Re: [Syslog] Some revised text for syslog TLS
"Rainer Gerhards" <rgerhards@hq.adiscon.com> Wed, 28 May 2008 08:36 UTC
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "tom.petch" <cfinss@dial.pipex.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
Subject: Re: [Syslog] Some revised text for syslog TLS
Tom, inline...

<snip>

> > Do you or somebody else on this list (Tom?) have a clue why it may be
> > useful to carry out such a check? (EDIT: check of IP address)
>
> You have lost me here. Suppose I am a server and I want to check that syslog
> only comes from someone I trust so I will configure an identifier in the server
> and want security credentials to authenticate an assertion of that identity.
> The IP address is the identity, and the certificate the security credential.
>
> Or the host name is the identity and the certificate the security credential.
>
> Or the MAC address is the identity and the certificate the security credential.
>
> I do not see a difference (except that some identities are commoner than others
> as Pasi points out).

What is common is a big point. I think ipAddress inside certificates is quite uncommon, so this may be a good indication that it doesn't justify a MUST.

I have also thought about when this may be used at all. IMHO, this makes only sense if the transport sender uses a proxy or is behind NAT. Using a proxy for syslog senders is extremely uncommon. Being behind NAT is uncommon (usually, syslog is not transmitted to the public Internet). The remaining threat I see is that someone on the same local network poisons ARP with a spoofed IP address and then tries to fool the syslog server into listening to it. While possible, I think this is also quite remote (but remote is not a good argument when it comes to security, I know). What matters more is that this attack will NOT work if the subject's name is checked against the certificate.

So what is the extra benefit of authorizing based on IP address? What is the advantage of it? Is that so important that every syslog application implementing MUST support it? I am even in doubt if it justifies a SHOULD. To me it looks MAY would be sufficient, and this is covered by the text. So I think the whole paragraph on ipAddress authentication can simply be removed.

As a side-note, authentication based on IP addresses is even problematic. In my experience IP ranges are more likely to change than names, so sticking with names reduces the administrative cost when a change is needed.

Rainer

> Tom Petch
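Added example, not part of Rainer's mail or of any syslog implementation: a transport receiver's authorization check in the shape the thread discusses, matching the sender's certificate against a configured name first and treating an iPAddress SAN as an optional extra that must also agree with the connection's real source address. The certificate dict follows the format Python's ssl getpeercert() returns; the sample certificate, the function names and the single leftmost-label wildcard rule are assumptions.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a sender certificate carrying one dNSName and one iPAddress SAN (assumption).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "syslog-sender.example.net"),),),
    "subjectAltName": (("DNS", "syslog-sender.example.net"),
                       ("IP Address", "192.0.2.10")),
}


def _cert_names(peercert):
    """dNSName SANs from the certificate; fall back to CN only if there are none."""
    dns = [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not dns:
        dns = [v.lower() for rdn in peercert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns


def _cert_ips(peercert):
    """iPAddress SANs parsed as address objects; malformed entries are skipped."""
    ips = []
    for k, v in peercert.get("subjectAltName", ()):
        if k == "IP Address":
            try:
                ips.append(ipaddress.ip_address(v))
            except ValueError:
                pass
    return ips


def _dns_match(configured, presented):
    """Exact match, or a certificate name with one leftmost wildcard label."""
    configured, presented = configured.lower().rstrip("."), presented.lower().rstrip(".")
    if configured == presented:
        return True
    if presented.startswith("*.") and "*" not in presented[2:]:
        labels = configured.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == presented[2:]
    return False


def authorize_sender(peercert, allowed_names, allowed_ips=(), source_ip=None):
    """Return ('dns', name) or ('ip', addr) for the identity that admits this
    sender, or None. An IP identity counts only when the certificate carries it
    AND the packet actually arrived from that address (when source_ip is known)."""
    for name in _cert_names(peercert):
        if any(_dns_match(a, name) for a in allowed_names):
            return ("dns", name)
    cert_ips = _cert_ips(peercert)
    for allowed in allowed_ips:
        a = ipaddress.ip_address(allowed)
        if a in cert_ips and (source_ip is None or ipaddress.ip_address(source_ip) == a):
            return ("ip", str(a))
    return None
```

A receiver configured with names only never consults the iPAddress SAN, which is the MAY-level behaviour argued for above.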