At 04:27 PM 3/3/00 -0500, Chris Calabrese wrote:
>
> Hey folks,
>
> This list got awfully quiet since the holidays.
> Anybody still out there?
>
> I've got a very rough draft of an Internet Draft
> for the stuff we were working on towards the end
> of last year, and I'm looking for co-authors to finish
> it off. See the attached.
>
> Also, I was browsing around the IETF web site today
> looking at the drafts from the Intrusion Detection
> Working Group. Some interesting stuff in there,
> though they've glossed over some of the security
> issues IMO. You can check it out for yourself at
> http://www.ietf.org/ids.by.wg/idwg.html
>
> --
> Chris Calabrese
> Internet Infrastructure and Security
> Merck-Medco Managed Care, L.L.C.
> [EMAIL PROTECTED]

Hi Chris & Everyone,

Things did get quiet, but that doesn't mean things weren't happening. :-)
I've been working with the ADs and have obtained permission to hold another
BoF in Adelaide. Below is the proposed agenda and charter for the WG. This
has not been scheduled yet but I'll get the information out to everyone just
as soon as I get something back.

I'll comment some more on Chris' draft in another email.

Thanks,
Chris

--------------------------------------------------------------------------

Hello Secretariat,

I am requesting a 1 hour BOF to discuss the formation of a new
Working Group in the Security Area for Secure Syslog.

Many thanks,
Chris Lonvick
+1.512.378.1182

---Syslog BOF Agenda

Agenda:

Introduction and Level Setting - 30 minutes

  o Syslog as de facto network event logging standard although the
    protocol has never been described in an Internet Draft. There
    are security weaknesses in the protocol. At a high layer, these
    include
      - no authentication of the sender or receiver
      - no verification of delivery of the messages
    On the other hand, it does have a widespread implementation and
    most users understand its scalability characteristics.
  o Although machine authentication can be delivered through SSL/TLS or
    IPSec, a simpler mechanism may be considered for syslog, such as
    something similar to authenticated RIP or BGP. Along with this, a
    lightweight integrity check would be desirable.
  o A feedback mechanism between the message sender and the message
    receiver should be considered for verifiable delivery of the
    messages. This mechanism should also have a mechanism for message
    authentication and integrity.
  o Because an important component of any solution will be the ease of
    transition from the existing mechanism, we will initially explore the
    use of shared secrets within the existing protocol with the intent of
    not impacting non-participants.
  o IPSec or TLS may be used for confidentiality.

Goals of a Secure Syslog Working Group - 20 minutes

  o Post as an Internet Draft the observed behavior of the Syslog
    protocol for consideration as a Standards Track RFC.
  o Post as an Internet Draft the specification for an
    authenticated Syslog for consideration as a Standards Track
    RFC.
  o Post as an Internet Draft the specification for an
    authenticated Syslog with verifiable delivery and message
    integrity for consideration as a Standards Track RFC.
  o Revise drafts as necessary and advance these Internet Drafts
    to Standards Track RFCs.

POSSIBLE BOF/WORKING GROUP CHARTER

Description of Working Group:

Syslog is a de facto standard for logging system events. However, the
protocol component of this event logging system has not been formally
documented. While the protocol has been very useful and scalable, it
has some known but undocumented security problems. For instance, the
messages are unauthenticated and there is no mechanism to provide verified
delivery and message integrity.

The goal of this working group is to document and address the security and
integrity problems of the existing Syslog mechanism. In order to accomplish
this task we will document the existing protocol. The working group will
also explore and develop a standard to address the security problems.
Message authentication can be addressed in well-known ways using shared
secrets or public keys. Because an important component of any solution will
be the ease of transition from the existing mechanism, we will initially
explore the use of shared secrets within the existing protocol with the
intent of not impacting non-participants. Verifiable delivery, message
integrity and authentication can also be explored in a TCP-based message
delivery protocol.

Goals and Milestones:

May 2000  Post as an Internet Draft the observed behavior of
          the Syslog protocol for consideration as a Standards Track RFC.
Jul 2000  Post as an Internet Draft the specification for an
          authenticated Syslog for consideration as a Standards Track RFC.
Aug 2000  Post as an Internet Draft the specification for an authenticated
          Syslog with verifiable delivery and message integrity for
          consideration as a Standards Track RFC.
Dec 2000  Revise drafts as necessary and advance these Internet Drafts to
          Standards Track RFCs.

---end
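
Added example, not part of the original message or of any draft the list produced: one way the agenda's idea of a shared secret carried inside the existing protocol could look, so that a non-participating receiver still sees an ordinary syslog line. The trailer format, the sequence number, the key and the function names are assumptions made for this sketch, and HMAC-SHA256 stands in for the keyed hash used in authenticated RIP or BGP.

```python
import hashlib
import hmac
import re

SHARED_SECRET = b"constructed-demo-secret"  # constructed key, provisioned out of band
# Hypothetical trailer appended to the free-text part of the message.
TRAILER = re.compile(r" \[auth seq=(\d+) mac=([0-9a-f]{64})\]$")


def sign(line: str, seq: int, key: bytes = SHARED_SECRET) -> str:
    """Sender: append a sequence number and an HMAC over everything before it."""
    body = f"{line} [auth seq={seq}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body} mac={mac}]"


def legacy_parse(datagram: str):
    """Non-participant: classic parsing of <PRI>; the trailer is just message text."""
    m = re.match(r"<(\d{1,3})>(.*)$", datagram, re.S)
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)  # facility, severity, text


def verify(datagram: str, last_seq: int, key: bytes = SHARED_SECRET):
    """Participant: return (accepted, newest_seq, reason)."""
    m = TRAILER.search(datagram)
    if m is None:
        return False, last_seq, "unauthenticated"
    seq, mac = int(m.group(1)), m.group(2)
    body = datagram[: datagram.rindex(" mac=")]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, last_seq, "bad mac"
    if seq <= last_seq:  # same datagram seen before, or an old one re-sent
        return False, last_seq, "replay"
    return True, seq, "ok"


if __name__ == "__main__":
    sample = "<34>Mar  3 16:27:00 host1 su: constructed sample event"
    sent = sign(sample, seq=1)
    print(legacy_parse(sent))
    print(verify(sent, last_seq=0))
    print(verify(sent.replace("su:", "sh:"), last_seq=0))
    print(verify(sent, last_seq=1))
```

A jump in the accepted sequence number tells the receiver that datagrams were lost, but it is not the sender-to-receiver feedback mechanism the agenda asks for.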