Re: [Uta] secdispatched: draft-ciphersuites-in-sec-syslog-01

"Fries, Steffen" <steffen.fries@siemens.com> Fri, 22 April 2022 05:44 UTC

From: "Fries, Steffen" <steffen.fries@siemens.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Leif Johansson <leifj@sunet.se>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] secdispatched: draft-ciphersuites-in-sec-syslog-01
Date: Fri, 22 Apr 2022 05:44:13 +0000
Message-ID: <DU0PR10MB5196282B8ED6FF7BD48B5CC7F3F79@DU0PR10MB5196.EURPRD10.PROD.OUTLOOK.COM>
References: <54BCE9D9-3C20-4B0D-AB07-40CB56CB8BE8@sn3rd.com> <9B40447F-4197-4A70-9236-8490DB2F9975@sn3rd.com> <a57389e6-ddfa-eda6-f915-c25a8b4194d9@sunet.se> <9B36F695-3911-4C87-8D69-D09C2F0A4188@akamai.com>
In-Reply-To: <9B36F695-3911-4C87-8D69-D09C2F0A4188@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/Emo3-FuG1DmTZZCtRREvHxiYQu8>
Subject: Re: [Uta] secdispatched: draft-ciphersuites-in-sec-syslog-01
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>

Hi all,

Thank you for taking up this issue. We started the discussion based on work we are currently doing in IEC TC57 WG15, in the context of security event logging. As we rely on syslog and are using TLS to secure it, there was a request to be able to support it with current cipher suites, as also motivated in the author's notes. That said, I would support adoption as well.

While reading the current version of the draft I came across the following formulation in section 4 and section 5:
"The mandatory to implement cipher suite is REQUIRED to be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."

The choice is perfectly fine and also matches the supported ciphersuites in the TLS profile in IEC 62351. In the IEC discussion we assumed that the use of alternative ciphersuites is also possible. While the use of alternative ciphersuites is not ruled out explicitly, would it make sense to add a sentence like:
"Other ciphersuites MAY be supported depending on the security policy of the operator. They should be assessed to provide appropriate security for the intended use."

Background for the formulation is to have an explicit statement regarding support of other ciphersuites. Interoperability by the draft is achieved only with the mandatory-to-implement ciphersuite. This is clear. But if an operator decides to use, for instance, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, it should be possible.

Best regards
Steffen

> -----Original Message-----
> From: Uta <uta-bounces@ietf.org> On Behalf Of Salz, Rich
> Sent: Thursday, 21 April 2022 14:59
> To: Leif Johansson <leifj@sunet.se>; uta@ietf.org
> Subject: Re: [Uta] secdispatched: draft-ciphersuites-in-sec-syslog-01
> 
> >    Folks - is there any interest working on this in UTA?
> 
> I support adoption.  I'll read and give feedback.  Should be a pretty easy doc to
> finish off.
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
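Added example, not part of the thread, the draft or IEC 62351: one way an operator could express the policy Steffen asks for in code, using Python's ssl module on top of OpenSSL. The mandatory-to-implement suite is always offered, the operator adds further suites by IANA name, and a small audit checks whatever a context actually ends up offering. The IANA-to-OpenSSL name mapping is the standard one; which suites appear in the allow-list, and the audit criteria (operator-approved, AEAD, ECDHE key exchange), are this example's own choices, not requirements taken from the draft. The `ssl.SSLContext.get_ciphers()` dictionaries (`name`, `protocol`, `aead`, `kea`) are what the audit reads.

```python
"""Cipher suite policy for syslog over TLS: MTI suite plus operator-approved extras.

Example added to the thread; the policy logic here is the example's own and is
not text from draft-ciphersuites-in-sec-syslog or from IEC 62351.
"""
import ssl

# Mandatory-to-implement suite quoted from the draft in the message above.
MTI_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# IANA suite names -> OpenSSL names (standard mapping). Which suites are listed
# is this example's choice: ECDHE key exchange with AEAD record protection only.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
}


class PolicyError(ValueError):
    """Raised when the operator policy names a suite this helper cannot map."""


def cipher_string(operator_suites):
    """Return an OpenSSL cipher string: the MTI suite first, then the operator's
    additional suites (IANA names) in the order given."""
    ordered = [MTI_SUITE] + [s for s in operator_suites if s != MTI_SUITE]
    names = []
    for suite in ordered:
        if suite not in IANA_TO_OPENSSL:
            raise PolicyError(f"suite not in this helper's allow-list: {suite}")
        names.append(IANA_TO_OPENSSL[suite])
    return ":".join(names)


def make_context(operator_suites, server_side=False):
    """Build an SSLContext for a syslog sender or receiver that offers exactly
    the MTI suite plus the operator's extras for TLS 1.2. TLS 1.3 suites are
    configured separately by OpenSSL and are left at their defaults."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string(operator_suites))
    return ctx


def tls12_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites a context will offer or accept."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def assess(cipher_infos, operator_suites):
    """Audit cipher descriptions (the dicts ssl.SSLContext.get_ciphers() returns)
    against the policy: the MTI suite must be offered, and every TLS 1.2 suite
    must be operator-approved, AEAD and ECDHE-based.
    Returns a list of (suite name, problem) pairs; an empty list means compliant."""
    allowed = {IANA_TO_OPENSSL[MTI_SUITE]}
    allowed |= {IANA_TO_OPENSSL[s] for s in operator_suites if s in IANA_TO_OPENSSL}
    tls12 = [c for c in cipher_infos if c["protocol"] == "TLSv1.2"]
    problems = []
    if IANA_TO_OPENSSL[MTI_SUITE] not in {c["name"] for c in tls12}:
        problems.append((MTI_SUITE, "mandatory-to-implement suite not offered"))
    for c in tls12:
        if c["name"] not in allowed:
            problems.append((c["name"], "not in operator policy"))
        if not c["aead"]:
            problems.append((c["name"], "not an AEAD suite"))
        if c["kea"] != "kx-ecdhe":
            problems.append((c["name"], "no ephemeral ECDH key exchange"))
    return problems


if __name__ == "__main__":
    # Operator policy from the message above: additionally allow the ECDSA suite.
    policy = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
    ctx = make_context(policy, server_side=True)
    print("offered TLS 1.2 suites:", tls12_suites(ctx))
    print("policy findings:", assess(ctx.get_ciphers(), policy))
```

Because `assess()` works on plain dictionaries, it can also be pointed at a context loaded from a deployed configuration file rather than one built here, which is where the "assessed to provide appropriate security" check is actually useful: a receiver that was tuned to offer only a legacy RSA-key-transport CBC suite would fail on all three criteria and on the missing MTI suite.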