From root@core3.amsl.com Tue Dec 1 09:30:02 2009 Return-Path: X-Original-To: syslog@ietf.org Delivered-To: syslog@core3.amsl.com Received: by core3.amsl.com (Postfix, from userid 0) id 0BAB03A6A22; Tue, 1 Dec 2009 09:30:01 -0800 (PST) From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Content-Type: Multipart/Mixed; Boundary="NextPart" Mime-Version: 1.0 Message-Id: <20091201173002.0BAB03A6A22@core3.amsl.com> Date: Tue, 1 Dec 2009 09:30:02 -0800 (PST) Cc: syslog@ietf.org Subject: [Syslog] I-D Action:draft-ietf-syslog-sign-29.txt X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2009 17:30:02 -0000 --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF. Title : Signed syslog Messages Author(s) : J. Kelsey, et al. Filename : draft-ietf-syslog-sign-29.txt Pages : 48 Date : 2009-12-01 This document describes a mechanism to add origin authentication, message integrity, replay resistance, message sequencing, and detection of missing messages to the transmitted syslog messages. This specification is intended to be used in conjunction with the work defined in RFC 5424, "The syslog Protocol". Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on June 4, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-29.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Message/External-body; name="draft-ietf-syslog-sign-29.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2009-12-01092122.I-D@ietf.org> --NextPart-- From rfgraveman@gmail.com Thu Dec 3 08:30:23 2009 Return-Path: X-Original-To: syslog@core3.amsl.com Delivered-To: syslog@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D67E73A682B; Thu, 3 Dec 2009 08:30:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id omJ+BctRQsqv; Thu, 3 Dec 2009 08:30:23 -0800 (PST) Received: from mail-iw0-f195.google.com (mail-iw0-f195.google.com [209.85.223.195]) by core3.amsl.com (Postfix) with ESMTP id 060CC3A672F; Thu, 3 Dec 2009 08:30:22 -0800 (PST) Received: by iwn33 with SMTP id 33so1084448iwn.29 for ; Thu, 03 Dec 2009 08:30:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:cc:content-type; bh=gfj5exhdMXb0n5MfAzDnIF14Q9w1mDK55XMe51Zs9AQ=; b=CGI+h/5WLHsxwPXmvmJfc8Af8+Ny9bgXSNzCMISUs0ACkD1jM5Q0fn3TfRG4eE/3uz AfOCtYUpJY2Pq41M8aszlOtmiH7TKuk075xIv5iytpn6fNK0tCs8OjQ+uJGzhErlqnny 3WwQ7wYVvh/6pjE4kH9bu9+B+RVuVMaavdAw4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=MO44woYx3qUieCrzQbSZRedCVNV2QeYrC7J/Ka+1GGc/FzaVPSYWMBiTbFKKlhpcsQ sxluMSCvew3wZqjGFb7y8J/ts/gnnRnFz049omU2jw3XLbfZq8FidR1vrPZWCc2jmqHM Z92Bk5EO3wE/fNDWSvD/UdQWJgwJW+V8PbPts= MIME-Version: 1.0 Received: by 10.231.5.90 with SMTP id 26mr3515113ibu.42.1259857810442; Thu, 03 Dec 2009 08:30:10 -0800 (PST) Date: Thu, 3 Dec 2009 11:30:10 -0500 Message-ID: <45c8c21a0912030830n154e849cy6e495b480d3c6c57@mail.gmail.com> From: Richard Graveman To: alex@cisco.com, john.kelsey@nist.gov, jon@callas.org, pasi.eronen@nokia.com Content-Type: text/plain; charset=ISO-8859-1 Cc: syslog@ietf.org, iesg@ietf.org Subject: [Syslog] draft-ietf-syslog-sign-29 X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 16:30:24 -0000 Thank you for your continued efforts to complete this important work. The -29 draft contains many improvements. Here are a few editorial comments. I hope you can save them for AUTH48. 