TOC 
Syslog Working GroupF. Miao
Internet-DraftY. Ma
Intended status: Standards TrackHuawei Technologies
Expires: May 21, 2008November 18, 2007


TLS Transport Mapping for Syslog
draft-ietf-syslog-transport-tls-11.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on May 21, 2008.

Abstract

This document describes the use of Transport Layer Security (TLS) to provide a secure connection for the transport of syslog messages. This document describes the security threats to syslog and how TLS can be used to counter such threats.



Table of Contents

1.  Introduction
    1.1.  Terminology
2.  Security Requirements for Syslog
3.  TLS to Secure Syslog
4.  Protocol Elements
    4.1.  Port Assignment
    4.2.  Initiation
        4.2.1.  Server Identity
        4.2.2.  Client Identity
        4.2.3.  Cryptographic Level
    4.3.  Sending data
        4.3.1.  Message Length
    4.4.  Closure
5.  Security Considerations
    5.1.  Authentication and Certificates
    5.2.  Cipher Suites
6.  IANA Considerations
    6.1.  Port Number
7.  Acknowledgments
8.  References
    8.1.  Normative References
    8.2.  Informative References
§  Authors' Addresses
§  Intellectual Property and Copyright Statements




 TOC 

1.  Introduction

This document describes the use of Transport Layer Security (TLS (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” April 2006.) [RFC4346]) to provide a secure connection for the transport of syslog (Gerhards, R., “The syslog Protocol,” September 2007.) [I‑D.ietf‑syslog‑protocol] messages. This document describes the security threats to syslog and how TLS can be used to counter such threats.



 TOC 

1.1.  Terminology

The following definitions are used in this document:

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].



 TOC 

2.  Security Requirements for Syslog

syslog messages may pass several hops to arrive at the intended collector. Some intermediary networks may not be trusted by the originator, relay, receiver, or all because the network is in a different security domain or at a different security level from the originator, relay, or collector. Another security concern is that the originator, relay, or receiver itself is in an insecure network.

There are several threats to be addressed for syslog security. The primary threats are:

The secondary threat is:

The following threats are deemed to be of lesser importance for syslog, and are not addressed in this document:



 TOC 

3.  TLS to Secure Syslog

TLS can be used as a secure transport to counter all the primary threats to syslog described in section 2:

Note: This secure transport (i.e. TLS) only secures syslog in a hop-by-hop manner, the threat of end-to-end message stream modification is not addressed in this document.



 TOC 

4.  Protocol Elements



 TOC 

4.1.  Port Assignment

A syslog transport sender is always a TLS client and a transport receiver is always a TLS server.

The TCP port NNN has been allocated as the default port for syslog over TLS, as defined in this document.

Note to RFC Editor: please replace NNN with the IANA-assigned value, and remove this note.



 TOC 

4.2.  Initiation

The transport sender should initiate a connection to the transport receiver and then send the TLS Client Hello to begin the TLS handshake. When the TLS handshake has finished the transport sender MAY then send the first syslog message.

TLS uses certificates (Housley, R., Polk, W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” April 2002.) [RFC3280] to authenticate peers. Authentication in this specification means that the recipient of a certificate must actually validate the certificate rather than just accept a certificate. Validation includes constructing a certificate path to one of the configured trust anchors and validating that path, and the identity check against the rules defined in section 4.2.1 and section 4.2.2.



 TOC 

4.2.1.  Server Identity

A procedure similar to RFC2818 (Rescorla, E., “HTTP Over TLS,” May 2000.) [RFC2818] is used to check the server's identity in the certificate.

In general, the client is configured with the hostname or IP address of the TLS server. As a consequence, the hostname or IP address for the server is known to the client. If the hostname (or IP address) is available, the client MUST check it against the server's identity as presented in the server's certificate message, in order to prevent man-in-the-middle attacks.

If the client has external information as to the expected identity of the server, the hostname (or IP address) check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.) In such cases, it is important to narrow the scope of acceptable certificates as much as possible in order to prevent man-in-the-middle attacks. In special cases, it may be appropriate for the client to simply ignore the server's identity, but it must be understood that this leaves the connection open to active attack.

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is current practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by RFC3280 (Housley, R., Polk, W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” April 2002.) [RFC3280]. Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com. If the client is configured with IP address of the server, the hostname should be got first through a trusted mechanism such as a preconfigured hosts table or DNSSEC (Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “DNS Security Introduction and Requirements,” March 2005.) [RFC4033].

