Re: [Syslog] -transport-tls-12, IP addresses

"tom.petch" <cfinss@dial.pipex.com> Tue, 13 May 2008 10:50 UTC

Message-ID: <021a01c8b4dd$ef034480$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
References: <577465F99B41C842AAFBE9ED71E70ABA308F92@grfint2.intern.adiscon.com> <020601c8b1cb$e23d3a40$0601a8c0@allison> <AC1CFD94F59A264488DC2BEC3E890DE505C95872@xmb-sjc-225.amer.cisco.com>
Date: Tue, 13 May 2008 11:36:43 +0200

<inline>
Tom Petch

----- Original Message -----
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "tom.petch" <cfinss@dial.pipex.com>; "Rainer Gerhards"
<rgerhards@hq.adiscon.com>; <syslog@ietf.org>
Sent: Monday, May 12, 2008 6:15 AM
Subject: RE: [Syslog] -transport-tls-12, IP addresses


Hi Tom,

How would you think this would be deployed?  In order for an IP address
match to be secure in most environments the IP address in the
configuration of the transport sender would have to match against an IP
address in a subject field within the certificate. Would it be
reasonable for a syslog receiver to have a certificate issued to it that
has its IP address in a subject field?

<tp>
yes, I do think that it would be reasonable :-)

It comes back to the environment in which I see syslog, of large numbers of low
function devices with little infrastructure.  Gold standard security needs PKI,
CRLs, (secure) DNS etc which is great for full function devices.  Entry level
security operates with IP addresses - which must already be known to the syslog
originator - and shared certs, self-signed certs, +/- fingerprints etc so I
think that IP address as an identity should be allowed.

Tom Petch
</tp>


Joe
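The check Joe asks about, as an added example that is not part of this thread and not code from any syslog implementation: the transport sender compares the receiver IP address it already has in its configuration with the iPAddress subjectAltName entries of the receiver's certificate, and a pinned fingerprint covers Tom's self-signed-certificate case. The certificate dict mirrors the layout Python's `ssl.SSLSocket.getpeercert()` returns; the SAN values, the DER bytes and the `collector.example.net` name are all constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: what a syslog transport sender sees from its receiver
# during the TLS handshake.  The dict mirrors ssl.SSLSocket.getpeercert();
# the DER bytes are a stand-in, not a real certificate.
PEER_CERT = {
    "subject": ((("commonName", "collector.example.net"),),),
    "subjectAltName": (
        ("DNS", "collector.example.net"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),
    ),
}
PEER_CERT_DER = b"constructed-stand-in-for-DER-encoded-receiver-cert"


def fingerprint(cert_der):
    """Hex SHA-256 fingerprint of the DER certificate, as an operator would pin it."""
    return hashlib.sha256(cert_der).hexdigest()


def ip_in_san(configured_ip, peer_cert):
    """True if the configured receiver IP appears as an iPAddress subjectAltName.
    Addresses are compared as parsed values, so textual IPv6 forms need not match."""
    want = ipaddress.ip_address(configured_ip)
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue  # commonName and dNSName entries never satisfy an IP identity
        try:
            if ipaddress.ip_address(value) == want:
                return True
        except ValueError:
            continue  # malformed SAN entry: skip it rather than fail open
    return False


def authenticate_receiver(configured_ip, peer_cert, cert_der, pinned=None):
    """Decide whether to trust the receiver.  Returns (accepted, reason).
    With a pinned fingerprint (self-signed certificate case) the exact
    certificate must match; otherwise the configured IP must be in the cert."""
    if pinned is not None:
        ok = hmac.compare_digest(fingerprint(cert_der),
                                 pinned.replace(":", "").lower())
        return (ok, "fingerprint match" if ok else "fingerprint mismatch")
    if ip_in_san(configured_ip, peer_cert):
        return (True, "iPAddress SAN match")
    return (False, "configured IP not in certificate")
```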

> -----Original Message-----
> From: syslog-bounces@ietf.org
> [mailto:syslog-bounces@ietf.org] On Behalf Of tom.petch
> Sent: Friday, May 09, 2008 4:54 AM
> To: Rainer Gerhards; syslog@ietf.org
> Subject: Re: [Syslog] -transport-tls-12, IP addresses
>
> I think that we should allow IP addresses.  At the entry
> level network box, I think that they are widely used.
>
> Tom Petch
>
>
> ----- Original Message -----
> From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
> To: <syslog@ietf.org>
> Sent: Wednesday, May 07, 2008 10:39 PM
> Subject: [Syslog] -transport-tls-12, IP addresses
>
>
> > Joe,
> >
> >    [Editor's Note: How useful is it to match against IP address?  Do we
> >    expect deployments to issue certificates with IP addresses in them?
> >    Are IP addresses typically used in configuration? ]
> >
> > I find this a tough question. In my experience, it is not uncommon to
> > configure forwarding via IP addresses instead of hostnames. One reason
> > for this is because of reliability of the logging system when DNS is
> > not (yet --> system startup) available. On the other hand, I find it
> > even a bit disturbing to have a certificate issued for an IP address.
> > But it may make sense. I personally would expect that operators tend
> > to use hostnames inside the certificate. The problem, of course, would
> > be that the configuration then needs both the name and IP address...
> >
> > I hope this is useful information, even though I am undecided.
> >
> > Rainer

_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog