IETF Logo Mail Archive

Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Sat, 06 March 2010 00:48 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF7A028C419 for <syslog@core3.amsl.com>; Fri, 5 Mar 2010 16:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XtSKgX6LIvPo for <syslog@core3.amsl.com>; Fri, 5 Mar 2010 16:48:00 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 2A81D28C0D7 for <syslog@ietf.org>; Fri, 5 Mar 2010 16:48:00 -0800 (PST)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAA41kUurRN+K/2dsb2JhbACbS3OeIZhehHcEgxc
X-IronPort-AV: E=Sophos;i="4.49,590,1262563200"; d="scan'208";a="96633228"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-4.cisco.com with ESMTP; 06 Mar 2010 00:48:02 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o260m209003882; Sat, 6 Mar 2010 00:48:02 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 5 Mar 2010 16:48:02 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 05 Mar 2010 16:48:01 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B848@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] New Version: draft-ietf-syslog-dtls-02
Thread-Index: Acq8wwMt4NqSvkkhSEW7WfJCvGLdzgAAD/ZQ
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Richard Graveman <rfgraveman@gmail.com>, "Chris Lonvick (clonvick)" <clonvick@cisco.com>
X-OriginalArrivalTime: 06 Mar 2010 00:48:02.0886 (UTC) FILETIME=[AD337E60:01CABCC6]
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Mar 2010 00:48:01 -0000

The syslog over TLS document allows for certificates using full path validation and certificate fingerprint matching.  The DTLS document takes the same approach.  This may not fully address your SHA-1 concern, but it does provide a mechanism to get things up and running without a full PKI.  

Also, the GCM cipher suites are not available in DTLS until we complete DTLS 1.2.  Other PSK cipher suites could be implemented with DTLS and syslog, the current draft does not restrict them.  

Joe 


> -----Original Message-----
> From: Richard Graveman [mailto:rfgraveman@gmail.com]
> Sent: Friday, March 05, 2010 4:22 PM
> To: Chris Lonvick (clonvick)
> Cc: Joseph Salowey (jsalowey); syslog@ietf.org
> Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
> 
> > I've looked over these changes and feel that they address the WGLC
> comments
> > that were received.  I'd appreciate it if the people who did the reviews
> > would also do a check.
> 
> Requiring certificates is a lot of extra baggage for worsened
> security. All the commonly encountered certificates today are based on
> signatures of weak hash functions, primarily SHA-1. Cipher suites
> like:
> 
> 0x00,0xA8     TLS_PSK_WITH_AES_128_GCM_SHA256          [RFC5487]
> 0x00,0xA9     TLS_PSK_WITH_AES_256_GCM_SHA384          [RFC5487]
> 
> do not suffer from the twin disease of weak and inefficient security
> and ought to be an option, as Tschonfig and Eronen say in 4279:
> 
>       ... pre-shared keys may be more convenient from a key
>       management point of view.  For instance, in closed environments
>       where the connections are mostly configured manually in advance,
>       it may be easier to configure a PSK than to use certificates.
>       Another case is when the parties already have a mechanism for
>       setting up a shared secret key, and that mechanism could be used
>       to "bootstrap" a key for authenticating a TLS connection.
> 
> This is precisely the environment is which I would expect to find a
> lot of syslog, as opposed to "TLS on the Web."
> 
> Rich Graveman

v2.23.0 | Report a Bug | By Email