Oh, O.k., I missed the point - you meant receive syslog from unauthenticated
clients where the server has been authenticated. Yes, that is 'difficult'
with the current IPSEC specification. There have been a few proposals for
allowing asymmetric authentication, e.g. the server is authenticated by the
client using public-key-cryptography (X.509 certificates), and the client is
authenticated with a 'lighter' authentication method (password, pre-shared,
Token).
I guess I was thinking that the main concern would be to prevent clients
being spoofed, rather than servers (which seems harder).
Yes, IPSEC is certainly available in most routers/firewalls that provide VPN
services. Windows and Solaris also have IPSEC now.
Thanks,
Steve.
-----Original Message-----
From: Chris Calabrese [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 21, 2000 3:49 PM
To: Waters, Stephen
Cc: [EMAIL PROTECTED]
Subject: Re: IPSEC usage to protect syslog
But if you use BYPASS, then you get no advantage at all. With TLS you can
specify encryption with one-way authentication, and an application-level
encryption scheme fits the needs even better than either IPsec or TLS.
There is one big advantage of IPsec that I can see, however... A lot of
networking devices, even low-end ones, already have IPsec capabilities built
in. This might make it easier to sell the new protocol to Cisco, 3Com,
Nortel,
etc. who would already have code to do this on many of their devices.
"Waters, Stephen" wrote:
> Where traffic needs to be received from unauthenticated clients, that can
be
> achieved easily with most implementation of IPSEC - you specify a BYPASS
> policy to allow 'in the clear' traffic from a list of addresses, or any
not
> specked as requiring protection.
>
> I agree that 'stable storage' will always need to be part of application
> that require that. This is the approach taken by the Secure-BGP working
> group - digitally sign the BGP updates, but use IPSEC to get it safely
over
> the wire. While syslog and s-BGP application level techniques are
evolving,
> and to support syslog/BGP that will not get updated, IPSEC is a good
start,
> I think.
>
> Thanks for the reply,
> Steve.
>
>
>
> -----Original Message-----
> From: Chris Calabrese [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 18, 2000 4:20 PM
> To: Chris Lonvick
> Cc: Waters, Stephen; [EMAIL PROTECTED]
> Subject: Re: IPSEC usage to protect syslog
>
> In my opinion...
>
> The client needs to make sure rogue servers don't pick up their bits and
the
> server needs to make sure rogue clients aren't spoofing real ones. From
> this
> standpoint, IPsec is a bit overkill because, as Chris L. pointed out,
there
> are
> situations where the server wants to receive information from
> unauthenticated
> clients.
>
> Also, the ideal logging system would have the message
> authentication/encryption
> capabilities follow them onto stable storage, whereas IPsec is a purely
> on-the-wire system.
