
From root@core3.amsl.com  Fri Mar  5 09:45:02 2010
Return-Path: <root@core3.amsl.com>
X-Original-To: syslog@ietf.org
Delivered-To: syslog@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 4E6743A8D8A; Fri,  5 Mar 2010 09:45:02 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20100305174502.4E6743A8D8A@core3.amsl.com>
Date: Fri,  5 Mar 2010 09:45:02 -0800 (PST)
Cc: syslog@ietf.org
Subject: [Syslog] I-D Action:draft-ietf-syslog-dtls-02.txt
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 17:45:02 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.


	Title           : Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
	Author(s)       : J. Salowey, et al.
	Filename        : draft-ietf-syslog-dtls-02.txt
	Pages           : 17
	Date            : 2010-03-05

This document describes the transport of syslog messages over DTLS
(Datagram Transport Level Security).  It provides a secure transport
for syslog messages in cases where a connection-less transport is
desired.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-syslog-dtls-02.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2010-03-05093635.I-D@ietf.org>


--NextPart--

From jsalowey@cisco.com  Fri Mar  5 09:49:18 2010
Return-Path: <jsalowey@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C0C828C2FC for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 09:49:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M3owen9mn35I for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 09:49:17 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id E8AE428C303 for <syslog@ietf.org>; Fri,  5 Mar 2010 09:49:17 -0800 (PST)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAJ/SkEurR7H+/2dsb2JhbACbSHOfFJhZgk6CKQSDFw
X-IronPort-AV: E=Sophos;i="4.49,588,1262563200"; d="scan'208";a="96478703"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-4.cisco.com with ESMTP; 05 Mar 2010 17:49:20 +0000
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o25HnKbg025296 for <syslog@ietf.org>; Fri, 5 Mar 2010 17:49:20 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 5 Mar 2010 09:49:20 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 5 Mar 2010 09:49:18 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: New Version: draft-ietf-syslog-dtls-02 
Thread-Index: Acq8jC4a6B1dNp4NTaKvLelsk28wSg==
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 05 Mar 2010 17:49:20.0594 (UTC) FILETIME=[2F25F320:01CABC8C]
Subject: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 17:49:18 -0000

I just submitted draft -02 of draft-ietf-syslog-dtls.  Thanks to all the
folks that submitted comments on the draft, I think I have incorporated
them into the latest revision.  Here is a summary of the changes:

1. Reworked the introduction with helpful suggestions from Chris
Lonvick.
2. Removed the definition of connection and made sure when the term is
used it refers to a "DTLS connection"
3. Cleaned up text about security requirements
4. Cleaned up text in section 5.1
5. Removed some extraneous text from section 5.3
6. Added certificate fingerprint as an example of what can be stored to
help correlate identity with sent and received data.
7. Fixed text on message size
8. Removed section on "Cryptographic level" because it was confusing and
did not add anything.
9. Changed SYSLOG and Syslog to syslog where appropriate.

I think the draft is ready to go to the IESG.

Thanks,

Joe
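Item 6 above refers to storing a certificate fingerprint so that a receiver can tie the identity of the DTLS peer to the data it sent or received. The following is an added illustration of that idea, not text or code from the draft or from its authors: a receiver-side record that computes a fingerprint over the peer certificate's DER bytes, admits only peers whose fingerprint is configured as trusted, and keeps an audit trail keyed by fingerprint. The colon-separated "hash-name:HH:HH:..." rendering follows the style of the fingerprint examples in RFC 5425, which the draft is modelled on; the exact formatting, the `Receiver` class and the sample certificate bytes are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the DER encoding of a peer certificate. Real code would
# obtain these bytes from the DTLS library's peer-certificate accessor after the
# handshake; the content here is not a real certificate.
PEER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-unknown-peer-certificate"


def cert_fingerprint(der: bytes, algorithm: str = "sha-256") -> str:
    """Hash the DER certificate and render it as 'sha-256:AB:CD:...'.

    The colon-separated, upper-case hex style mirrors the fingerprint examples
    in RFC 5425 (assumed formatting); the hash name prefix makes the algorithm
    explicit so a stored value is never compared against a digest of the wrong
    length or algorithm.
    """
    digest = hashlib.new(algorithm.replace("-", ""), der).digest()
    return algorithm + ":" + ":".join(f"{b:02X}" for b in digest)


@dataclass
class Receiver:
    """Minimal syslog receiver bookkeeping: who may send, and what each peer sent."""
    trusted: set                                   # fingerprints of authorized senders
    records: list = field(default_factory=list)    # (fingerprint, message) audit trail
    rejected: int = 0                              # messages dropped from unknown peers

    def on_message(self, peer_cert_der: bytes, message: str) -> bool:
        """Accept a message only from a peer whose certificate fingerprint is trusted.

        Returns True when the message was recorded, False when it was dropped.
        A dropped message is not written to the trail, so nothing is ever
        attributed to an identity the receiver did not authenticate.
        """
        fp = cert_fingerprint(peer_cert_der)
        if fp not in self.trusted:
            self.rejected += 1
            return False
        self.records.append((fp, message))
        return True

    def messages_from(self, fingerprint: str) -> list:
        """Correlate stored data with a sender identity: all messages from one peer."""
        return [msg for fp, msg in self.records if fp == fingerprint]


def demo() -> dict:
    """Exercise the receiver with one trusted and one unknown peer."""
    trusted_fp = cert_fingerprint(PEER_CERT_DER)
    rx = Receiver(trusted={trusted_fp})
    accepted_1 = rx.on_message(PEER_CERT_DER, "<34>1 2010-03-05T17:49:18Z host app - - - started")
    accepted_2 = rx.on_message(OTHER_CERT_DER, "<34>1 2010-03-05T17:49:19Z host app - - - spoof?")
    return {
        "fingerprint": trusted_fp,
        "accepted": [accepted_1, accepted_2],
        "from_trusted": rx.messages_from(trusted_fp),
        "rejected": rx.rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The sample messages in `demo()` are constructed syslog lines; the point is that the audit trail stores the peer's fingerprint next to each message, so a later investigation can ask "what did the peer with this fingerprint send" and get an answer backed by the DTLS handshake rather than by a spoofable source address.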

From turners@ieca.com  Fri Mar  5 11:54:05 2010
Return-Path: <turners@ieca.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 95DBF28C2F2 for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 11:54:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.372
X-Spam-Level: 
X-Spam-Status: No, score=-2.372 tagged_above=-999 required=5 tests=[AWL=0.226,  BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0pwYfsVVw9x for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 11:54:04 -0800 (PST)
Received: from smtp115.biz.mail.re2.yahoo.com (smtp115.biz.mail.re2.yahoo.com [66.196.116.35]) by core3.amsl.com (Postfix) with SMTP id B5DA33A901E for <syslog@ietf.org>; Fri,  5 Mar 2010 11:54:04 -0800 (PST)
Received: (qmail 88259 invoked from network); 5 Mar 2010 19:54:04 -0000
Received: from thunderfish.local (turners@96.231.117.33 with plain) by smtp115.biz.mail.re2.yahoo.com with SMTP; 05 Mar 2010 11:54:04 -0800 PST
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: wtvx8jEVM1nZyjjyTDaOl_Uc0Vsip_idHFkHrn94NcPsyWE39.X.avuZVgtQagkJO.oeQG6kB9XAfEd5DlNP7qPzuU3PWZULwEbtxv75xtTBQblHxY2CTKtiiweXO4n5yD45t_EQVFwOVApCA_xB3R0gwsOrOFr30G8TPBDvxMzcSvniFK6Ks5y4L6tCPxprneOdXNfUcBwtEeWLI1Odb4gmOybBo1GS6NwLfPCJ6r6AYD.TDk6G0cd_kzMIQWxM0wxkBZJq7uU.GQf2Fr3MLdypCvHaQll9psIqe5oM4784X59ZL2P3O8W8tEb5oF4OmG0dDjWuMBk9XX3hj8OhH.Vv_O7sYO5_gOAasEyY5vCoLh15.aLIonQVUcTO7eOrtt.urok8N2bEzeE1dySVM7GITf.acpo82GkEsI0i_4BG2qRmoQ--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4B91615A.5070106@ieca.com>
Date: Fri, 05 Mar 2010 14:54:02 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: syslog@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Syslog] nits on draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 19:54:05 -0000

Here are some comments on draft-ietf-syslog-dtls-02.  All are nits.

1. Introduction:

r/with TLS security [RFC5246]/with TLS [RFC5246]
r/syslog Message/syslog message

Upon first reading of the last paragraph, I was trying to figure out how 
I was going to use syslog/DTLS/UDP/DCCP.  Can we use "in preference to" 
for "over" in the last sentence (or something other than "over"):

OLD:

If an operator has the choice of the two, it is recommended to use 
syslog over DTLS over DCCP.

NEW:

If an operator has the choice of the two, it is RECOMMENDED to use 
syslog over DTLS in preference to syslog over DCCP.

2. Terminology

To align with the DTLS client definition:

OLD:

A "DTLS server" is an application that can receive a Client Hello from a 
client and reply with a Server Hello.

NEW:

A "DTLS server" is an application that can receive a DTLS Client Hello 
from a client and reply with a DTLS Server Hello.

4. Using DTLS to Secure Syslog

r/Denial of Service attacks/Denial of Service attacks.

5.4.1 Message Size

r/each DTLS record must fit within a single DTLS datagram/each DTLS 
record MUST fit within a single DTLS datagram

spt

From clonvick@cisco.com  Fri Mar  5 14:47:56 2010
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DAA2828C3CC for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 14:47:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.524
X-Spam-Level: 
X-Spam-Status: No, score=-10.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GFdr1X8fuMw2 for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 14:47:56 -0800 (PST)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id EB41328C3A2 for <syslog@ietf.org>; Fri,  5 Mar 2010 14:47:55 -0800 (PST)
Authentication-Results: sj-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAO4YkUurRN+K/2dsb2JhbACbSXOeAJhghHcEgxc
X-IronPort-AV: E=Sophos;i="4.49,589,1262563200"; d="scan'208";a="244592707"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-2.cisco.com with ESMTP; 05 Mar 2010 22:47:58 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o25Mlwet024828; Fri, 5 Mar 2010 22:47:58 GMT
Date: Fri, 5 Mar 2010 14:47:58 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: Sean Turner <turners@ieca.com>
In-Reply-To: <4B91615A.5070106@ieca.com>
Message-ID: <Pine.GSO.4.63.1003051435200.17566@sjc-cde-011.cisco.com>
References: <4B91615A.5070106@ieca.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: syslog@ietf.org
Subject: Re: [Syslog] nits on draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 22:47:57 -0000

Hi Sean,

Many thanks for this review.  I'm going to ask Joe to _not_ incorporate 
these changes at this time as they are editorial.  Joe can make the 
changes if the IESG asks for other changes, or during AUTH48.

One comment in-line below.

On Fri, 5 Mar 2010, Sean Turner wrote:

> Here are some comments on draft-ietf-syslog-dtls-02.  All are nits.
>
> 1. Introduction:
>
> r/with TLS security [RFC5246]/with TLS [RFC5246]
> r/syslog Message/syslog message
>
> Upon first reading of the last paragraph, I was trying to figure out how I 
> was going to use syslog/DTLS/UDP/DCCP.  Can we use "in preference to" for 
> "over" in the last sentence (or something other than "over"):
>
> OLD:
>
> If an operator has the choice of the two, it is recommended to use syslog 
> over DTLS over DCCP.
>
> NEW:
>
> If an operator has the choice of the two, it is RECOMMENDED to use syslog 
> over DTLS in preference to syslog over DCCP.

I like the wording.  I'm going to say to keep the "recommended" as 
lowercase since it's not a directive for the protocol but a recommendation 
for deployment.

All the rest are good catches.

Thanks,
Chris

>
> 2. Terminology
>
> To align with the DTLS client definition:
>
> OLD:
>
> A "DTLS server" is an application that can receive a Client Hello from a 
> client and reply with a Server Hello.
>
> NEW:
>
> A "DTLS server" is an application that can receive a DTLS Client Hello from a 
> client and reply with a DTLS Server Hello.
>
> 4. Using DTLS to Secure Syslog
>
> r/Denial of Service attacks/Denial of Service attacks.
>
> 5.4.1 Message Size
>
> r/each DTLS record must fit within a single DTLS datagram/each DTLS record 
> MUST fit within a single DTLS datagram
>
> spt
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
>

From clonvick@cisco.com  Fri Mar  5 15:00:15 2010
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2CA0128C3EC for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:00:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.549
X-Spam-Level: 
X-Spam-Status: No, score=-10.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQPRWp1AjYWm for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:00:14 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 52C8528C3CA for <syslog@ietf.org>; Fri,  5 Mar 2010 15:00:14 -0800 (PST)
Authentication-Results: sj-iport-3.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.49,589,1262563200"; d="scan'208";a="215702719"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-3.cisco.com with ESMTP; 05 Mar 2010 23:00:17 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o25N0HT2026151; Fri, 5 Mar 2010 23:00:17 GMT
Date: Fri, 5 Mar 2010 15:00:16 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog@ietf.org
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com>
Message-ID: <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 23:00:15 -0000

Hi,

I want to thank everyone who provided WGLC reviews and comments.  These 
help a lot to keep this process going.  (..and we got our draft in before 
the cutoff date. :)

I've looked over these changes and feel that they address the WGLC 
comments that were received.  I'd appreciate it if the people who did the 
reviews would also do a check.  As everyone has noticed, this document is 
closely following RFC 5425 and I'd like to keep that format.

David has written up a preliminary shepherding document.  I'll edit that 
and send a copy around to the WG before submitting it to the IESG sometime 
next week.

Many thanks,
Chris

On Fri, 5 Mar 2010, Joseph Salowey (jsalowey) wrote:

> I just submitted draft -02 of draft-ietf-syslog-dtls.  Thanks to all the
> folks that submitted comments on the draft, I think I have incorporated
> them into the latest revision.  Here is a summary of the changes:
>
> 1. Reworked the introduction with helpful suggestions from Chris
> Lonvick.
> 2. Removed the definition of connection and made sure when the term is
> used it refers to a "DTLS connection"
> 3. Cleaned up text about security requirements
> 4. Cleaned up text in section 5.1
> 5. Removed some extraneous text from section 5.3
> 6. Added certificate fingerprint as an example of what can be stored to
> help correlate identity with sent and received data.
> 7. Fixed text on message size
> 8. Removed section on "Cryptographic level" because it was confusing and
> did not add anything.
> 9. Changed SYSLOG and Syslog to syslog where appropriate.
>
> I think the draft is ready to go to the IESG.
>
> Thanks,
>
> Joe
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
>

From rfgraveman@gmail.com  Fri Mar  5 15:37:00 2010
Return-Path: <rfgraveman@gmail.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 948F328C3FF for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:37:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6HEBW6AfIh4 for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:36:59 -0800 (PST)
Received: from mail-iw0-f183.google.com (mail-iw0-f183.google.com [209.85.223.183]) by core3.amsl.com (Postfix) with ESMTP id AEAEF3A87E7 for <syslog@ietf.org>; Fri,  5 Mar 2010 15:36:59 -0800 (PST)
Received: by iwn13 with SMTP id 13so3167554iwn.14 for <syslog@ietf.org>; Fri, 05 Mar 2010 15:36:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=j6sLg4zgcStYRwVw1grRGuwRmMHTlGEdbw1SlxgjUUg=; b=UvjPXLKNCFAtsGVpKOHVL7ispOGsU6fsLqF80Sn72dURZ4+EFxdn1Ze3d5mGfi1L98 ToI+GUazrHnNm172Zn8KM4wGuX29R+/t3DOOI9nCt3JLqqr7ptr1bzhkmNHF79szCysU 0wkGu7Byu+X1Aj5JBjhBqXmAASXM20jPtPRAo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=kMPjlunIBdQ9rExJKKo7JC1yvsqf0azSCpkqdaIWjPTe03js2lk6zlu+/yBUqE+GZV dyYHAvTZd8u5CY5DJYXzDXs2MhXPbwAeQB2Mkgof/elSusUf8Sb1g5g9AxaNH2n5/nqW 9uzSVKJlf7BnC4NWk1Q16kTxN+c9/xrydvaCU=
MIME-Version: 1.0
Received: by 10.231.148.205 with SMTP id q13mr425287ibv.47.1267832217700; Fri,  05 Mar 2010 15:36:57 -0800 (PST)
In-Reply-To: <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
Date: Fri, 5 Mar 2010 18:36:57 -0500
Message-ID: <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com>
From: Richard Graveman <rfgraveman@gmail.com>
To: Chris Lonvick <clonvick@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 23:37:00 -0000

Chris,

> I've looked over these changes and feel that they address the WGLC comments
> that were received.

I strongly disagree on several counts. First, the new document says:

   Transmission of syslog Messages over UDP [RFC5426] defines how to
   provide unreliable, non-secure datagram transport for syslog.  This
   transport is NOT RECOMMENDED.

NOT RECOMMENDED means SHOULD NOT implement. SHOULD NOT implement means
DEPRECATED. There was no WG discussion of deprecating RFC 5426.

In fact, in some cases, protocol security may not be needed, for a
variety of reasons. In other cases, security may already be provided
by, say, IPsec, required in IPv6.

Saying that the work completed just last year is deprecated without
any WG discussion is absurd.

Rich Graveman

From rfgraveman@gmail.com  Fri Mar  5 15:50:48 2010
Return-Path: <rfgraveman@gmail.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DA9C28C3FE for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:50:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06AI4bikTLGY for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 15:50:47 -0800 (PST)
Received: from mail-iw0-f183.google.com (mail-iw0-f183.google.com [209.85.223.183]) by core3.amsl.com (Postfix) with ESMTP id 548E928C386 for <syslog@ietf.org>; Fri,  5 Mar 2010 15:50:47 -0800 (PST)
Received: by iwn13 with SMTP id 13so3178684iwn.14 for <syslog@ietf.org>; Fri, 05 Mar 2010 15:50:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=4NmpTsL7+IeHYiOfyLRsyYoHzm3KUqfxXxILaXLiAdg=; b=X1ML+rp+yZd/WZWEltjivFLDS5wFrLto/VEj+Q+RQrrvncsNrfYt/pOtJAw2PHi1fl P2GDR7yXOQLRd6uDgJgKsxWSrtXuJCMRSoBS+ED0LuAPUlyJGfJCMoIBzdgfa/ra+dmt GLE4MXzBMevxvwowUk7Wg3EuekOh3YJJZcY0Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=kZJp6XtyBenSN3XJE+1u9nmlYENqcWxkLDiBTm6IhqqmcyuHlIkjZeEzlvpT0UKLqH xZsbATnKe2u5C2XK2geEcmN8OHh6iiY4EIQLTON0jZYJNCeaDFYjVm6QxYDofMX0XmYt xcuAvqn/DbmRdYny6yMNsjGa9LnIgenp0WWUM=
MIME-Version: 1.0
Received: by 10.231.167.204 with SMTP id r12mr434455iby.31.1267833047396; Fri,  05 Mar 2010 15:50:47 -0800 (PST)
In-Reply-To: <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
Date: Fri, 5 Mar 2010 18:50:47 -0500
Message-ID: <45c8c21a1003051550h32734387ob236cb1d3f5d3023@mail.gmail.com>
From: Richard Graveman <rfgraveman@gmail.com>
To: Chris Lonvick <clonvick@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 23:50:48 -0000

> I've looked over these changes and feel that they address the WGLC comments
> that were received.  I'd appreciate it if the people who did the reviews
> would also do a check.

The draft uses RFC 4347 as an essential component. RFC 5746 says:

   This extension also can be used with Datagram TLS (DTLS) [RFC4347].
   Although, for editorial simplicity, this document refers to TLS, all
   requirements in this document apply equally to DTLS.

Because the need for the extensions in 5746 is somewhat application
dependent, this application needs to say "use 5746" or "5746 does not
apply for the following reasons ... ".

Rich Graveman

From j.schoenwaelder@jacobs-university.de  Fri Mar  5 16:07:35 2010
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A5D7828C401 for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 16:07:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.216
X-Spam-Level: 
X-Spam-Status: No, score=-2.216 tagged_above=-999 required=5 tests=[AWL=0.033,  BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id huo0V+ExB3St for <syslog@core3.amsl.com>; Fri,  5 Mar 2010 16:07:34 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 4354628C3FA for <syslog@ietf.org>; Fri,  5 Mar 2010 16:07:34 -0800 (PST)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 969A5C0002; Sat,  6 Mar 2010 01:07:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id niUUrXsLKVrN; Sat,  6 Mar 2010 01:07:35 +0100 (CET)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 93559C0010; Sat,  6 Mar 2010 01:07:31 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 60DD210BB50D; Sat,  6 Mar 2010 01:07:31 +0100 (CET)
Date: Sat, 6 Mar 2010 01:07:31 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Richard Graveman <rfgraveman@gmail.com>
Message-ID: <20100306000731.GA415@elstar.local>
Mail-Followup-To: Richard Graveman <rfgraveman@gmail.com>, Chris Lonvick <clonvick@cisco.com>, "syslog@ietf.org" <syslog@ietf.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "syslog@ietf.org" <syslog@ietf.org>
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Mar 2010 00:07:35 -0000

On Sat, Mar 06, 2010 at 12:36:57AM +0100, Richard Graveman wrote:
> Chris,
> 
> > I've looked over these changes and feel that they address the WGLC comments
> > that were received.
> 
> I strongly disagree on several counts. First, the new document says:
> 
>    Transmission of syslog Messages over UDP [RFC5426] defines how to
>    provide unreliable, non-secure datagram transport for syslog.  This
>    transport is NOT RECOMMENDED.
> 
> NOT RECOMMENDED means SHOULD NOT implement. SHOULD NOT implement means
> DEPRECATED. There was no WG discussion of deprecating RFC 5426.
> 
> In fact, in some cases, protocol security may not be needed, for a
> variety of reasons. In other cases, security may already be provided
> by, say, IPsec, required in IPv6.
> 
> Saying that the work completed just last year is deprecated without
> any WG discussion is absurd.

I also do not see why this document should make any statements
concerning other transports. I still find the Introduction somewhat
confusing to read. Here is an attempt to rewrite it and shorten it:

--8<--

1.  Introduction

   The syslog protocol [RFC5424] is designed to run over different
   transports.  This document defines the transport of syslog messages
   over the datagram transport layer security protocol (DTLS)
   [RFC4347].

   The DTLS transport is designed to meet the requirements of
   deployments that need a secure datagram-based transport.  DTLS has
   been mapped onto different transport layer protocols, including UDP
   [RFC0768] and DCCP [RFC4340]. This memo defines both options,
   namely syslog over DTLS over UDP and syslog over DTLS over DCCP.
   The syslog over DTLS over DCCP option is recommended over the
   syslog over DTLS over UDP option in deployments where adequate
   resource sharing and congestion control is required.

--8<--

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From jsalowey@cisco.com  Fri Mar  5 16:18:03 2010
Date: Fri, 5 Mar 2010 16:18:02 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B825@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <45c8c21a1003051550h32734387ob236cb1d3f5d3023@mail.gmail.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051550h32734387ob236cb1d3f5d3023@mail.gmail.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Richard Graveman" <rfgraveman@gmail.com>, "Chris Lonvick (clonvick)" <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

> -----Original Message-----
> From: Richard Graveman [mailto:rfgraveman@gmail.com]
> Sent: Friday, March 05, 2010 3:51 PM
> To: Chris Lonvick (clonvick)
> Cc: Joseph Salowey (jsalowey); syslog@ietf.org
> Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
>
> > I've looked over these changes and feel that they address the WGLC comments
> > that were received.  I'd appreciate it if the people who did the reviews
> > would also do a check.
>
> The draft uses RFC 4347 as an essential component. RFC 5746 says:
>
>    This extension also can be used with Datagram TLS (DTLS) [RFC4347].
>    Although, for editorial simplicity, this document refers to TLS, all
>    requirements in this document apply equally to DTLS.
>
> Because the need for the extensions in 5746 is somewhat application
> dependent, this application needs to say "use 5746" or "5746 does not
> apply for the following reasons ... ".
>
[Joe] Good point, I think we should say renegotiation is not allowed and
5746 does not apply.  If we want to allow renegotiation then we need to
include some warnings about renegotiation and say use 5746.  I do not
think renegotiation is necessarily required for syslog.


> Rich Graveman

From rfgraveman@gmail.com  Fri Mar  5 16:21:51 2010
In-Reply-To: <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com>
Date: Fri, 5 Mar 2010 19:21:45 -0500
Message-ID: <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
From: Richard Graveman <rfgraveman@gmail.com>
To: Chris Lonvick <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

> I've looked over these changes and feel that they address the WGLC comments
> that were received.  I'd appreciate it if the people who did the reviews
> would also do a check.

Requiring certificates is a lot of extra baggage for worsened
security. All the commonly encountered certificates today are based on
signatures of weak hash functions, primarily SHA-1. Cipher suites
like:

0x00,0xA8     TLS_PSK_WITH_AES_128_GCM_SHA256          [RFC5487]
0x00,0xA9     TLS_PSK_WITH_AES_256_GCM_SHA384          [RFC5487]

do not suffer from the twin disease of weak and inefficient security
and ought to be an option, as Tschofenig and Eronen say in 4279:

      ... pre-shared keys may be more convenient from a key
      management point of view.  For instance, in closed environments
      where the connections are mostly configured manually in advance,
      it may be easier to configure a PSK than to use certificates.
      Another case is when the parties already have a mechanism for
      setting up a shared secret key, and that mechanism could be used
      to "bootstrap" a key for authenticating a TLS connection.

This is precisely the environment in which I would expect to find a
lot of syslog, as opposed to "TLS on the Web."

Rich Graveman
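
Rich's point that a PSK suite needs no certificate chain, and so no SHA-1 signature anywhere in the authentication path, can be seen from how the keys are derived. The following is an added example, not code from the draft or from any syslog implementation: it builds the RFC 4279 premaster secret from a pre-shared key, runs the TLS 1.2 PRF (RFC 5246; SHA-256 for the AES_128_GCM_SHA256 suite, SHA-384 for the AES_256_GCM_SHA384 suite per RFC 5487) to reach the 48-byte master secret, and derives the Finished verify_data with which each side proves knowledge of the PSK. The PSK, nonces and handshake transcript are constructed test data; `simulate_psk_handshake` is a name chosen for this example.

```python
"""PSK key establishment for TLS_PSK_WITH_AES_*_GCM_SHA* (RFC 4279 premaster
secret, RFC 5246 TLS 1.2 PRF).  Added example; not code from the draft or
from any syslog implementation.  All key material here is constructed."""
import hashlib
import hmac
import os
import struct


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279, Section 2: for the plain PSK key exchange the premaster
    secret is  uint16(N) || N zero octets || uint16(N) || PSK,  N = len(PSK).
    No public-key operation and no certificate is involved."""
    n = len(psk)
    if n == 0:
        raise ValueError("PSK must not be empty")
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def p_hash(secret: bytes, seed: bytes, length: int, digest) -> bytes:
    """P_hash expansion from RFC 5246, Section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, digest) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length, digest)


def master_secret(psk: bytes, client_random: bytes, server_random: bytes,
                  digest=hashlib.sha256) -> bytes:
    """48-byte master secret.  The PRF hash is the one named by the suite
    (SHA-256 for ..._SHA256, SHA-384 for ..._SHA384, RFC 5487)."""
    pre = psk_premaster_secret(psk)
    return tls12_prf(pre, b"master secret", client_random + server_random, 48, digest)


def finished_verify_data(master: bytes, label: bytes, handshake_transcript: bytes,
                         digest=hashlib.sha256) -> bytes:
    """verify_data of the Finished message (RFC 5246, Section 7.4.9), 12 bytes.
    Only a peer holding the same PSK can produce the expected value."""
    seed = digest(handshake_transcript).digest()
    return tls12_prf(master, label, seed, 12, digest)


def simulate_psk_handshake(client_psk: bytes, server_psk: bytes,
                           digest=hashlib.sha256) -> bool:
    """Both sides derive keys from their own copy of the PSK and the same
    nonces; return whether the server would accept the client's Finished."""
    client_random = os.urandom(32)  # constructed stand-ins for the Hello randoms
    server_random = os.urandom(32)
    transcript = b"ClientHello|ServerHello|ServerHelloDone|ClientKeyExchange"  # constructed
    client_ms = master_secret(client_psk, client_random, server_random, digest)
    server_ms = master_secret(server_psk, client_random, server_random, digest)
    client_fin = finished_verify_data(client_ms, b"client finished", transcript, digest)
    expected = finished_verify_data(server_ms, b"client finished", transcript, digest)
    return hmac.compare_digest(client_fin, expected)


if __name__ == "__main__":
    psk = os.urandom(32)  # constructed; a deployment provisions this out of band
    print("same PSK accepted:", simulate_psk_handshake(psk, psk))
    print("wrong PSK accepted:", simulate_psk_handshake(psk, os.urandom(32)))
    print("SHA-384 variant accepted:", simulate_psk_handshake(psk, psk, hashlib.sha384))
```

The premaster layout is what ties the two sides together: a receiver configured with a different PSK derives a different master secret and rejects the Finished message, with no certificate, signature or CA ever consulted.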

From j.schoenwaelder@jacobs-university.de  Fri Mar  5 16:25:44 2010
Date: Sat, 6 Mar 2010 01:25:44 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: syslog@ietf.org
Message-ID: <20100306002544.GB415@elstar.local>
Mail-Followup-To: syslog@ietf.org
References: <20100222165448.GB14118@elstar.local>
In-Reply-To: <20100222165448.GB14118@elstar.local>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [Syslog] js review of draft-ietf-syslog-dtls-01.txt

On Mon, Feb 22, 2010 at 05:54:48PM +0100, Juergen Schoenwaelder wrote:
 
>    Both transport receiver and transport sender implementations MUST
>    provide means to generate a key pair and self-signed certificate in
>    the case that a key pair and certificate are not available through
>    another mechanism.
> 
> I do not know what the idea behind this requirement is or how I comply with
> it. Is this expressing a requirement for the management interface of
> the box? Or is the idea that this is used in some automated fashion
> (which likely does not make sense but would be harmful if read this
> way).

This text seems to be unchanged in -02 and I still do not know how I
implement this MUST. On Unix systems, people use tools such as openssl
to create certificates etc. while a syslog implementation would
typically link against a DTLS library and would not have itself a
builtin option to create a self-signed certificate. So is this text
putting up an implementation requirement that a syslog daemon must
have a _built-in_ option to create a self-signed certificate? My
concern is that key / certificate management is something pretty
unrelated to the syslog over DTLS transport implementation itself and
hence it is somewhat unclear how to implement the MUST.

>    The transport receiver and transport sender SHOULD provide mechanisms
>    to record the end-entity certificate for the purpose of correlating
>    it with the sent or received data.
> 
> What is an end-entity certificate? And how do I correlate sent or
> received data?

The second part has been clarified in -02 but I still wonder what an
"end entity certificate" is. Probably this is meant:

   The transport receiver and transport sender SHOULD provide
   mechanisms to record the certificate or certificate fingerprint of
   the remote endpoint for the purpose of correlating an identity with
   the sent or received data.
 
>    [...] Once the transport receiver gets a close_notify from the
>    transport sender, it MUST reply with a close_notify.
> 
> Is it our job to define this? Does DTLS not specify how to handle
> such DTLS alerts?

I am still wondering why we need to specify this...

/js 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From jsalowey@cisco.com  Fri Mar  5 16:48:00 2010
Date: Fri, 5 Mar 2010 16:48:01 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B848@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Richard Graveman" <rfgraveman@gmail.com>, "Chris Lonvick (clonvick)" <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

The syslog over TLS document allows for certificates using full path
validation and certificate fingerprint matching.  The DTLS document
takes the same approach.  This may not fully address your SHA-1 concern,
but it does provide a mechanism to get things up and running without a
full PKI.

Also, the GCM cipher suites are not available in DTLS until we complete
DTLS 1.2.  Other PSK cipher suites could be implemented with DTLS and
syslog; the current draft does not restrict them.

Joe


> -----Original Message-----
> From: Richard Graveman [mailto:rfgraveman@gmail.com]
> Sent: Friday, March 05, 2010 4:22 PM
> To: Chris Lonvick (clonvick)
> Cc: Joseph Salowey (jsalowey); syslog@ietf.org
> Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
>
> > I've looked over these changes and feel that they address the WGLC comments
> > that were received.  I'd appreciate it if the people who did the reviews
> > would also do a check.
>
> Requiring certificates is a lot of extra baggage for worsened
> security. All the commonly encountered certificates today are based on
> signatures of weak hash functions, primarily SHA-1. Cipher suites
> like:
>
> 0x00,0xA8     TLS_PSK_WITH_AES_128_GCM_SHA256          [RFC5487]
> 0x00,0xA9     TLS_PSK_WITH_AES_256_GCM_SHA384          [RFC5487]
>
> do not suffer from the twin disease of weak and inefficient security
> and ought to be an option, as Tschofenig and Eronen say in 4279:
>
>       ... pre-shared keys may be more convenient from a key
>       management point of view.  For instance, in closed environments
>       where the connections are mostly configured manually in advance,
>       it may be easier to configure a PSK than to use certificates.
>       Another case is when the parties already have a mechanism for
>       setting up a shared secret key, and that mechanism could be used
>       to "bootstrap" a key for authenticating a TLS connection.
>
> This is precisely the environment in which I would expect to find a
> lot of syslog, as opposed to "TLS on the Web."
>
> Rich Graveman

From jsalowey@cisco.com  Fri Mar  5 17:01:30 2010
Date: Fri, 5 Mar 2010 17:01:30 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B853@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <20100306002544.GB415@elstar.local>
References: <20100222165448.GB14118@elstar.local> <20100306002544.GB415@elstar.local>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>, <syslog@ietf.org>
Subject: Re: [Syslog] js review of draft-ietf-syslog-dtls-01.txt

> -----Original Message-----
> From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf
> Of Juergen Schoenwaelder
> Sent: Friday, March 05, 2010 4:26 PM
> To: syslog@ietf.org
> Subject: Re: [Syslog] js review of draft-ietf-syslog-dtls-01.txt
>
> On Mon, Feb 22, 2010 at 05:54:48PM +0100, Juergen Schoenwaelder wrote:
>
> >    Both transport receiver and transport sender implementations MUST
> >    provide means to generate a key pair and self-signed certificate in
> >    the case that a key pair and certificate are not available through
> >    another mechanism.
> >
> > I do not know what the idea behind this requirement is or how I comply with
> > it. Is this expressing a requirement for the management interface of
> > the box? Or is the idea that this is used in some automated fashion
> > (which likely does not make sense but would be harmful if read this
> > way).
>
> This text seems to be unchanged in -02 and I still do not know how I
> implement this MUST. On Unix systems, people use tools such as openssl
> to create certificates etc. while a syslog implementation would
> typically link against a DTLS library and would not have itself a
> builtin option to create a self-signed certificate. So is this text
> putting up an implementation requirement that a syslog daemon must
> have a _built-in_ option to create a self-signed certificate? My
> concern is that key / certificate management is something pretty
> unrelated to the syslog over DTLS transport implementation itself and
> hence it is somewhat unclear how to implement the MUST.
>
[Joe] There was some discussion of this on the list. The conclusion was
that this was not a GUI requirement but could be met by a script to
generate a certificate and configure its use, which didn't seem onerous to
implementers.  The same text is in the syslog TLS RFC.

> >    The transport receiver and transport sender SHOULD provide mechanisms
> >    to record the end-entity certificate for the purpose of correlating
> >    it with the sent or received data.
> >
> > What is an end-entity certificate? And how do I correlate sent or
> > received data?
>
> The second part has been clarified in -02 but I still wonder what an
> "end entity certificate" is. Probably this is meant:
>
>    The transport receiver and transport sender SHOULD provide
>    mechanisms to record the certificate or certificate fingerprint of
>    the remote endpoint for the purpose of correlating an identity with
>    the sent or received data.
>
[Joe] End entity is RFC 5280 terminology.  It refers to the owner of the
public key that is used in the authentication versus a certificate
authority that signs certificates.

> >    [...] Once the transport receiver gets a close_notify from the
> >    transport sender, it MUST reply with a close_notify.
> >
> > Is it our job to define this? Does DTLS not specify how to handle
> > such DTLS alerts?
>
> I am still wondering why we need to specify this...
>
[Joe] This is the same text as we used in the syslog TLS document. That
being said it is likely redundant.

> /js
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog

From clonvick@cisco.com  Sun Mar  7 07:03:12 2010
Date: Sun, 7 Mar 2010 07:03:15 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: Richard Graveman <rfgraveman@gmail.com>
In-Reply-To: <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com>
Message-ID: <Pine.GSO.4.63.1003070649070.2650@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

Hi Rich,

Yeah; we got a little overzealous on that.  Let's try this:

    Transmission of syslog Messages over UDP [RFC5426] defines how to
    provide unreliable, non-secure datagram transport for syslog.  This
    transport should only be used as described in Section 4.3 of [RFC5426].

Thanks,
Chris

On Fri, 5 Mar 2010, Richard Graveman wrote:

> Chris,
>
>> I've looked over these changes and feel that they address the WGLC comments
>> that were received.
>
> I strongly disagree on several counts. First, the new document says:
>
>   Transmission of syslog Messages over UDP [RFC5426] defines how to
>   provide unreliable, non-secure datagram transport for syslog.  This
>   transport is NOT RECOMMENDED.
>
> NOT RECOMMENDED means SHOULD NOT implement. SHOULD NOT implement means
> DEPRECATED. There was no WG discussion of deprecating RFC 5426.
>
> In fact, in some cases, protocol security may not be needed, for a
> variety of reasons. In other cases, security may already be provided
> by, say, IPsec, required in IPv6.
>
> Saying that the work completed just last year is deprecated without
> any WG discussion is absurd.
>
> Rich Graveman
>

From rfgraveman@gmail.com  Sun Mar  7 10:19:40 2010
In-Reply-To: <Pine.GSO.4.63.1003070649070.2650@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051536l738c036eu59cf4f1a089d5218@mail.gmail.com> <Pine.GSO.4.63.1003070649070.2650@sjc-cde-011.cisco.com>
Date: Sun, 7 Mar 2010 13:17:49 -0500
Message-ID: <45c8c21a1003071017j4afd5653n8e191f0e0efd3e89@mail.gmail.com>
From: Richard Graveman <rfgraveman@gmail.com>
To: Chris Lonvick <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02

Thanks, Chris.

That works.

Rich


On Sun, Mar 7, 2010 at 10:03 AM, Chris Lonvick <clonvick@cisco.com> wrote:
> Hi Rich,
>
> Yeah; we got a little overzealous on that.  Let's try this:
>
>    Transmission of syslog Messages over UDP [RFC5426] defines how to
>    provide unreliable, non-secure datagram transport for syslog.  This
>    transport should only be used as described in Section 4.3 of [RFC5426].
>
> Thanks,
> Chris
>
> On Fri, 5 Mar 2010, Richard Graveman wrote:
>
>> Chris,
>>
>>> I've looked over these changes and feel that they address the WGLC
>>> comments
>>> that were received.
>>
>> I strongly disagree on several counts. First, the new document says:
>>
>>  Transmission of syslog Messages over UDP [RFC5426] defines how to
>>  provide unreliable, non-secure datagram transport for syslog.  This
>>  transport is NOT RECOMMENDED.
>>
>> NOT RECOMMENDED means SHOULD NOT implement. SHOULD NOT implement means
>> DEPRECATED. There was no WG discussion of deprecating RFC 5426.
>>
>> In fact, in some cases, protocol security may not be needed, for a
>> variety of reasons. In other cases, security may already be provided
>> by, say, IPsec, required in IPv6.
>>
>> Saying that the work completed just last year is deprecated without
>> any WG discussion is absurd.
>>
>> Rich Graveman
>>
>

From jsalowey@cisco.com  Sun Mar  7 14:29:25 2010
Date: Sun, 7 Mar 2010 14:29:25 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509C5B96D@xmb-sjc-225.amer.cisco.com>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: <syslog@ietf.org>
Subject: [Syslog] DTLS renegotiation
X-List-Received-Date: Sun, 07 Mar 2010 22:29:25 -0000

Richard pointed out that we should cover issues with DTLS renegotiation.
Recently, as you may have been aware, there have been vulnerabilities
discovered with TLS renegotiation.  In general, DTLS tends to be less
vulnerable to the attacks described, but there still can be issues.
During renegotiation new parameters can be renegotiated for the
connection and, with most libraries, the application does not know that
a change occurred.  In general I think it would be best to avoid
renegotiation; however, this means that in the case of extremely
long-lived connections the connection will need to be broken and started
again at some point.

Below is the text I suggest adding to the security considerations of the
document.


8.1 DTLS Renegotiation

TLS and DTLS renegotiation may be vulnerable to attacks described in RFC
5746.  Although RFC 5746 provides a fix for some of the issues,
renegotiation can still cause problems for applications since connection
security parameters can change without the application knowing it.
Therefore it is RECOMMENDED that renegotiation be disabled for syslog
over DTLS.  If, for some reason, renegotiation is allowed then the
specification in RFC 5746 MUST be followed and the implementation MUST
make sure that the connection security parameters do not change during
renegotiation.
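The two MUSTs in the proposed text, as an added example that is not part of the draft or of any DTLS library: a receiver that permits renegotiation is required to follow RFC 5746, and the first thing it can check is whether the peer even advertises RFC 5746 support, via the TLS_EMPTY_RENEGOTIATION_INFO_SCSV value (0x00FF) in its cipher suite list or the renegotiation_info extension (type 0xFF01). The parser below reads a single unfragmented DTLS ClientHello record using the record and handshake layouts of RFC 6347, and `parameters_unchanged` models the second requirement, that the security parameters after a renegotiation must equal those before it. The ClientHello bytes, the all-zero random and the cookie are constructed test inputs; the field names in `PINNED_PARAMETERS` are this example's own.

```python
"""Added example: check a DTLS ClientHello for the RFC 5746 secure renegotiation
signal, and check that a renegotiation changed no pinned security parameter.
Not code from the draft or any DTLS library; wire layouts follow RFC 6347."""
import struct

HANDSHAKE = 22            # DTLS record content type
CLIENT_HELLO = 1          # handshake message type
DTLS_1_2 = 0xFEFD         # DTLS 1.2 version as sent on the wire
SCSV = 0x00FF             # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEG_INFO_EXT = 0xFF01   # renegotiation_info extension type (RFC 5746)
PINNED_PARAMETERS = ("version", "cipher_suite", "peer_fingerprint")  # example's own names

class ParseError(ValueError):
    """Malformed or truncated input: the receiver should drop the datagram."""

def _take(buf, off, n):
    """Slice buf[off:off+n], raising instead of silently returning fewer bytes."""
    if off + n > len(buf):
        raise ParseError("truncated at offset %d" % off)
    return buf[off:off + n]

def parse_dtls_client_hello(rec):
    """Parse one unfragmented DTLS ClientHello record into its fields."""
    # Record header: type(1) version(2) epoch(2) sequence(6) length(2)
    ctype, _ver, _epoch, _seq, rlen = struct.unpack("!BHH6sH", _take(rec, 0, 13))
    if ctype != HANDSHAKE or rlen != len(rec) - 13:
        raise ParseError("not a well-formed handshake record")
    off = 13
    # Handshake header: type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)
    mtype = _take(rec, off, 1)[0]
    mlen = int.from_bytes(_take(rec, off + 1, 3), "big")
    frag_off = int.from_bytes(_take(rec, off + 6, 3), "big")
    frag_len = int.from_bytes(_take(rec, off + 9, 3), "big")
    off += 12
    if mtype != CLIENT_HELLO:
        raise ParseError("not a ClientHello")
    if frag_off != 0 or frag_len != mlen or off + mlen != len(rec):
        raise ParseError("fragmented or mis-sized ClientHello")
    version = struct.unpack("!H", _take(rec, off, 2))[0]
    off += 2 + 32                                   # skip client_random
    off += 1 + _take(rec, off, 1)[0]                # skip session_id
    cookie_len = _take(rec, off, 1)[0]
    cookie = _take(rec, off + 1, cookie_len)
    off += 1 + cookie_len
    cs_len = struct.unpack("!H", _take(rec, off, 2))[0]
    if cs_len % 2:
        raise ParseError("odd cipher_suites length")
    raw = _take(rec, off + 2, cs_len)
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    off += 2 + cs_len
    off += 1 + _take(rec, off, 1)[0]                # skip compression_methods
    extensions = []
    if off < len(rec):                              # extensions block is optional
        ext_len = struct.unpack("!H", _take(rec, off, 2))[0]
        off += 2
        if off + ext_len != len(rec):
            raise ParseError("extensions length mismatch")
        while off < len(rec):
            etype, elen = struct.unpack("!HH", _take(rec, off, 4))
            extensions.append((etype, _take(rec, off + 4, elen)))
            off += 4 + elen
    return {"version": version, "cookie": cookie,
            "cipher_suites": suites, "extensions": extensions}

def signals_secure_renegotiation(rec):
    """True if the peer advertises RFC 5746 via the SCSV or the extension."""
    info = parse_dtls_client_hello(rec)
    return SCSV in info["cipher_suites"] or any(t == RENEG_INFO_EXT for t, _ in info["extensions"])

def is_well_formed(rec):
    """Boolean form of the parser for callers that only want to drop bad datagrams."""
    try:
        parse_dtls_client_hello(rec)
        return True
    except ParseError:
        return False

def parameters_unchanged(before, after):
    """Post-renegotiation check: every pinned security parameter must be identical."""
    return all(before.get(k) == after.get(k) for k in PINNED_PARAMETERS)

def build_client_hello(cipher_suites, extensions=(), cookie=b""):
    """Constructed sample ClientHello (all-zero random) for exercising the parser."""
    body = struct.pack("!H", DTLS_1_2) + bytes(32) + b"\x00"       # version, random, empty session_id
    body += bytes([len(cookie)]) + cookie
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = (bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + b"\x00\x00"
          + bytes(3) + len(body).to_bytes(3, "big") + body)
    return struct.pack("!BHH6sH", HANDSHAKE, DTLS_1_2, 0, bytes(6), len(hs)) + hs
```

A receiver that has disabled renegotiation, as the text recommends, needs only the first check at connection setup; a receiver that allows it should additionally snapshot the negotiated version, cipher suite and peer certificate fingerprint after the initial handshake and run `parameters_unchanged` against the values seen after every renegotiation, closing the association on any difference.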

From cfinss@dial.pipex.com  Mon Mar  8 08:01:05 2010
Message-ID: <000b01cabed0$00424ae0$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com>, "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>, "syslog" <syslog@ietf.org>
References: <20100222165448.GB14118@elstar.local><20100306002544.GB415@elstar.local> <AC1CFD94F59A264488DC2BEC3E890DE509C5B853@xmb-sjc-225.amer.cisco.com>
Date: Mon, 8 Mar 2010 15:34:41 +0100
Subject: Re: [Syslog] js review of draft-ietf-syslog-dtls-01.txt
X-List-Received-Date: Mon, 08 Mar 2010 16:01:05 -0000

----- Original Message -----
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
<syslog@ietf.org>
Sent: Saturday, March 06, 2010 2:01 AM

> > -----Original Message-----
> > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf
> > Of Juergen Schoenwaelder
> > Sent: Friday, March 05, 2010 4:26 PM
> > On Mon, Feb 22, 2010 at 05:54:48PM +0100, Juergen Schoenwaelder wrote:
> >
> > >    Both transport receiver and transport sender implementations MUST
> > >    provide means to generate a key pair and self-signed certificate in
> > >    the case that a key pair and certificate are not available through
> > >    another mechanism.
> > >
> > > I do not know what the idea behind this requirement is or how I comply
> > > with it. Is this expressing a requirement for the management interface
> > > of the box? Or is the idea that this is used in some automated fashion
> > > (which likely does not make sense but would be harmful if read this
> > > way).
> >
> > This text seems to be unchanged in -02 and I still do not know how I
> > implement this MUST. On Unix systems, people use tools such as openssl
> > to create certificates etc. while a syslog implementation would
> > typically link against a DTLS library and would not have itself a
> > builtin option to create a self-signed certificate. So is this text
> > putting up an implementation requirement that a syslog daemon must
> > have a _built-in_ option to create a self-signed certificate? My
> > concern is that key / certificate management is something pretty
> > unrelated to the syslog over DTLS transport implementation itself and
> > hence it is somewhat unclear how to implement the MUST.
> >
> [Joe] There was some discussion of this on the list. The conclusion was
> that this was not a GUI requirement but could be met by a script to
> generate a certificate and configure its use, which didn't seem onerous to
> implementers.  The same text is in the syslog TLS RFC.

The key point is
"The same text is in the syslog TLS RFC.  "
We established consensus on this and got it accepted by all parties (IETF, IESG
etc) so there needs to be a very good reason to change it, and I have not yet
heard one.

> > >    The transport receiver and transport sender SHOULD provide mechanisms
> > >    to record the end-entity certificate for the purpose of correlating
> > >    it with the sent or received data.
> > >
> > > What is an end-entity certificate? And how do I correlate sent or
> > > received data?
> >
> > The second part has been clarified in -02 but I still wonder what an
> > "end entity certificate" is. Probably this is meant:
> >
> >    The transport receiver and transport sender SHOULD provide
> >    mechanisms to record the certificate or certificate fingerprint of
> >    the remote endpoint for the purpose of correlating an identity with
> >    the sent or received data.
> >
> [Joe] End entity is RFC 5280 terminology.  It refers to the owner of the
> public key that is used in the authentication versus a certificate
> authority that signs certificates.
>
> > >    [...] Once the transport receiver gets a close_notify from the
> > >    transport sender, it MUST reply with a close_notify.
> > >
> > > Is it our job to define this? Does DTLS not specify how to handle
> > > such DTLS alerts?
> >
> > I am still wondering why we need to specify this...
> >
> [Joe] This is the same text as we used in the syslog TLS document. That
> being said it is likely redundant.

The key point is 
"This is the same text as we used in the syslog TLS document.  "
We established consensus on this and got it accepted by all parties (IETF, IESG
etc) so there needs to be a very good reason to change it, and I have not yet
heard one.

Tom Petch

> > /js
> > --
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> > Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>


From j.schoenwaelder@jacobs-university.de  Mon Mar  8 08:35:16 2010
Date: Mon, 8 Mar 2010 17:35:09 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "tom.petch" <cfinss@dial.pipex.com>
Message-ID: <20100308163509.GA3386@elstar.local>
Mail-Followup-To: "tom.petch" <cfinss@dial.pipex.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog <syslog@ietf.org>
References: <20100222165448.GB14118@elstar.local> <20100306002544.GB415@elstar.local> <AC1CFD94F59A264488DC2BEC3E890DE509C5B853@xmb-sjc-225.amer.cisco.com> <000b01cabed0$00424ae0$0601a8c0@allison>
In-Reply-To: <000b01cabed0$00424ae0$0601a8c0@allison>
Cc: syslog <syslog@ietf.org>
Subject: Re: [Syslog] js review of draft-ietf-syslog-dtls-01.txt
X-List-Received-Date: Mon, 08 Mar 2010 16:35:16 -0000

On Mon, Mar 08, 2010 at 03:34:41PM +0100, tom.petch wrote:
> ----- Original Message -----
> From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
> To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
> <syslog@ietf.org>
> Sent: Saturday, March 06, 2010 2:01 AM
> 
> > > -----Original Message-----
> > > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf
> > > Of Juergen Schoenwaelder
> > > Sent: Friday, March 05, 2010 4:26 PM
> > > On Mon, Feb 22, 2010 at 05:54:48PM +0100, Juergen Schoenwaelder wrote:
> > >
> > > >    Both transport receiver and transport sender implementations MUST
> > > >    provide means to generate a key pair and self-signed certificate in
> > > >    the case that a key pair and certificate are not available through
> > > >    another mechanism.
> > > >
> > > > I do not know what the idea behind this requirement is or how I comply
> > > > with it. Is this expressing a requirement for the management interface
> > > > of the box? Or is the idea that this is used in some automated fashion
> > > > (which likely does not make sense but would be harmful if read this
> > > > way).
> > >
> > > This text seems to be unchanged in -02 and I still do not know how I
> > > implement this MUST. On Unix systems, people use tools such as openssl
> > > to create certificates etc. while a syslog implementation would
> > > typically link against a DTLS library and would not have itself a
> > > builtin option to create a self-signed certificate. So is this text
> > > putting up an implementation requirement that a syslog daemon must
> > > have a _built-in_ option to create a self-signed certificate? My
> > > concern is that key / certificate management is something pretty
> > > unrelated to the syslog over DTLS transport implementation itself and
> > > hence it is somewhat unclear how to implement the MUST.
> > >
> > [Joe] There was some discussion of this on the list. The conclusion was
> > that this was not a GUI requirement but could be met by a script to
> > generate a certificate and configure its use, which didn't seem onerous to
> > implementers.  The same text is in the syslog TLS RFC.
> 
> The key point is
> "The same text is in the syslog TLS RFC.  "
> We established consensus on this and got it accepted by all parties
> (IETF, IESG etc) so there needs to be a very good reason to change
> it, and I have not yet heard one.

I am not convinced by the argument but I will shut up.

> > > >    The transport receiver and transport sender SHOULD provide mechanisms
> > > >    to record the end-entity certificate for the purpose of correlating
> > > >    it with the sent or received data.
> > > >
> > > > What is an end-entity certificate? And how do I correlate sent or
> > > > received data?
> > >
> > > The second part has been clarified in -02 but I still wonder what an
> > > "end entity certificate" is. Probably this is meant:
> > >
> > >    The transport receiver and transport sender SHOULD provide
> > >    mechanisms to record the certificate or certificate fingerprint of
> > >    the remote endpoint for the purpose of correlating an identity with
> > >    the sent or received data.
> > >
> > [Joe] End entity is RFC 5280 terminology.  It refers to the owner of the
> > public key that is used in the authentication versus a certificate
> > authority that signs certificates.
> >
> > > >    [...] Once the transport receiver gets a close_notify from the
> > > >    transport sender, it MUST reply with a close_notify.
> > > >
> > > > Is it our job to define this? Does DTLS not specify how to handle
> > > > such DTLS alerts?
> > >
> > > I am still wondering why we need to specify this...
> > >
> > [Joe] This is the same text as we used in the syslog TLS document. That
> > being said it is likely redundant.
> 
> The key point is 
> "This is the same text as we used in the syslog TLS document.  "
> We established consensus on this and got it accepted by all parties (IETF, IESG
> etc) so there needs to be a very good reason to change it, and I have not yet
> heard one.

Same as above. It is just good to receive an answer to points raised.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From clonvick@cisco.com  Mon Mar  8 10:49:48 2010
Date: Mon, 8 Mar 2010 10:49:51 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: Richard Graveman <rfgraveman@gmail.com>
In-Reply-To: <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
Message-ID: <Pine.GSO.4.63.1003080912480.21786@sjc-cde-011.cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B555@xmb-sjc-225.amer.cisco.com> <Pine.GSO.4.63.1003051448070.17566@sjc-cde-011.cisco.com> <45c8c21a1003051621w5f851e3q7fcb93af0050d8d8@mail.gmail.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02
X-List-Received-Date: Mon, 08 Mar 2010 18:49:48 -0000


Hi Rich,

I appreciate the review.

RFC 4279 also says:
=====
    The ciphersuites defined in this document are intended for a rather
    limited set of applications, usually involving only a very small
    number of clients and servers.  Even in such environments, other
    alternatives may be more appropriate.

    If the main goal is to avoid Public-Key Infrastructures (PKIs),
    another possibility worth considering is using self-signed
    certificates with public key fingerprints.  Instead of manually
    configuring a shared secret in, for instance, some configuration
    file, a fingerprint (hash) of the other party's public key (or
    certificate) could be placed there instead.
=====
This is why we have the parts in there about "MUST be able to generate a
self-signed cert" (identical language to RFC 5425), and the use of
fingerprints (reference back to 5425).

I understand what you're saying about SHA-1, however I don't think that
will be an issue since the signature on the certificate is not even
verified if you use fingerprints.  I'll also back up and say that I haven't
seen the IESG give specific guidance about not using SHA-1.

Thanks,
Chris


On Fri, 5 Mar 2010, Richard Graveman wrote:

>> I've looked over these changes and feel that they address the WGLC comments
>> that were received.  I'd appreciate it if the people who did the reviews
>> would also do a check.
>
> Requiring certificates is a lot of extra baggage for worsened
> security. All the commonly encountered certificates today are based on
> signatures of weak hash functions, primarily SHA-1. Cipher suites
> like:
>
> 0x00,0xA8     TLS_PSK_WITH_AES_128_GCM_SHA256          [RFC5487]
> 0x00,0xA9     TLS_PSK_WITH_AES_256_GCM_SHA384          [RFC5487]
>
> do not suffer from the twin disease of weak and inefficient security
> and ought to be an option, as Tschofenig and Eronen say in 4279:
>
>      ... pre-shared keys may be more convenient from a key
>      management point of view.  For instance, in closed environments
>      where the connections are mostly configured manually in advance,
>      it may be easier to configure a PSK than to use certificates.
>      Another case is when the parties already have a mechanism for
>      setting up a shared secret key, and that mechanism could be used
>      to "bootstrap" a key for authenticating a TLS connection.
>
> This is precisely the environment in which I would expect to find a
> lot of syslog, as opposed to "TLS on the Web."
>
> Rich Graveman
>
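Chris's point above, that a receiver which pins fingerprints never verifies the certificate's own signature, as an added example that is not code from the draft, RFC 5425, RFC 4279 or any TLS library: the trust decision rests entirely on the SHA-256 fingerprint the operator configured, so the hash used in the certificate's signature (SHA-1 or otherwise) plays no part in it. The block pins a peer by fingerprint with a constant-time comparison and, separately, walks just enough DER to read Certificate.signatureAlgorithm so an operator can still report which hash signed the certificate. The "certificates" it builds are constructed toy DER structures with the real sha1WithRSAEncryption and sha256WithRSAEncryption OIDs, not valid X.509 certificates, and `build_toy_certificate` is this example's own helper.

```python
"""Added example: fingerprint pinning of a self-signed peer certificate, plus a
report of the signature hash that pinning deliberately ignores.  Not code from
the draft or any TLS library; the DER inputs are constructed toy structures."""
import hashlib
import hmac

WEAK_SIGNATURE_OIDS = {                     # signature algorithms built on MD5 or SHA-1
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA_OID = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11

def fingerprint(der):
    """SHA-256 over the DER certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def peer_is_pinned(der, allowed):
    """Accept the peer only if its fingerprint is in the configured allowlist.
    hmac.compare_digest keeps the comparison time independent of where it differs."""
    fp = fingerprint(der)
    return any(hmac.compare_digest(fp, a.upper()) for a in allowed)

def _read_tlv(buf, off):
    """Decode one DER tag-length-value; return (tag, value, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or off + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def _decode_oid(raw):
    """DER OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (second element of the outer SEQUENCE)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, off = _read_tlv(cert, 0)       # tbsCertificate, skipped
    tag, alg, _ = _read_tlv(cert, off)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def signed_with_weak_hash(der):
    """Name of the weak algorithm if the certificate's signature uses one, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm(der))

def _tlv(tag, body):
    """Minimal DER encoder for the constructed samples (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_toy_certificate(sig_oid_bytes, serial=1):
    """Constructed stand-in for a DER certificate: SEQUENCE { tbs, sigAlg, sig }.
    Not a real X.509 certificate; only the outer layout matters here."""
    tbs = _tlv(0x30, _tlv(0x02, bytes([serial])) + _tlv(0x0C, b"toy syslog sender"))
    sig_alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 128)   # placeholder signature bits
    return _tlv(0x30, tbs + sig_alg + sig)
```

In a receiver, `peer_is_pinned` is the whole authentication step for fingerprint-configured senders; `signed_with_weak_hash` is reporting only, useful when the same certificate is also presented to PKI-validating peers, where the signature hash does matter.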

From clonvick@cisco.com  Mon Mar  8 13:53:00 2010
Date: Mon, 8 Mar 2010 13:52:45 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: "tom.petch" <cfinss@dial.pipex.com>
In-Reply-To: <007301ca9f74$d7dba800$0601a8c0@allison>
Message-ID: <Pine.GSO.4.63.1003081346330.21786@sjc-cde-011.cisco.com>
References: <Pine.GSO.4.63.1001260614300.6144@sjc-cde-011.cisco.com> <007301ca9f74$d7dba800$0601a8c0@allison>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
X-List-Received-Date: Mon, 08 Mar 2010 21:53:00 -0000

Hi Tom,

I got all excited about the next version of draft-ietf-syslog-dtls getting 
in before the cutoff time that I went ahead and edited plain-tcp.  :-)

Comments in-line.

On Wed, 27 Jan 2010, tom.petch wrote:

> Review comments on tcp-01 (as the subject line says:-)
>
> What is the intended status?  The I-D does not say; I would aim for Standards
> Track.

CML> Yup.  Now it says Standards Track.

>
> s.3
> "Traditional    TCP implementations do not use any backchannel mechanism "
> suggest
> "Traditional implementations of syslog over TCP do not use any backchannel
> mechanism "

CML> Sounds good.

>
> "abilities of TCP"
> suggest
> "capabilities of TCP"

CML> Good.

>
> s3.3
> I think that the ABNF rules should be amended so that the rule with
> =
> comes before the rule with
> =/

CML> Makes sense.

>
> Add at the end
>
> "   SYSLOG-MSG is defined in the syslog protocol [RFC5424]."

CML> Added.

>
> A.2
> %d10 is LF not NL; I do not know which you mean.

CML> I've seen it called both.  I'm trying to track down a normative 
reference.  Do you have one?  Till then, I'm going to leave it as NL 
(%d10).  [Pending review by Rainer.]

>
> And, perhaps the most important, somewhere I think you should cover the nature
> of TCP; give it a message and it will buffer it, may be for days, and then lose
> it because the connection is taken down.  Should you recommend the use of PSH
> for all messages?

CML> I added a paragraph near the end of the Introduction about that. 
(Which I have not run by Rainer yet. :)  Let me know if that's what you 
were thinking about.

CML> We appreciate the review.  The updated draft should be out soon and 
I'll ask for another review of it rsn.

Thanks,
Chris

>
> Tom Petch
>
> ----- Original Message -----
> From: "Chris Lonvick" <clonvick@cisco.com>
> To: <syslog@ietf.org>
> Sent: Tuesday, January 26, 2010 7:24 PM
> Subject: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
>
>
>> Hi Folks,
>>
>
>

From root@core3.amsl.com  Mon Mar  8 14:15:03 2010
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Message-Id: <20100308221502.EFC173A6A45@core3.amsl.com>
Date: Mon,  8 Mar 2010 14:15:02 -0800 (PST)
Cc: syslog@ietf.org
Subject: [Syslog] I-D Action:draft-ietf-syslog-dtls-03.txt
X-List-Received-Date: Mon, 08 Mar 2010 22:15:03 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.


	Title           : Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
	Author(s)       : J. Salowey, et al.
	Filename        : draft-ietf-syslog-dtls-03.txt
	Pages           : 18
	Date            : 2010-03-08

This document describes the transport of syslog messages over DTLS
(Datagram Transport Level Security).  It provides a secure transport
for syslog messages in cases where a connection-less transport is
desired.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-syslog-dtls-03.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2010-03-08140025.I-D@ietf.org>


--NextPart--

From clonvick@cisco.com  Mon Mar  8 20:16:05 2010
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 704363A67EC for <syslog@core3.amsl.com>; Mon,  8 Mar 2010 20:16:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.535
X-Spam-Level: 
X-Spam-Status: No, score=-10.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k-0YXBiHAevG for <syslog@core3.amsl.com>; Mon,  8 Mar 2010 20:16:02 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 6722F3A67DF for <syslog@ietf.org>; Mon,  8 Mar 2010 20:16:02 -0800 (PST)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjsFAIpalUurRN+J/2dsb2JhbACPQgGLbnOhAJhdhHgEgxc
X-IronPort-AV: E=Sophos;i="4.49,605,1262563200"; d="scan'208";a="306644639"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-1.cisco.com with ESMTP; 09 Mar 2010 04:16:06 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o294G6sP027121 for <syslog@ietf.org>; Tue, 9 Mar 2010 04:16:06 GMT
Date: Mon, 8 Mar 2010 20:16:06 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.1003081958050.24461@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: [Syslog] Latest syslog/dtls draft - please review
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 04:16:05 -0000

Hi Folks,

Joe got an updated draft in under the deadline.  :-)

We've had a lot of discussion over the past few days about the issues 
raised in the WGLC and Joe worked hard to address them with new text. 
Would everyone please review this revision and send comments back to the 
list?  Please send comments back even to say that you've reviewed and have 
no issues with the new text.

The document is here:
http://tools.ietf.org/html/draft-ietf-syslog-dtls-03
And the diffs from -02 to -03 are here:
http://tools.ietf.org/wg/syslog/draft-ietf-syslog-dtls/draft-ietf-syslog-dtls-03-from-02.diff.html

Many thanks,
Chris

From j.schoenwaelder@jacobs-university.de  Tue Mar  9 00:04:46 2010
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D91333A6862 for <syslog@core3.amsl.com>; Tue,  9 Mar 2010 00:04:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.193
X-Spam-Level: 
X-Spam-Status: No, score=-2.193 tagged_above=-999 required=5 tests=[AWL=0.056,  BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7LfEGhiyo6T for <syslog@core3.amsl.com>; Tue,  9 Mar 2010 00:04:46 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id E3B383A67EE for <syslog@ietf.org>; Tue,  9 Mar 2010 00:04:45 -0800 (PST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 04242C000A; Tue,  9 Mar 2010 09:04:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id XnVffnlCY0Cm; Tue,  9 Mar 2010 09:04:49 +0100 (CET)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id D39ECC0007; Tue,  9 Mar 2010 09:04:48 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 8AEEF10C3C25; Tue,  9 Mar 2010 09:04:47 +0100 (CET)
Date: Tue, 9 Mar 2010 09:04:47 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Chris Lonvick <clonvick@cisco.com>
Message-ID: <20100309080447.GB5248@elstar.local>
Mail-Followup-To: Chris Lonvick <clonvick@cisco.com>, "syslog@ietf.org" <syslog@ietf.org>
References: <Pine.GSO.4.63.1003081958050.24461@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.63.1003081958050.24461@sjc-cde-011.cisco.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "syslog@ietf.org" <syslog@ietf.org>
Subject: Re: [Syslog] Latest syslog/dtls draft - please review
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 08:04:46 -0000

On Tue, Mar 09, 2010 at 05:16:06AM +0100, Chris Lonvick wrote:
 
> Joe got an updated draft in under the deadline.  :-)
> 
> We've had a lot of discussion over the past few days about the issues 
> raised in the WGLC and Joe worked hard to address them with new text. 
> Would everyone please review this revision and send comments back to the 
> list?  Please send comments back even to say that you've reviewed and have 
> no issues with the new text.

The changes look good to me. There is a small editorial nit that
slipped in (just in case another rev is needed):

s/Denial of Service Denial of service/Denial of service/

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From clonvick@cisco.com  Tue Mar  9 14:06:01 2010
Return-Path: <clonvick@cisco.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E4A663A698D for <syslog@core3.amsl.com>; Tue,  9 Mar 2010 14:06:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.543
X-Spam-Level: 
X-Spam-Status: No, score=-10.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFFrFP17ds8g for <syslog@core3.amsl.com>; Tue,  9 Mar 2010 14:06:00 -0800 (PST)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id E97FC3A6837 for <syslog@ietf.org>; Tue,  9 Mar 2010 14:05:59 -0800 (PST)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-Files: None : None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: As8GAJ9UlkurRN+K/2dsb2JhbACDC4wBAYt2c6UKiCeQcIJOgUFqBIMX
X-IronPort-AV: E=Sophos;i="4.49,610,1262563200";  d="p7s'?scan'208";a="163166719"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-5.cisco.com with ESMTP; 09 Mar 2010 22:06:04 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o29M64ND004814 for <syslog@ietf.org>; Tue, 9 Mar 2010 22:06:04 GMT
Date: Tue, 9 Mar 2010 14:06:04 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.1003091405020.15918@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: MULTIPART/Mixed; boundary="===============0814116585=="
Content-ID: <Pine.GSO.4.63.1003091405021.15918@sjc-cde-011.cisco.com>
Subject: [Syslog] [saag] representation and verification of identity in certificates (fwd)
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 22:06:01 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--===============0814116585==
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi Folks,

I know that some of you are interested in this topic.  We've already 
resolved it for our WG so please don't bring it up here.  :-)

Regards,
Chris
--===============0814116585==
Content-Type: MULTIPART/SIGNED; micalg=sha1; boundary=------------ms050001070505060602060700; protocol="application/pkcs7-signature"
Content-ID: <Pine.GSO.4.63.1003091405022.15918@sjc-cde-011.cisco.com>
Content-Description: 

--------------ms050001070505060602060700
Content-Type: TEXT/PLAIN; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <Pine.GSO.4.63.1003091405023.15918@sjc-cde-011.cisco.com>

A small, informal design team has been working on an I-D that attempts
to define recommended procedures for representing and verifying server
identities in X.509 certificates intended for use in applications that
employ TLS. We have just published version -03 of that I-D:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-03

Because this work touches on security in a wide variety of application
protocols (HTTP, IMAP, LDAP, SMTP, XMPP, NNTP, NETCONF, SysLog, SIP,
etc.) through the re-use of both TLS and the PKI, there is no one list
where we can hold a focused discussion. Therefore we have created a new
list, certid@ietf.org, to which you can subscribe here:

https://www.ietf.org/mailman/listinfo/certid

Please join the discussion there if you have an interest in this topic.

Thanks!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

--------------ms050001070505060602060700
Content-Type: APPLICATION/PKCS7-SIGNATURE; name=smime.p7s
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.GSO.4.63.1003091405024.15918@sjc-cde-011.cisco.com>
Content-Description: S/MIME Cryptographic Signature
Content-Disposition: attachment; filename=smime.p7s
--------------ms050001070505060602060700--
--===============0814116585==
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.GSO.4.63.1003091405025.15918@sjc-cde-011.cisco.com>
Content-Description: 
Content-Disposition: inline

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

--===============0814116585==--

From wwwrun@core3.amsl.com  Tue Mar  9 08:37:11 2010
Return-Path: <wwwrun@core3.amsl.com>
X-Original-To: syslog@ietf.org
Delivered-To: syslog@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 30) id 5433F3A6830; Tue,  9 Mar 2010 08:37:11 -0800 (PST)
To: jsalowey@cisco.com, rgerhards@adiscon.com, tomSecurity@network-engineer.co.uk, fhyfeng@gmail.com
From: IETF Secretariat <ietf-ipr@ietf.org>
Message-Id: <20100309163711.5433F3A6830@core3.amsl.com>
Date: Tue,  9 Mar 2010 08:37:11 -0800 (PST)
X-Mailman-Approved-At: Wed, 10 Mar 2010 08:18:49 -0800
Cc: tim.polk@nist.gov, pasi.eronen@nokia.com, syslog@ietf.org, ipr-announce@ietf.org
Subject: [Syslog] Posting of IPR Disclosure related to HUAWEI TECHNOLOGIES CO., LTD's Statement about IPR related to RFC 5425 and draft-ietf-syslog-dtls-01
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 16:37:11 -0000

Dear Joseph Salowey, Rainer Gerhards, Tom Petch, Huaweisymantec Technologies:

An IPR disclosure that pertains to your Internet-Draft entitled "Datagram
Transport Layer Security (DTLS) Transport Mapping for Syslog"
(draft-ietf-syslog-dtls) was submitted to the IETF Secretariat on 2010-02-27 and
has been posted on the "IETF Page of Intellectual Property Rights Disclosures"
(https://datatracker.ietf.org/ipr/1271/). The title of the IPR disclosure is
"HUAWEI TECHNOLOGIES CO.,LTD's Statement about IPR related to RFC 5425 and
draft-ietf-syslog-dtls-01."

The IETF Secretariat



From wwwrun@core3.amsl.com  Tue Mar  9 08:37:11 2010
Return-Path: <wwwrun@core3.amsl.com>
X-Original-To: syslog@ietf.org
Delivered-To: syslog@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 30) id 5C51D3A6950; Tue,  9 Mar 2010 08:37:11 -0800 (PST)
To: jsalowey@cisco.com,miaofy@huawei.com,myz@huawei.com
From: IETF Secretariat <ietf-ipr@ietf.org>
Message-Id: <20100309163711.5C51D3A6950@core3.amsl.com>
Date: Tue,  9 Mar 2010 08:37:11 -0800 (PST)
X-Mailman-Approved-At: Wed, 10 Mar 2010 08:18:49 -0800
Cc: tim.polk@nist.gov, pasi.eronen@nokia.com, syslog@ietf.org, ipr-announce@ietf.org
Subject: [Syslog] Posting of IPR Disclosure related to HUAWEI TECHNOLOGIES CO., LTD's Statement about IPR related to RFC 5425 and draft-ietf-syslog-dtls-01
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 16:37:11 -0000

Dear Joseph Salowey, Miao Fuyou, Ma Yuzhi:

An IPR disclosure that pertains to your RFC entitled "Transport Layer Security
(TLS) Transport Mapping for Syslog " (RFC5425) was submitted to the IETF
Secretariat on 2010-02-27 and has been posted on the "IETF Page of Intellectual
Property Rights Disclosures" (https://datatracker.ietf.org/ipr/1271/). The title
of the IPR disclosure is "HUAWEI TECHNOLOGIES CO.,LTD's Statement about IPR
related to RFC 5425 and draft-ietf-syslog-dtls-01."

The IETF Secretariat



From cfinss@dial.pipex.com  Wed Mar 10 12:56:00 2010
Return-Path: <cfinss@dial.pipex.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E0163A6996 for <syslog@core3.amsl.com>; Wed, 10 Mar 2010 12:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.435
X-Spam-Level: 
X-Spam-Status: No, score=-2.435 tagged_above=-999 required=5 tests=[AWL=0.164,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUufItJc85qT for <syslog@core3.amsl.com>; Wed, 10 Mar 2010 12:55:59 -0800 (PST)
Received: from mk-outboundfilter-5.mail.uk.tiscali.com (mk-outboundfilter-5.mail.uk.tiscali.com [212.74.114.1]) by core3.amsl.com (Postfix) with ESMTP id 38F953A690C for <syslog@ietf.org>; Wed, 10 Mar 2010 12:55:59 -0800 (PST)
X-Trace: 246473706/mk-outboundfilter-5.mail.uk.tiscali.com/PIPEX/$PIPEX-ACCEPTED/pipex-customers/62.188.100.234/None/cfinss@dial.pipex.com
X-SBRS: None
X-RemoteIP: 62.188.100.234
X-IP-MAIL-FROM: cfinss@dial.pipex.com
X-SMTP-AUTH: 
X-MUA: Microsoft Outlook Express 6.00.2800.1106Produced By Microsoft MimeOLE V6.00.2800.1106
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AoAJAPKVl0s+vGTq/2dsb2JhbACBehkYhSmISYsqvAANhGwE
X-IronPort-AV: E=Sophos;i="4.49,616,1262563200"; d="scan'208";a="246473706"
X-IP-Direction: IN
Received: from 1cust234.tnt1.lnd9.gbr.da.uu.net (HELO allison) ([62.188.100.234]) by smtp.pipex.tiscali.co.uk with SMTP; 10 Mar 2010 20:56:02 +0000
Message-ID: <000201cac08b$882391a0$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com>, <syslog@ietf.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B96D@xmb-sjc-225.amer.cisco.com>
Date: Wed, 10 Mar 2010 20:37:53 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: Re: [Syslog] DTLS renegotiation
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 20:56:00 -0000

----- Original Message -----
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: <syslog@ietf.org>
Sent: Sunday, March 07, 2010 11:29 PM
Subject: [Syslog] DTLS renegotiation


> Richard pointed out that we should cover issues with DTLS renegotiation.
> Recently, as you may have been aware, there have been vulnerabilities
> discovered with TLS renegotiation.   In general, DTLS tends to be less
> vulnerable to the attacks described, but there still can be issues.
> During renegotiation new parameters can be renegotiated for the
> connection and, with most libraries, the application does not know that
> a change occurred.  In general I think it would be best to avoid
> renegotiation, however this means that in the case of extremely long
> lived connections the connection will need to be broken and started
> again at some point.
>
> Below is the text I suggest adding to the security considerations of the
> document.
>
>
> 8.1 DTLS Renegotiation
>
> TLS and DTLS renegotiation may be vulnerable to attacks described in RFC
> 5746.  Although RFC 5746 provides a fix for some of the issues,
> renegotiation can still cause problems for applications since connection
> security parameters can change without the application knowing it.
> Therefore it is RECOMMENDED that renegotiation be disabled for syslog
> over DTLS.   If, for some reason, renegotiation is allowed then the
> specification in RFC 5746 MUST be followed and the implementation MUST
> make sure that the connection security parameters do not change during
> renegotiation.

I think that the last sentence goes too far and should be more like

" If renegotiation is allowed then the
> specification in RFC 5746 MUST be followed and the implementation MUST
> make sure that the connection still has adequate security and that any
identities extracted from the client and server certificates do not change during
> renegotiation.

Well, a bit clumsy, but I would like to be specific on those two issues.  They
are nothing to do with the problem that RFC5746 addresses but the work leading
up to RFC5746 did show that these are related issues with renegotiation.

Tom Petch


> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
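
The two proposed wordings above, as an added example that is not from the draft or from anyone on the list: a Python model of the check a syslog application could run each time its DTLS library reports a completed handshake, since most libraries do not otherwise tell the application that parameters changed. The parameter fields, the "adequate" cipher suite allowlist and the sample host names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SecurityParams:
    """Connection security parameters as an application could read them back
    from its DTLS library after any completed handshake (field names assumed)."""
    protocol: str                       # negotiated protocol version
    cipher_suite: str                   # negotiated cipher suite
    secure_renegotiation: bool          # RFC 5746 extension in effect?
    client_identities: FrozenSet[str]   # identities taken from the client certificate
    server_identities: FrozenSet[str]   # identities taken from the server certificate


# Constructed allowlist standing in for "adequate security" in one deployment.
ADEQUATE_SUITES = frozenset({
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
})


def evaluate_renegotiation(initial: SecurityParams, current: SecurityParams,
                           policy: str) -> Tuple[bool, str]:
    """Decide whether an association may be kept after a renegotiation.

    policy "strict":  Joe's wording, no connection security parameter may change.
    policy "relaxed": Tom's wording, security must still be adequate and the
                      identities extracted from the certificates must not change.
    Returns (keep_connection, reason)."""
    # Both wordings: if renegotiation happens at all, RFC 5746 MUST be followed.
    if not current.secure_renegotiation:
        return False, "renegotiation without RFC 5746 secure renegotiation"
    if policy == "strict":
        fields = ("protocol", "cipher_suite", "client_identities", "server_identities")
        changed = [f for f in fields if getattr(initial, f) != getattr(current, f)]
        if changed:
            return False, "security parameters changed: " + ", ".join(changed)
        return True, "security parameters unchanged"
    if policy == "relaxed":
        if current.cipher_suite not in ADEQUATE_SUITES:
            return False, "cipher suite no longer adequate: " + current.cipher_suite
        if current.client_identities != initial.client_identities:
            return False, "client identity changed"
        if current.server_identities != initial.server_identities:
            return False, "server identity changed"
        return True, "identities unchanged and security still adequate"
    raise ValueError("unknown policy: " + policy)


class RenegotiationGuard:
    """Per-association state. The RECOMMENDED setting is allow_renegotiation=False,
    in which case any second handshake is reason to drop the association."""

    def __init__(self, policy: str = "strict", allow_renegotiation: bool = False):
        self.policy = policy
        self.allow_renegotiation = allow_renegotiation
        self.initial: Optional[SecurityParams] = None

    def on_handshake_complete(self, params: SecurityParams) -> Tuple[bool, str]:
        """Call each time the library reports a finished handshake."""
        if self.initial is None:
            self.initial = params
            return True, "initial handshake recorded"
        if not self.allow_renegotiation:
            return False, "renegotiation disabled for this association"
        return evaluate_renegotiation(self.initial, params, self.policy)


# Constructed sample parameters (host names and suites are illustrative only).
INITIAL = SecurityParams("DTLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", True,
                         frozenset({"relay.example.net"}),
                         frozenset({"collector.example.net"}))
CIPHER_CHANGED = replace(INITIAL, cipher_suite="TLS_RSA_WITH_AES_256_CBC_SHA")
IDENTITY_CHANGED = replace(INITIAL, client_identities=frozenset({"other.example.net"}))
NO_RFC5746 = replace(INITIAL, secure_renegotiation=False)

if __name__ == "__main__":
    for name, params in (("same", INITIAL), ("cipher", CIPHER_CHANGED),
                         ("identity", IDENTITY_CHANGED), ("no5746", NO_RFC5746)):
        for policy in ("strict", "relaxed"):
            print(name, policy, evaluate_renegotiation(INITIAL, params, policy))
```

Under the strict wording a changed cipher suite already tears the association down; under the relaxed wording it survives as long as the new suite is still on the allowlist and the certificate identities are unchanged.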


From cfinss@dial.pipex.com  Wed Mar 10 12:56:01 2010
Return-Path: <cfinss@dial.pipex.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 062C53A690C for <syslog@core3.amsl.com>; Wed, 10 Mar 2010 12:56:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.15
X-Spam-Level: 
X-Spam-Status: No, score=-2.15 tagged_above=-999 required=5 tests=[AWL=-0.151,  BAYES_00=-2.599, J_CHICKENPOX_35=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lxhHszx9mwHA for <syslog@core3.amsl.com>; Wed, 10 Mar 2010 12:56:00 -0800 (PST)
Received: from mk-outboundfilter-5.mail.uk.tiscali.com (mk-outboundfilter-5.mail.uk.tiscali.com [212.74.114.1]) by core3.amsl.com (Postfix) with ESMTP id CC5873A697C for <syslog@ietf.org>; Wed, 10 Mar 2010 12:55:59 -0800 (PST)
X-Trace: 246473709/mk-outboundfilter-5.mail.uk.tiscali.com/PIPEX/$PIPEX-ACCEPTED/pipex-customers/62.188.100.234/None/cfinss@dial.pipex.com
X-SBRS: None
X-RemoteIP: 62.188.100.234
X-IP-MAIL-FROM: cfinss@dial.pipex.com
X-SMTP-AUTH: 
X-MUA: Microsoft Outlook Express 6.00.2800.1106Produced By Microsoft MimeOLE V6.00.2800.1106
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AoAJAPKVl0s+vGTq/2dsb2JhbACBehkYhSmISYsqvAANhGwE
X-IronPort-AV: E=Sophos;i="4.49,616,1262563200"; d="scan'208";a="246473709"
X-IP-Direction: IN
Received: from 1cust234.tnt1.lnd9.gbr.da.uu.net (HELO allison) ([62.188.100.234]) by smtp.pipex.tiscali.co.uk with SMTP; 10 Mar 2010 20:56:03 +0000
Message-ID: <000301cac08b$88e3d460$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Chris Lonvick" <clonvick@cisco.com>
References: <Pine.GSO.4.63.1001260614300.6144@sjc-cde-011.cisco.com> <007301ca9f74$d7dba800$0601a8c0@allison> <Pine.GSO.4.63.1003081346330.21786@sjc-cde-011.cisco.com>
Date: Wed, 10 Mar 2010 20:43:42 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Cc: syslog@ietf.org
Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 20:56:01 -0000

Extracting one of the two unresolved issues
"> > A.2
> > %d10 is LF not NL; I do not know which you mean.
>
> CML> I've seen it called both.  I'm trying to track down a normative
> reference.  Do you have one?  Till then, I'm going to leave it as NL
> (%d10).  [Pending review by Rainer.]
"
RFC20/RFC020/RFC0020 says that LF is 0/10 and I do not think
that it has changed since:-)

Tom Petch

----- Original Message -----
From: "Chris Lonvick" <clonvick@cisco.com>
To: "tom.petch" <cfinss@dial.pipex.com>
Cc: <syslog@ietf.org>
Sent: Monday, March 08, 2010 10:52 PM
Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt


> Hi Tom,
>
> I got all excited about the next version of draft-ietf-syslog-dtls getting
> in before the cutoff time that I went ahead and edited plain-tcp.  :-)
>
> Comments in-line.
>
> On Wed, 27 Jan 2010, tom.petch wrote:
>
> > Review comments on tcp-01 (as the subject line says:-)
> >
> > What is the intended status?  The I-D does not say; I would aim for Standards
> > Track.
>
> CML> Yup.  Now it says Standards Track.
>
> >
> > s.3
> > "Traditional    TCP implementations do not use any backchannel mechanism "
> > suggest
> > "Traditional implementations of syslog over TCP do not use any backchannel
> > mechanism "
>
> CML> Sounds good.
>
> >
> > "abilities of TCP"
> > suggest
> > "capabilities of TCP"
>
> CML> Good.
>
> >
> > s3.3
> > I think that the ABNF rules should be amended so that the rule with
> > =
> > comes before the rule with
> > =/
>
> CML> Makes sense.
>
> >
> > Add at the end
> >
> > "   SYSLOG-MSG is defined in the syslog protocol [RFC5424]."
>
> CML> Added.
>
> >
> > A.2
> > %d10 is LF not NL; I do not know which you mean.
>
> CML> I've seen it called both.  I'm trying to track down a normative
> reference.  Do you have one?  Till then, I'm going to leave it as NL
> (%d10).  [Pending review by Rainer.]
>
> >
> > And, perhaps the most important, somewhere I think you should cover the nature
> > of TCP; give it a message and it will buffer it, may be for days, and then lose
> > it because the connection is taken down.  Should you recommend the use of PSH
> > for all messages?
>
> CML> I added a paragraph near the end of the Introduction about that.
> (Which I have not run by Rainer yet. :)  Let me know if that's what you
> were thinking about.
>
> CML> We appreciate the review.  The updated draft should be out soon and
> I'll ask for another review of it rsn.
>
> Thanks,
> Chris
>
> >
> > Tom Petch
> >
> > ----- Original Message -----
> > From: "Chris Lonvick" <clonvick@cisco.com>
> > To: <syslog@ietf.org>
> > Sent: Tuesday, January 26, 2010 7:24 PM
> > Subject: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
> >
> >
> >> Hi Folks,
> >>
> >
> >


From rgerhards@hq.adiscon.com  Thu Mar 11 06:46:39 2010
Return-Path: <rgerhards@hq.adiscon.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E31D23A6B9D for <syslog@core3.amsl.com>; Thu, 11 Mar 2010 06:46:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_35=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAKt3lqCqedt for <syslog@core3.amsl.com>; Thu, 11 Mar 2010 06:46:39 -0800 (PST)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id 32CDF3A6A25 for <syslog@ietf.org>; Thu, 11 Mar 2010 06:46:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id 855AE241C004; Thu, 11 Mar 2010 15:21:43 +0100 (CET)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvEo3TN6hx6T; Thu, 11 Mar 2010 15:21:43 +0100 (CET)
Received: from GRFEXC.intern.adiscon.com (pd95c774a.dip0.t-ipconnect.de [217.92.119.74]) by mailin.adiscon.com (Postfix) with ESMTP id 3A2F3241C002; Thu, 11 Mar 2010 15:21:43 +0100 (CET)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 11 Mar 2010 15:46:30 +0100
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA7103A77@GRFEXC.intern.adiscon.com>
X-MimeOLE: Produced By Microsoft Exchange V6.5
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Syslog] Review comments ondraft-gerhards-syslog-plain-tcp-01.txt
Thread-Index: AcrAlCxxxmCPoZe8RS6eS7DA7vy0DQAlVOeQ
References: <Pine.GSO.4.63.1001260614300.6144@sjc-cde-011.cisco.com><007301ca9f74$d7dba800$0601a8c0@allison><Pine.GSO.4.63.1003081346330.21786@sjc-cde-011.cisco.com> <000301cac08b$88e3d460$0601a8c0@allison>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "tom.petch" <cfinss@dial.pipex.com>, "Chris Lonvick" <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Review comments ondraft-gerhards-syslog-plain-tcp-01.txt
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2010 14:46:40 -0000

Sorry, folks, just a short note: unfortunately, I got totally swamped with a
couple of really important issues (to me, of course). Being in a small shop,
it is not easy to always be as responsive as one likes. I will try to follow
up ASAP, but probably not before Monday.

Rainer

> -----Original Message-----
> From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> Behalf Of tom.petch
> Sent: Wednesday, March 10, 2010 8:44 PM
> To: Chris Lonvick
> Cc: syslog@ietf.org
> Subject: Re: [Syslog] Review comments ondraft-gerhards-syslog-plain-
> tcp-01.txt
>
> Extracting one of the two unresolved issues
> "> > A.2
> > > %d10 is LF not NL; I do not know which you mean.
> >
> > CML> I've seen it called both.  I'm trying to track down a normative
> > reference.  Do you have one?  Till then, I'm going to leave it as NL
> > (%d10).  [Pending review by Rainer.]
> "
> RFC20/RFC020/RFC0020 says that LF is 0/10 and I do not think
> that it has changed since:-)
>
> Tom Petch
>
> ----- Original Message -----
> From: "Chris Lonvick" <clonvick@cisco.com>
> To: "tom.petch" <cfinss@dial.pipex.com>
> Cc: <syslog@ietf.org>
> Sent: Monday, March 08, 2010 10:52 PM
> Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
>
>
> > Hi Tom,
> >
> > I got all excited about the next version of draft-ietf-syslog-dtls getting
> > in before the cutoff time that I went ahead and edited plain-tcp.  :-)
> >
> > Comments in-line.
> >
> > On Wed, 27 Jan 2010, tom.petch wrote:
> >
> > > Review comments on tcp-01 (as the subject line says:-)
> > >
> > > What is the intended status?  The I-D does not say; I would aim for Standards
> > > Track.
> >
> > CML> Yup.  Now it says Standards Track.
> >
> > >
> > > s.3
> > > "Traditional    TCP implementations do not use any backchannel mechanism "
> > > suggest
> > > "Traditional implementations of syslog over TCP do not use any backchannel
> > > mechanism "
> >
> > CML> Sounds good.
> >
> > >
> > > "abilities of TCP"
> > > suggest
> > > "capabilities of TCP"
> >
> > CML> Good.
> >
> > >
> > > s3.3
> > > I think that the ABNF rules should be amended so that the rule with
> > > =
> > > comes before the rule with
> > > =/
> >
> > CML> Makes sense.
> >
> > >
> > > Add at the end
> > >
> > > "   SYSLOG-MSG is defined in the syslog protocol [RFC5424]."
> >
> > CML> Added.
> >
> > >
> > > A.2
> > > %d10 is LF not NL; I do not know which you mean.
> >
> > CML> I've seen it called both.  I'm trying to track down a normative
> > reference.  Do you have one?  Till then, I'm going to leave it as NL
> > (%d10).  [Pending review by Rainer.]
> >
> > >
> > > And, perhaps the most important, somewhere I think you should cover the nature
> > > of TCP; give it a message and it will buffer it, may be for days, and then lose
> > > it because the connection is taken down.  Should you recommend the use of PSH
> > > for all messages?
> >
> > CML> I added a paragraph near the end of the Introduction about that.
> > (Which I have not run by Rainer yet. :)  Let me know if that's what you
> > were thinking about.
> >
> > CML> We appreciate the review.  The updated draft should be out soon and
> > I'll ask for another review of it rsn.
> >
> > Thanks,
> > Chris
> >
> > >
> > > Tom Petch
> > >
> > > ----- Original Message -----
> > > From: "Chris Lonvick" <clonvick@cisco.com>
> > > To: <syslog@ietf.org>
> > > Sent: Tuesday, January 26, 2010 7:24 PM
> > > Subject: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
> > >
> > >
> > >> Hi Folks,
> > >>
> > >
> > >
>
> _______________________________________________
> Syslog mailing list
> Syslog@ietf.org
> https://www.ietf.org/mailman/listinfo/syslog

From jsalowey@cisco.com  Thu Mar 11 22:07:55 2010
Date: Thu, 11 Mar 2010 22:07:44 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509CE7E87@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <000201cac08b$882391a0$0601a8c0@allison>
References: <AC1CFD94F59A264488DC2BEC3E890DE509C5B96D@xmb-sjc-225.amer.cisco.com> <000201cac08b$882391a0$0601a8c0@allison>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "tom.petch" <cfinss@dial.pipex.com>, <syslog@ietf.org>
Subject: Re: [Syslog] DTLS renegotiation
X-List-Received-Date: Fri, 12 Mar 2010 06:07:55 -0000

Hi Tom,

The text I suggested is a bit vague.  I like your replacement text.

Joe

> > 8.1 DTLS Renegotiation
> >
> > TLS and DTLS renegotiation may be vulnerable to attacks described in RFC
> > 5746.  Although RFC 5746 provides a fix for some of the issues,
> > renegotiation can still cause problems for applications since connection
> > security parameters can change without the application knowing it.
> > Therefore it is RECOMMENDED that renegotiation be disabled for syslog
> > over DTLS.   If, for some reason, renegotiation is allowed then the
> > specification in RFC 5746 MUST be followed and the implementation MUST
> > make sure that the connection security parameters do not change during
> > renegotiation.
>
> I think that the last sentence goes too far and should be more like
>
> " If renegotiation is allowed then the
> > specification in RFC 5746 MUST be followed and the implementation MUST
> > make sure that the connection still has adequate security and that any
> identities extracted from client and server certificates do not change
> during
> > renegotiation.
>
> Well, a bit clumsy, but I would like to be specific on those two issues.
> They are nothing to do with the problem that RFC5746 addresses but the work
> leading up to RFC5746 did show that these are related issues with
> renegotiation.
>
> Tom Petch
>
>

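Added example, not from the draft or from anyone in the thread: a receiver-side check for the requirement Tom proposes above, that identities extracted from the peer certificate and the connection's security parameters do not change across a renegotiation. The certificate dict layout and the cipher tuple follow Python's ssl.SSLSocket.getpeercert() and cipher(); the DTLS version string, the MIN_KEY_BITS policy and all sample values are this example's own assumptions.

```python
from dataclasses import dataclass

# Assumed local policy for "adequate security" (this example's own choice).
MIN_KEY_BITS = 128


def peer_identities(cert):
    """Identities a syslog peer is authenticated by: subject commonName and
    every dNSName / iPAddress in subjectAltName (getpeercert() layout)."""
    ids = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                ids.add(("CN", value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            ids.add((kind, value))
    return frozenset(ids)


@dataclass(frozen=True)
class SessionState:
    """What the receiver pins at the first handshake."""
    identities: frozenset
    cipher: str
    protocol: str
    key_bits: int

    @classmethod
    def capture(cls, cert, cipher_info):
        # cipher_info mirrors ssl.SSLSocket.cipher(): (name, protocol, bits)
        name, proto, bits = cipher_info
        return cls(peer_identities(cert), name, proto, bits)


def renegotiation_acceptable(before, after):
    """Return (ok, reasons): keep the session only if peer identities are
    unchanged and the renegotiated parameters are still adequate."""
    reasons = []
    if after.identities != before.identities:
        reasons.append("peer identities changed: %s -> %s"
                       % (sorted(before.identities), sorted(after.identities)))
    if after.protocol != before.protocol:
        reasons.append("protocol changed: %s -> %s" % (before.protocol, after.protocol))
    if after.key_bits < MIN_KEY_BITS:
        reasons.append("cipher %s offers only %d bits" % (after.cipher, after.key_bits))
    return (not reasons, reasons)


# Constructed sample certificates, in getpeercert() layout.
INITIAL_CERT = {
    "subject": ((("commonName", "collector.example.net"),),),
    "subjectAltName": (("DNS", "collector.example.net"), ("IP Address", "192.0.2.10")),
}
RENEG_CERT = {  # a different identity presented at renegotiation
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
STRONG = ("ECDHE-RSA-AES128-GCM-SHA256", "DTLSv1.2", 128)  # assumed cipher() tuple
```

A deployment that follows the RECOMMENDED path simply disables renegotiation; this check is the fallback the proposed text requires when renegotiation is permitted.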

From cfinss@dial.pipex.com  Fri Mar 12 13:08:44 2010
Message-ID: <000e01cac21f$a28ced80$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Chris Lonvick" <clonvick@cisco.com>
References: <Pine.GSO.4.63.1001260614300.6144@sjc-cde-011.cisco.com> <007301ca9f74$d7dba800$0601a8c0@allison> <Pine.GSO.4.63.1003081346330.21786@sjc-cde-011.cisco.com>
Date: Fri, 12 Mar 2010 17:05:59 +0100
Cc: syslog@ietf.org
Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
X-List-Received-Date: Fri, 12 Mar 2010 21:08:44 -0000

Eliding the previously agreed parts

Tom Petch


----- Original Message -----
From: "Chris Lonvick" <clonvick@cisco.com>
To: "tom.petch" <cfinss@dial.pipex.com>
Cc: <syslog@ietf.org>
Sent: Monday, March 08, 2010 10:52 PM
Subject: Re: [Syslog] Review comments on draft-gerhards-syslog-plain-tcp-01.txt


> Hi Tom,
>
> I got all excited about the next version of draft-ietf-syslog-dtls getting
> in before the cutoff time that I went ahead and edited plain-tcp.  :-)
>
> Comments in-line.
>
> On Wed, 27 Jan 2010, tom.petch wrote:
>
<snip>
> > And, perhaps the most important, somewhere I think you should cover the nature
> > of TCP; give it a message and it will buffer it, may be for days, and then lose
> > it because the connection is taken down.  Should you recommend the use of PSH
> > for all messages?
>
> CML> I added a paragraph near the end of the Introduction about that.
> (Which I have not run by Rainer yet. :)  Let me know if that's what you
> were thinking about.

Yes, your new paragraph is exactly what I had in mind.

> CML> We appreciate the review.  The updated draft should be out soon and
> I'll ask for another review of it rsn.
>
> Thanks,
> Chris
>
> > Tom Petch


From root@core3.amsl.com  Tue Mar 23 16:30:06 2010
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Message-Id: <20100323233004.3F7973A6B99@core3.amsl.com>
Date: Tue, 23 Mar 2010 16:30:03 -0700 (PDT)
Cc: syslog@ietf.org
Subject: [Syslog] I-D Action:draft-ietf-syslog-dtls-04.txt
X-List-Received-Date: Tue, 23 Mar 2010 23:30:06 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.


	Title           : Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
	Author(s)       : J. Salowey, et al.
	Filename        : draft-ietf-syslog-dtls-04.txt
	Pages           : 18
	Date            : 2010-03-23

This document describes the transport of syslog messages over DTLS
(Datagram Transport Level Security).  It provides a secure transport
for syslog messages in cases where a connection-less transport is
desired.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.


From clonvick@cisco.com  Mon Mar 29 07:43:33 2010
Date: Mon, 29 Mar 2010 07:43:59 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.1003290721150.19201@sjc-cde-011.cisco.com>
Subject: [Syslog] Status update
X-List-Received-Date: Mon, 29 Mar 2010 14:43:33 -0000

Hi Folks,

Things are looking good.  Joe has updated syslog/dtls based upon the WG 
feedback, and I've written up a proto shepherding document and given it to 
Sean Turner - our new Advisor.  Sean is going to need some time to come up 
to speed on this.  (Welcome to the new role, Sean. :-)

syslog/sign is progressing through the RFC Editor's queue in a timely 
manner.

David and I have recommended that the WG be concluded when syslog/dtls is 
approved by the IESG.  :-)

Please join me in thanking Pasi Eronen for all of his time and effort.

Thanks,
Chris
