[Syslog] Self-signed certs - was: Re: -transport-tls-12, section 4.2.3 (fingerprints)

Chris Lonvick <clonvick@cisco.com> Fri, 09 May 2008 13:31 UTC

Date: Fri, 09 May 2008 06:20:02 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA308FAA@grfint2.intern.adiscon.com>
Message-ID: <Pine.GSO.4.63.0805090536470.10011@sjc-cde-011.cisco.com>
References: <577465F99B41C842AAFBE9ED71E70ABA308FA8@grfint2.intern.adiscon.com> <AC1CFD94F59A264488DC2BEC3E890DE505C94F0F@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA308FAA@grfint2.intern.adiscon.com>
MIME-Version: 1.0
Cc: syslog@ietf.org
Subject: [Syslog] Self-signed certs - was: Re: -transport-tls-12, section 4.2.3 (fingerprints)

Hi,

On Thu, 8 May 2008, Rainer Gerhards wrote:
<some elided for brevity>
> However, I wonder why it would be useful to auto-generate certs.
> Probably I am overlooking something obvious. But: isn't cert
> auto-generation equal to no authentication? After all, if a
> *self-signed* cert is generated by the remote peer AND we accept it,
> doesn't that essentially mean we accept any peer because the peer can
> put whatever it likes into the cert? I do not see why this is any better
> than having no cert at all...

It minimally protects against masquerade and disclosure, two of the 
threats we agreed upon.  It will also provide a TCP-based transport for 
anyone who wishes/needs to have a mechanism to throttle the flow of 
packets for congestion control - something that you cannot do with the UDP 
transport.

Those are the reasons I can think of.  You do raise a good point by 
questioning this and I'd like to see some discussion from the WG.  Are 
these reasons sufficient to keep self-signed certs in the specification? 
If so, should specific comments be made about their use?

WG Chair Hat sort'a on, sort'a off: I'm thinking that a self-signed cert 
is the method of least effort to provide congestion control for syslog and 
it should be included in the document just for that reason.  This was the 
objection raised by the Transport ADs when they saw that 
syslog-transport-udp was the only REQUIRED transport.  I agree that 
self-signed certs don't really provide good protection and that should be 
noted in the Security Considerations Section.  If you don't agree with 
this, please object now.

If you do agree with this, does the following text work:
===
(Perhaps as a third paragraph in Section 4.2.4)

Self-signed certificates will provide minimal protection against 
modification and disclosure.  Their use will not provide effective 
protection against masquerade unless they are used with certificate 
fingerprint authorization lists.  The use of self-signed certificates 
without certificate fingerprint authorization lists is NOT RECOMMENDED. 
However, since TLS is a TCP-based protocol, enabling TLS, even with 
self-signed certificates, will effectively enable congestion control in 
the network.  See Section 8.6 of [syslog-protocol].

And perhaps merge the first three sentences of the above with the second 
paragraph in Sec Considerations section 5.1.  Current:
    The use of self-signed certificates with certificate fingerprint
    authorization lists provides more protection from masquerade and man-
    in-the-middle attacks than forgoing certificate validation and
    authorization.
===

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
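The proposed text above turns on one mechanism: a self-signed certificate authenticates a peer only when its fingerprint is on an authorization list. The following Python sketch is an added example, not code from the thread or from any syslog implementation; it assumes a fingerprint is a digest over the DER-encoded certificate (SHA-256 here, an assumption, since the draft text quoted above does not fix the algorithm) written in an assumed `alg:HH:HH:...` entry syntax, and the `CONSTRUCTED_PEER_CERT_DER` bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re
import socket
import ssl

# Constructed sample input: not a real DER certificate, just bytes to hash.
CONSTRUCTED_PEER_CERT_DER = b"\x30\x82\x01\x00constructed-not-a-real-cert"

# Assumed entry syntax for an authorization list: "<alg>:HH:HH:...".
_FP_RE = re.compile(r"^(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})*)$")

def parse_fingerprint(entry):
    """Normalise one list entry (any case, colon-separated) to (alg, digest bytes)."""
    m = _FP_RE.match(entry.strip().lower())
    if not m:
        raise ValueError("malformed fingerprint entry: %r" % entry)
    return m.group("alg"), bytes.fromhex(m.group("hex").replace(":", ""))

def cert_fingerprint(der_cert, alg="sha256"):
    """Digest over the DER certificate exactly as the peer presented it."""
    return hashlib.new(alg, der_cert).digest()

def format_fingerprint(der_cert, alg="sha256"):
    """Render a certificate's fingerprint in the list syntax, for provisioning."""
    digest = cert_fingerprint(der_cert, alg).hex()
    return alg + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def peer_authorized(der_cert, authorization_list):
    """True only if the presented certificate matches a listed fingerprint.

    With an empty list every self-signed certificate is rejected; accepting
    any self-signed certificate unconditionally would be the 'no
    authentication' case the thread describes.
    """
    for entry in authorization_list:
        alg, expected = parse_fingerprint(entry)
        if hmac.compare_digest(cert_fingerprint(der_cert, alg), expected):
            return True
    return False

def connect_authorized(host, port, authorization_list):
    """Open a TLS connection and drop it unless the peer is on the list.

    Chain validation is disabled because a self-signed certificate has no
    chain to validate; the fingerprint check is the only authentication left.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)))
    if not peer_authorized(sock.getpeercert(binary_form=True), authorization_list):
        sock.close()
        raise ssl.SSLError("peer certificate fingerprint not authorized")
    return sock
```

`connect_authorized` needs a live TLS peer; the list logic can be exercised offline with `peer_authorized` and `format_fingerprint` on the constructed bytes.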