1. Section 2: "NOT RECOMMENDED" is also used below in the sense of RFC 2119, but it is not mentioned as such here. 2. Section 5.3.2.9, line 1: "is is" 3. Section 6, line 12: duplicats -> duplicates 4. Section 7.2, four lines above list item "f.": "the a" 5. [Ii]mplement[eo]rs is spelled multiple times with "or" and with "er" Richard Graveman From ietfdbh@comcast.net Tue Dec 15 06:57:04 2009 Return-Path: X-Original-To: syslog@core3.amsl.com Delivered-To: syslog@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D83633A6A6E for ; Tue, 15 Dec 2009 06:57:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.736 X-Spam-Level: X-Spam-Status: No, score=-0.736 tagged_above=-999 required=5 tests=[AWL=-0.737, BAYES_50=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jpOvcagFzRZX for ; Tue, 15 Dec 2009 06:57:04 -0800 (PST) Received: from QMTA05.westchester.pa.mail.comcast.net (qmta05.westchester.pa.mail.comcast.net [76.96.62.48]) by core3.amsl.com (Postfix) with ESMTP id E3B663A6A6A for ; Tue, 15 Dec 2009 06:57:03 -0800 (PST) Received: from OMTA20.westchester.pa.mail.comcast.net ([76.96.62.71]) by QMTA05.westchester.pa.mail.comcast.net with comcast id HQ8P1d00A1YDfWL55SwrnC; Tue, 15 Dec 2009 14:56:51 +0000 Received: from Harrington73653 ([24.147.240.98]) by OMTA20.westchester.pa.mail.comcast.net with comcast id HSxM1d001284sdk3gSxMef; Tue, 15 Dec 2009 14:57:21 +0000 From: "David Harrington" To: Date: Tue, 15 Dec 2009 09:56:49 -0500 Message-ID: <052e01ca7d96$d4e2cc00$6601a8c0@china.huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 Thread-Index: Acp9ltRRDVprjHKKQsKXr7WkUHdKLA== Subject: [Syslog] reviews needed X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Dec 2009 14:57:04 -0000 Hi, Our syslog/dtls draft needs reviews. The isms WG is running a WGLC on their snmp/dtls draft. The ipfix WG has an ipfix/dtls draft. The TLS WG is addressing dead peer detection for dtls. It is important that these can work together on the same system. Consistency may be important to make it easier for operators. The requirements for dtls usage for syslog, and ipfix, and SNMP can be quite different. And there are more protocols to consider. My main concern is making sure DTLS can be configured in a relatively consistent manner to suit multiple protocol usages. It won't be good if an operator puts syslog/dtls and ipfix/dtls and snmp/dtls on the same system and faces conflicting requirements for configuration. We should probably pay close attention to aligning things like default values, trust assumptions, and configuration information models. Our draft is supposed to go to WGLC by March, so getting reviews of the current draft is really important. Please review the draft. Thanks, David Harrington dbharrington@comcast.net ietfdbh@comcast.net dharrington@huawei.com From hartmans@mit.edu Tue Dec 15 11:38:29 2009 Return-Path: X-Original-To: syslog@core3.amsl.com Delivered-To: syslog@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 586903A68F5 for ; Tue, 15 Dec 2009 11:38:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.381 X-Spam-Level: X-Spam-Status: No, score=-2.381 tagged_above=-999 required=5 tests=[AWL=-0.116, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LcPCrp3tq1Cq for ; Tue, 15 Dec 2009 11:38:28 -0800 (PST) Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 9DDCB3A68F9 for ; Tue, 15 Dec 2009 11:38:28 -0800 (PST) Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 7814E201A2; Tue, 15 Dec 2009 14:38:14 -0500 (EST) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id F0F86409E; Tue, 15 Dec 2009 14:38:09 -0500 (EST) From: Sam Hartman To: "Joseph Salowey \(jsalowey\)" References: <012201ca56e8$f0e4ac40$0601a8c0@allison> <0cc801ca5752$e24aad00$0600a8c0@china.huawei.com> <4AE834B4.6090209@cisco.com> <9B6E2A8877C38245BFB15CC491A11DA7103310@GRFEXC.intern.adiscon.com> Date: Tue, 15 Dec 2009 14:38:09 -0500 In-Reply-To: (Joseph Salowey's message of "Tue, 15 Dec 2009 10:21:16 -0800") Message-ID: User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailman-Approved-At: Wed, 16 Dec 2009 08:12:28 -0800 Cc: , "Woundy, Richard" , deketelaere@tComLabs.com, enechamkin@broadcom.com, "Ong, Lyndon" , Wes Hardaker , Sumanth Channabasappa , Andi Kosich , Sam Hartman , Margaret