Return-Path: X-Original-To: syslog@core3.amsl.com Delivered-To: syslog@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 042BE3A6B42 for ; Thu, 11 Mar 2010 22:07:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.599 X-Spam-Level: X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFRmfeyYEQVw for ; Thu, 11 Mar 2010 22:07:53 -0800 (PST) Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 825353A6AD8 for ; Thu, 11 Mar 2010 22:07:42 -0800 (PST) Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AvsEAJZomUurR7Ht/2dsb2JhbACaaXOiG5hkhHsEgxc X-IronPort-AV: E=Sophos;i="4.49,624,1262563200"; d="scan'208";a="164798562" Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 12 Mar 2010 06:07:48 +0000 Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o2C67mhq009009; Fri, 12 Mar 2010 06:07:48 GMT Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 11 Mar 2010 22:07:48 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Thu, 11 Mar 2010 22:07:44 -0800 Message-ID: In-Reply-To: <000201cac08b$882391a0$0601a8c0@allison> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Syslog] DTLS renegotiation Thread-Index: AcrAlBzKxNxQWz/KSTGI1Y3tdqnNcABFd6jA References: <000201cac08b$882391a0$0601a8c0@allison> From: "Joseph Salowey (jsalowey)" To: "tom.petch" , X-OriginalArrivalTime: 12 Mar 2010 06:07:48.0454 (UTC) FILETIME=[572B5860:01CAC1AA] Subject: Re: [Syslog] DTLS renegotiation X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2010 06:07:55 -0000 Hi Tom, The text I suggested is a bit vague. I like your replacement text. Joe > > 8.1 DTLS Renegotiation > > > > TLS and DTLS renegotiation may be vulnerable to attacks described in RFC > > 5746. Although RFC 5746 provides a fix for some of the issues, > > renegotiation can still cause problems for applications since connection > > security parameters can change without the application knowing it. > > There for it is RECOMMENDED that renegotiation be disabled for syslog > > over DTLS. If, for some reason, renegotiation is allowed then the > > specification in RFC 5746 MUST be followed and the implementation MUST > > make sure that the connection security parameters do not change during > > renegotiation. >=20 > I think that the last sentence goes too far and should be more like >=20 > " If renegotiation is allowed then the > > specification in RFC 5746 MUST be followed and the implementation MUST > > make sure that the connection still has adequate security and that any > identities extracted from client and serverthe certificates do not change > during > > renegotiation. >=20 > Well, a bit clumsy, but I would like to be specific on those two issues. > They > are nothing to do with the problem that RFC5746 addresses but the work > leading > up to RFC5746 did show that these are related issues with renegotiation. >=20 > Tom Petch >=20 >=20 > > _______________________________________________ > > Syslog mailing list > > Syslog@ietf.org > > https://www.ietf.org/mailman/listinfo/syslog