IETF Logo Mail Archive

Re: [Syslog] Some revised text for syslog TLS

Martin Schütte <lists@mschuette.name> Mon, 26 May 2008 15:00 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 069C83A69B8; Mon, 26 May 2008 08:00:52 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 50CD63A6BBB for <syslog@core3.amsl.com>; Mon, 26 May 2008 08:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wopxZZkoo17G for <syslog@core3.amsl.com>; Mon, 26 May 2008 08:00:45 -0700 (PDT)
Received: from mail.asta.uni-potsdam.de (mail.asta.uni-potsdam.de [141.89.58.198]) by core3.amsl.com (Postfix) with ESMTP id C5FB03A69B8 for <syslog@ietf.org>; Mon, 26 May 2008 08:00:44 -0700 (PDT)
Received: from localhost (mail.asta.uni-potsdam.de [141.89.58.198]) by mail.asta.uni-potsdam.de (Postfix) with ESMTP id 00DD71E357C for <syslog@ietf.org>; Mon, 26 May 2008 17:00:46 +0200 (CEST)
X-Virus-Scanned: on mail at asta.uni-potsdam.de
Received: from mail.asta.uni-potsdam.de ([141.89.58.198]) by localhost (mail.asta.uni-potsdam.de [141.89.58.198]) (amavisd-new, port 10024) with ESMTP id Eo8bu6-IvDEb for <syslog@ietf.org>; Mon, 26 May 2008 17:00:25 +0200 (CEST)
Received: from [192.168.178.21] (BAA18c6.baa.pppool.de [77.128.24.198]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Martin Schuette", Issuer "AStA-CA" (verified OK)) by mail.asta.uni-potsdam.de (Postfix) with ESMTP id 093B81E36CA for <syslog@ietf.org>; Mon, 26 May 2008 17:00:22 +0200 (CEST)
Message-ID: <483AD08A.9090407@mschuette.name>
Date: Mon, 26 May 2008 17:00:26 +0200
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.14 (X11/20080511)
MIME-Version: 1.0
To: syslog@ietf.org
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com>
Subject: Re: [Syslog] Some revised text for syslog TLS
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Rainer Gerhards schrieb:
> scenario. Please note that operators tend to use IP addresses over
> hostnames because of reliability reasons and early startup capability of
> the syslogd (before DNS resolutions is available). So this is of
> practical relevance.

As noted later this will require the IP adresses to be included in the 
x509 certificates. The usual verification against the Common Name 
requires DNS.

> In case of the server authenticating the client, there is no such
> obvious choice. I could use the remote client's IP address (provided by
> the transport stack) and verify that it matches the IP address inside
> the certificate. However, is this really useful?

I think it is necessary since it is a mutual authentication: the client 
verifies the server, and the server verifies the client.
Each Authentication has two steps: 1. verify the trust path to the cert 
(either by CA signature, having the cert itself configured as a trust 
anchor, or having its fingerprint) and 2. check if the cert matches the 
requesting host (by IP or DNS, by Common Name or subjectAltName).

> IMO, this is more or
> less a check if the remote cert is signed by a common CA. Something that
> may be useful, but does not depend on the client's IP be known.

> Do you or somebody else on this list (Tom?) have a clue why it may be
> useful to carry out such a check?

Maybe the second step should be configurable (like the first one) since 
it is comes down to policy, but the question is: Do you accept a 
connection from client A if it shows a certificate from client B?

You might want to if you use only one cert for all clients, but if every 
client has its own cert then you might not, because this situation 
indicates a serious misconfiguration or intrusion.

> Back on the topic of easy but still secure configuration, I could
> envision taken the reverse DNS name of the transport sender and checking
> that against the identity presented in the certificate. Anyone any
> thoughts/comments on this?

Ack. I am going to do the same.

> Again, all of this assumes a common root CA and certificates signed by
> it (not necessarily full PKI, but an "in-house CA").

Either that or a collection af all involved certificates.
It should not make a difference if a common CA is the trust anchor or if 
every cert itself is.

-- 
Martin
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email