt everything. Encryption is a pain, it costs, and we should not require it unless it can be justified; these are remote, low-powered network boxes we are talking about, not enterprise servers. So while I agree we should require authentication, I see no justification for encryption. ^^^ Action: I'd like to get some additional discussion going on this. ============================================== issue 9A - Sean also suggested this: vvv #3) Tim's point about restricting NULL cipher suites. At the end of section 5.3: OLD: Implementations MUST support DTLS 1.1 [RFC4347] and MUST support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. NEW: Implementations MUST support DTLS 1.1 [RFC4347] and MUST at a minimum support the mandatory to implement cipher suite, which is TLS_RSA_WITH_AES_128_CBC_SHA. If additional cipher suites are supported, then implementations MUST NOT negotiate a cipher suite that employs NULL encryption, integrity, or authentication algorithms. ^^^ ACTION: Waiting on discussion for Issue 9. =============================================== Issue 9B - Sean also suggests: #6) Section 9. Tim pointed out that because this I-D relies on self-signed certificates it needs to say something about certificates (I looked in DTLS/TLS and they don't point to 5280), keeping the private key private, generating good random #s, and taking care when installing trust anchors. Most of this is in RFC 5280 so if we add it to the first line of the security considerations we're good except for the make a good private key and installing the trust anchor. Suggested text below: OLD: The security considerations in [RFC5425], [RFC5246] and [RFC4347] apply to this document. NEW (yes I reordered them so Alfred won't complain later): The security considerations in [RFC4347], [RFC5246], [RFC5425], and [RFC5280] apply to this document. and we should add two new paragraphs: 9.2 Private Key Generation Transport receiver and transport sender implementations generate their own key pairs. An inadequate random number generator (RNG) or an inadequate pseudo-random number generator (PRNG) to generate these keys can result in little or no security. See [RFC4086] for random number generation guidance. 9.3 Trust Anchor Installation and Storage Trust anchor installation and storage is critical. Transmission of a trust anchor, especially self-signed certificates used as trust anchors, from transport receiver to transport sender for installation requires an out-of-band step(s). Care must be taken to ensure the installed trust anchor is in fact the correct trust anchor. The fingerprint mechanism in Section 5.3.1 can be used by the transport sender to ensure the transport receiver's self-signed certificate is properly installed. Trust anchor information must be securely stored. Changes to trust anchor information can cause acceptance of certificates that should be rejected. ACTION: I'm also going to ask for more discussion on this.
- [Syslog] Issue 9, 9a, and 9b - from a Tim Polk CO… Chris Lonvick
- Re: [Syslog] Issue 9, 9a, and 9b - from a Tim Pol… t.petch
- Re: [Syslog] Issue 9, 9a, and 9b - from a Tim Pol… Sean Turner
- Re: [Syslog] Issue 9, 9a, and 9b - from a Tim Pol… Chris Lonvick
- Re: [Syslog] Issue 9, 9a, and 9b - from a Tim Pol… robert.horn
- Re: [Syslog] Issue 9, 9a, and 9b - from a Tim Pol… t.petch