Wasserman , v.marinov@jacobs-university.de, .org, "Anirban Karmakar \(akarmaka\)" , Huang Min , syslog@ietf.org, Jeffrey Hutzelman Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Dec 2009 19:38:29 -0000 I also think that the sort of shell scripts discussed earlier in the thread would be sufficient to meet the MUST. From jsalowey@cisco.com Tue Dec 15 10:21:34 2009 Return-Path: X-Original-To: syslog@core3.amsl.com Delivered-To: syslog@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC8C03A6AC2 for ; Tue, 15 Dec 2009 10:21:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.494 X-Spam-Level: X-Spam-Status: No, score=-6.494 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IKq9VSsLF0ZP for ; Tue, 15 Dec 2009 10:21:31 -0800 (PST) Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 80FE63A68A9 for ; Tue, 15 Dec 2009 10:21:31 -0800 (PST) Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none X-IronPort-AV: E=Sophos;i="4.47,401,1257120000"; d="scan'208";a="280117153" Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-1.cisco.com with ESMTP; 15 Dec 2009 18:21:18 +0000 Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nBFILH81009253; Tue, 15 Dec 2009 18:21:18 GMT Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Dec 2009 10:21:17 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Tue, 15 Dec 2009 10:21:16 -0800 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt Thread-Index: Acpce7CZ1OSv9e7+SZW8RejMjaQ8/whNzmkg References: <012201ca56e8$f0e4ac40$0601a8c0@allison><0cc801ca5752$e24aad00$0600a8c0@china.huawei.com><4AE834B4.6090209@cisco.com> <9B6E2A8877C38245BFB15CC491A11DA7103310@GRFEXC.intern.adiscon.com> From: "Joseph Salowey (jsalowey)" To: "Sam Hartman" , "Rainer Gerhards" X-OriginalArrivalTime: 15 Dec 2009 18:21:17.0493 (UTC) FILETIME=[64A98650:01CA7DB3] X-Mailman-Approved-At: Wed, 16 Dec 2009 08:12:48 -0800 Cc: "Woundy, Richard" , deketelaere@tComLabs.com, enechamkin@broadcom.com, "Ong, Lyndon" , Margaret Wasserman , Wes Hardaker , Sumanth Channabasappa , Andi Kosich , v.marinov@jacobs-university.de, "Anirban Karmakar \(akarmaka\)" , Huang Min , syslog@ietf.org, Jeffrey Hutzelman Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt X-BeenThere: syslog@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Issues in Network Event Logging List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Dec 2009 18:21:34 -0000 SO the text for this particular paragraph (including the MUST) is the same as text in RFC 5425 (SYSLOG-TLS) section 4.2.1. Unless we have implementation or deployment experience that suggests otherwise I think we should keep the same text. =20 Joe > -----Original Message----- > From: Sam Hartman [mailto:hartmans-ietf@mit.edu]=20 > Sent: Tuesday, November 03, 2009 3:49 AM > To: Rainer Gerhards > Cc: Sam Hartman; Eliot Lear; David Harrington; tom.petch;=20 > Joseph Salowey (jsalowey); syslog@ietf.org; Wes Hardaker;=20 > Juergen Schoenwaelder; Huang Min; Sharon Chisholm; Alexander=20 > Clemm (alex); Glenn M. Keeni; Miao Fuyou; Anton Okmyanskiy=20 > (aokmians); Anirban Karmakar (akarmaka);=20 > v.marinov@jacobs-university.de; Woundy, Richard; Sumanth=20 > Channabasappa; deketelaere@tComLabs.com;=20 > enechamkin@broadcom.com; Richard Graveman; Ong, Lyndon; Andi=20 > Kosich; Margaret Wasserman; Jeffrey Hutzelman > Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt >=20 > I think including a script to generate certificates and=20 > configure their use would meet this requirement, so I=20 > definitely think it is something that you could do. >=20 > I'm not at all convinced that generating a cert if you don't=20 > have one would be wrong. > Debian has chosen to do that for a number of applications we=20 > ship and it seems to work out well. =20 >=20