Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
- To: Eliot Lear <lear at cisco.com>
- Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
- From: Sam Hartman <hartmans-ietf at mit.edu>
- Date: Wed, 28 Oct 2009 10:21:31 -0400
- Cc: "'Woundy, Richard'" <Richard_Woundy at cable.comcast.com>, deketelaere at tComLabs.com, enechamkin at broadcom.com, "'Ong, Lyndon'" <Lyong at Ciena.com>, 'Wes Hardaker' <wjhns1 at hardakers.net>, 'Margaret Wasserman' <mrw at lilacglade.org>, 'Sumanth Channabasappa' <sumanth at cablelabs.com>, 'Andi Kosich' <akosich at oiforum.com>, 'Sam Hartman' <hartmans-ietf at mit.edu>, v.marinov at jacobs-university.de, akarmaka at cisco.com, 'Huang Min' <huangmin123 at huawei.com>, syslog at ietf.org, 'Jeffrey Hutzelman' <jhutz at cmu.edu>
- In-reply-to: <4AE834B4.6090209 at cisco.com> (Eliot Lear's message of "Wed, 28 Oct 2009 13:10:28 +0100")
- References: <AC1CFD94F59A264488DC2BEC3E890DE508E8A6EB at xmb-sjc-225.amer.cisco.com> <012201ca56e8$f0e4ac40$0601a8c0 at allison> <0cc801ca5752$e24aad00$0600a8c0 at china.huawei.com> <4AE834B4.6090209 at cisco.com>
>>>>> "Eliot" == Eliot Lear <lear at cisco.com> writes:

Eliot> Why is this necessary? Isn't it sufficient to import and
Eliot> make use of a self-signed certificate? Isn't it easy
Eliot> enough to run OpenSSL on a Mac or linux box and import the
Eliot> stuff? I could see an argument for usability concerns, but
Eliot> that's not sufficient grounds for a MUST.

Eliot> An aside about your 2119 language: I haven't reviewed all
Eliot> of it, nor am I a 2119 expert, but I can say that you will
Eliot> confuse people when you use MUST, SHALL, and REQUIRED.

Eliot> Section 5.3.2, 2nd para, last sentence:

>> The security parameters SHOULD be checked against the security
>> requirements of the requested session to make sure that the
>> resumed session provides proper security.

Eliot> I think what you are aiming at here is a downgrade attack.
Eliot> First, isn't this covered in DTLS? Otherwise, here I would
Eliot> argue for a MUST, and I would be more clear about what you
Eliot> are protecting against, such as the following:

>> In order to avoid downgrade attacks, an existing session MUST
>> NOT be reused if its protection does not match the minimum
>> policy requirements of the new SYSLOG over DTLS session
>> request.

Eliot> Editorial:

Eliot> Same section ABNF: is it not customary to use lower case,
Eliot> particularly for non-terminals?

Eliot> Again, thanks to the authors for putting this out there.

Eliot> Eliot
Why isn't usability sufficient for a MUST in this case? Here's the
argument. Unless turning on security is as easy as not doing so, then
there is a significant cost to security and we will not get the
benefits we should. As a result, especially because there are
significant passive attacks protected against by using DTLS, the
security of the protocol will be significantly improved by requiring
implementations provide an easy-to-enable security solution.

Generating a self-signed cert on a Mac or Linux box is *not* easy compared to running syslogd.

Sam, with his painless-security.com hat on.
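The resumption check Eliot's proposed text calls for, as an added example (not code from the draft or from either participant): a cached DTLS session is compared against the minimum policy of the new syslog-over-DTLS request and is discarded, forcing a full handshake, if it falls short. The cipher-suite table, policy fields and session-cache shape are assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed cipher-suite property table (suite names and values are
# assumptions for illustration, not taken from the draft).
SUITE_PROPS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {"bits": 128, "aead": True, "pfs": True},
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": {"bits": 256, "aead": True, "pfs": True},
    "TLS_RSA_WITH_AES_128_CBC_SHA": {"bits": 128, "aead": False, "pfs": False},
}

@dataclass(frozen=True)
class SessionParams:  # parameters negotiated when the cached session was created
    version: tuple            # e.g. (1, 2) for DTLS 1.2
    cipher_suite: str
    peer_authenticated: bool  # peer certificate chained to a configured trust anchor

@dataclass(frozen=True)
class Policy:  # minimum requirements of the new syslog-over-DTLS session request
    min_version: tuple
    min_bits: int
    require_aead: bool
    require_pfs: bool
    require_peer_auth: bool

def resumption_violations(cached, policy):
    """List every requirement the cached session fails; empty means it may be resumed."""
    props = SUITE_PROPS.get(cached.cipher_suite)
    if props is None:
        return ["unknown cipher suite"]  # never resume what we cannot evaluate
    failed = []
    if cached.version < policy.min_version:
        failed.append("version")
    if props["bits"] < policy.min_bits:
        failed.append("key size")
    if policy.require_aead and not props["aead"]:
        failed.append("aead")
    if policy.require_pfs and not props["pfs"]:
        failed.append("pfs")
    if policy.require_peer_auth and not cached.peer_authenticated:
        failed.append("peer auth")
    return failed

def select_session(cache, session_id, policy):
    """Return the cached session to resume, or None to force a full handshake.
    An entry that no longer meets policy is evicted so it is never offered again."""
    cached = cache.get(session_id)
    if cached is None or resumption_violations(cached, policy):
        cache.pop(session_id, None)
        return None
    return cached
```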