Re: [Syslog] Some revised text for syslog TLS

"tom.petch" <cfinss@dial.pipex.com> Wed, 28 May 2008 14:57 UTC

From: "tom.petch" <cfinss@dial.pipex.com>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog <syslog@ietf.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com> <007701c8c015$2e530ca0$0601a8c0@allison> <577465F99B41C842AAFBE9ED71E70ABA3090C1@grfint2.intern.adiscon.com>
Date: Wed, 28 May 2008 15:51:24 +0200

Inline
Tom Petch

----- Original Message -----
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "tom.petch" <cfinss@dial.pipex.com>; "Joseph Salowey (jsalowey)"
<jsalowey@cisco.com>; <syslog@ietf.org>
Sent: Wednesday, May 28, 2008 10:35 AM
Subject: RE: [Syslog] Some revised text for syslog TLS


Tom,

inline...

<snip>

> > Do you or somebody else on this list (Tom?) have a clue why it may be
> > useful to carry out such a check? (EDIT: check of IP address)
>
> You have lost me here.  Suppose I am a server and I want to check that
> syslog
> only comes from someone I trust so I will configure an identifier in
> the server
> and want security credentials to authenticate an assertion of that
> identity.
> The IP address is the identity, and the certificate the security
> credential.
>
> Or the host name is the identity and the certificate the security
> credential.
>
> Or the MAC address is the identity and the certificate the security
> credential.
>
> I do not see a difference (except that some identities are commoner
> than others
> as Pasi points out).

What is common is a big point. I think ipAddress inside certificates is
quite uncommon, so this may be a good indication that it doesn't justify
a MUST.

I have also thought about when this may be used at all. IMHO, this only
makes sense if the transport sender uses a proxy or is behind NAT. Using
a proxy for syslog senders is extremely uncommon. Being behind NAT is
uncommon (usually, syslog is not transmitted to the public Internet).
The remaining threat I see is that someone on the same local network
poisons ARP with a spoofed IP address and then tries to fool the syslog
server into listening to it. While possible, I think this is also quite
remote (but remote is not a good argument when it comes to security, I
know). What matters more is that this attack will NOT work if the
subject's name is checked against the certificate.

So what is the extra benefit of authorizing based on IP address? What is
the advantage of it? Is that so important that every syslog application
implementing it MUST support it? I am even in doubt if it justifies a
SHOULD. To me it looks like MAY would be sufficient, and this is covered by
the text. So I think the whole paragraph on ipAddress authentication can
simply be removed.

As a side-note, authentication based on IP addresses is even
problematic. In my experience IP ranges are more likely to change than
names, so sticking with names reduces the administrative cost when a
change is needed.

<tp>

I encounter networks where the devices do not have names, in any meaningful
manner (perhaps just a default sysName left in by the manufacturer).  Boxes are
identified by address, layer 2 - MAC - or layer 3 - IP.  What I am resisting is
the need to allocate and maintain a namespace where none exists at present.

This use of IP address is independent of what appears in the IP header of the
packet; here it is serving as an identity for the box not as something to put in
the source field of the IP header. In theory, if the IP address of the device
changed, then you could keep the old address as an identity but I think that
would be too bizarre.

Tom Petch
</tp>


Rainer
>
> Tom Petch

_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
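The thread turns on one point: the receiver authorizes a sender by comparing an operator-configured identity (a name or an IP address) against what the peer certificate asserts, not against the source address in the packet. The following is an added illustration, not code from the thread or from any syslog implementation; it assumes the receiver gets the certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and the certificate values are constructed for the example.

```python
import ipaddress

# Constructed sample in the getpeercert() dict shape: a sender certificate
# that asserts both a dNSName and an iPAddress in subjectAltName.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "syslog-sender.example.net"),),),
    "subjectAltName": (
        ("DNS", "syslog-sender.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def identity_matches(cert, identity):
    """True if the configured `identity` (hostname or IP address string) is
    asserted by the certificate's subjectAltName.

    Hostnames are compared case-insensitively (trailing dot ignored) against
    dNSName entries. IP addresses are parsed with `ipaddress` and compared
    against iPAddress entries, so textual differences such as IPv6 zero
    compression do not cause a false mismatch."""
    try:
        wanted_ip = ipaddress.ip_address(identity)
    except ValueError:
        wanted_ip = None  # not an address literal: treat as a hostname
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return True
                except ValueError:
                    continue  # malformed entry in the cert: never matches
        elif kind == "DNS" and value.lower() == identity.rstrip(".").lower():
            return True
    return False


def authorize_sender(cert, allowed_identities):
    """Return the first configured identity the peer certificate asserts,
    or None if the sender is not authorized.

    The identity comes from the receiver's configuration, deliberately not
    from the transport's source address: a spoofed source IP without the
    private key behind the certificate gains nothing here."""
    for identity in allowed_identities:
        if identity_matches(cert, identity):
            return identity
    return None
```

The same function serves the name-based policy Rainer prefers and the address-based identity Tom describes for unnamed devices; the administrative difference is only in which string the operator configures.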