If the iPAddress subjectAltName is present in the certificate, it must exactly match the IP address configured or resolved from the configured hostname through a trusted mechanism such as a preconfigured hosts table or DNSSEC.

It is recommended to use dNSName in the certificate rather than any other type subjectAltName for certificate verification, such as ipAddress. If more than one identity of a given type is presented in the certificate (e.g., more than one dNSName name), a match in any one of the set is considered acceptable.

If the hostname does not match the identity in the certificate, clients SHOULD log the error in some form or another (see next paragraph), and SHOULD terminate the connection with a bad certificate error. Clients MAY provide a configuration setting that disables this check but MUST enable it by default.

The application developer must take some care to consider the case when, for whatever reason, there is a problem with authenticating the other end of the connection. Since this problem will prevent log messages from being transmitted, each device having this problem should use whatever means are available to inform the administrator of the problem. This may include producing an error code on a console, returning an error to a user (if there is one), or writing a file to disk, being mindful that such writes should be rate limited in the case of attacks.



 TOC 

4.2.2.  Client Identity

If a server authenticates a client and the client presents a certificate to the server, the server MUST validate the certificate. Validation includes constructing a certificate path to one of the configured trust anchors and validating that path. However, identity check is not required even if subjectAltName is presented in the certificate.

The subjectAltName may be the host name, IP address, MAC, device ID, etc. SubjectAltName is not necessarily unique for different certificates. For example, certificates for some types of printer might use the same subjectAltName.

A client certificate may be issued by an operator when a device/application is being provisioned, or by a vendor when the device/application is manufactured. This document does not define how the client certificate is issued.



 TOC 

4.2.3.  Cryptographic Level

Syslog applications SHOULD be implemented in a manner that permits administrators, as a matter of local policy, to select the cryptographic level and authentication options they desire.

TLS permits the resumption of an earlier TLS session or the use of another active session when a new session is requested, in order to save the expense of another full TLS handshake. The security parameters of the resumed session are reused for the requested session. The security parameters SHOULD be checked against the security requirement of the requested session to make sure that the resumed session provides proper security.



 TOC 

4.3.  Sending data

All syslog messages MUST be sent as TLS "application data". It is possible that multiple syslog messages be contained in one TLS record, or that a syslog message be transferred in multiple TLS records. The application data is defined with the following ABNF (Crocker, D., Ed. and P. Overell, “Augmented BNF for Syntax Specifications: ABNF,” October 2005.) [RFC4234] expression:

APPLICATION-DATA = 1*SYSLOG-FRAME

SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG

MSG-LEN = NONZERO-DIGIT *DIGIT

SP = %d32

NONZERO-DIGIT = %d49-57

DIGIT = %d48 / NONZERO-DIGIT

SYSLOG-MSG is defined in syslog (Gerhards, R., “The syslog Protocol,” September 2007.) [I‑D.ietf‑syslog‑protocol] protocol.



 TOC 

4.3.1.  Message Length

The message length is the octet count of the SYSLOG-MSG in the SYSLOG-FRAME. A tranport receiver MUST use the message length to delimit a syslog message. There is no upper limit for a message length per se. However, in order to establish a baseline for interoperability, this specification requires that a transport receiver MUST be able to process messages with a length up to and including 2048 octets. Transport receiver SHOULD be able to process messages with lengths up to and including 8192 octets.



 TOC 

4.4.  Closure

A TLS client MUST close the associated TLS connection if the connection is not expected to deliver any syslog messages later. It MUST send a TLS close_notify alert before closing the connection. A client MAY choose to not wait for the server's close_notify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the client (e.g., the closure was indicated by TCP).

When no data is received from a connection for a long time (where the application decides what "long" means), a server MAY close the connection. The server MUST attempt to initiate an exchange of close_notify alerts with the client before closing the connection. Servers that are unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the client side. When the client has received the close_notify alert from the server and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert.



 TOC 

5.  Security Considerations



 TOC 

5.1.  Authentication and Certificates

In security sensitive environments, it is recommended that mutual authentication be deployed as that will prevent masquerade attacks, modification of the messages, and disclosure of the contents of the messages. Mutual authentication means the TLS client and server are provisioned with necessary trust roots and must perform certificate validation.

In security insensitive environments, the client or server may forego certificate validation. Note that this opens up the protocol for an active man-in-the middle attack if none of the parties are authenticated against trust anchors. It is recommended that server is configured with certificate, and the client validates the certificate against provisioned trust anchors. If a server does not have a certificate and key/pair configured then it must generate a key pair and a self-signed certificate to make the protocol work. If the syslog client does not have a certificate then it may generate a self signed certificate.

The server MUST be implemented to support certificate and certificate generation, and certificate validation MUST be implemented for all clients. The Syslog client SHOULD be implementated to support certificate and certificate generation, and certificate validation SHOULD be inplemented for Syslog server. In order to provide better protection for future session the client and server MAY cache the certificate presented by its peer so it can compare the certificate with what is presented in subsequent connections. Note that generated certificates should be persistent in this case.

TLS authentication and the distribution of keys is based on certificates and asymmetric cryptography. This makes TLS transport more expensive than non-TLS plain transport. An attacker may initialize many TLS connections to a receiver as a denial of service attack. Since a receiver may act upon received data, for syslog over TLS, it is recommended that the server authenticate the client to ensure that information received is authentic.



 TOC 

5.2.  Cipher Suites

This specification specifies the following cipher suite required for all compliant implementation for minimum interoperability purposes:

TLS_RSA_WITH_AES_128_CBC_SHA

Operators MAY choose to disable older/weaker cipher suites for TLS despite the tradeoff of interoperability, for example, if the cipher suite specified in the specification is found weak in the future. This allows the future update of the specification to change mandatory-to-implement cipher requirement for interoperability. This also allows the TLS community to change its recommendations, and operators to follow those recommendations.

The implementers and deployers should be aware of the strengths of the public keys algorithm in the suite for exchanging symmetric keys, which is elaborated in BCP86 (Orman, H. and P. Hoffman, “Determining Strengths For Public Keys Used For Exchanging Symmetric Keys,” April 2004.) [RFC3766]. The implementers and deployers should also be aware of the latest TLS and other IETF cryptography standards including BCP86.



 TOC 

6.  IANA Considerations



 TOC 

6.1.  Port Number

IANA is requested to assign a TCP port number in the range 1..1023 in the http://www.iana.org/assignments/port-numbers registry which will be the default port for syslog over TLS, as defined in this document.



 TOC 

7.  Acknowledgments

Authors appreciate Eric Rescorla, Rainer Gerhards, Tom Petch, Anton Okmianski, Balazs Scheidler, Bert Wijnen, and Chris Lonvick for their effort on issues resolving discussion. Authors would also like to appreciate Balazs Scheidler, Tom Petch and other persons for their input on security threats of syslog. The authors would like to acknowledge David Harrington for his detailed reviews of the content and grammar of the document.



 TOC 

8.  References



 TOC 

8.1. Normative References

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[I-D.ietf-syslog-protocol] Gerhards, R., “The syslog Protocol,” draft-ietf-syslog-protocol-23 (work in progress), September 2007 (TXT).
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” RFC 3280, April 2002 (TXT).
[RFC3766] Orman, H. and P. Hoffman, “Determining Strengths For Public Keys Used For Exchanging Symmetric Keys,” BCP 86, RFC 3766, April 2004 (TXT).
[RFC4234] Crocker, D., Ed. and P. Overell, “Augmented BNF for Syntax Specifications: ABNF,” RFC 4234, October 2005 (TXT, HTML, XML).
[RFC4346] Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.1,” RFC 4346, April 2006 (TXT).


 TOC 

8.2. Informative References

[RFC2818] Rescorla, E., “HTTP Over TLS,” RFC 2818, May 2000 (TXT).
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “DNS Security Introduction and Requirements,” RFC 4033, March 2005 (TXT).


 TOC 

Authors' Addresses

  Fuyou Miao
  Huawei Technologies
  No. 3, Xinxi Rd
  Shangdi Information Industry Base
  Haidian District, Beijing 100085
  P. R. China
Phone:  +86 10 8288 2008
Email:  miaofy@huawei.com
URI:  www.huawei.com
  
  Yuzhi Ma
  Huawei Technologies
  No. 3, Xinxi Rd
  Shangdi Information Industry Base
  Haidian District, Beijing 100085
  P. R. China
Phone:  +86 10 8288 2008
Email:  myz@huawei.com
URI:  www.huawei.com


 TOC 

Full Copyright Statement

Intellectual Property