Hi Alfonso,
At 07:16 PM 10/25/00 +0200, Alfonso De Gregorio wrote:
>On Tue, 24 Oct 2000, Chris Lonvick wrote:
>
>> 1. Should some wording go into the Authenticated and Reliable IDs that
>> explicitly states what is to be done with messages received? Perhaps
>> the Authenticated relay must wrap the Traditional message into an
>> Authenticated format using its own credential (T-[TA]-A)? Perhaps the
>> Reliable relay must do the same (T-[TAR]-R)?
>
>Explicitly stating what is to be done with received messages is, IMHO,
>convenient only if message integrity is granted to the node that receives
>the message and the message source is authenticated.
In a very "security purist" way, I agree with you. ...but if that were
the case, then no one would be using syslog to begin with. ;-)
Let's take this situation: A network manager starts rolling out the
new R and A devices in the network but can't immediately replace or
upgrade everything at once. Some older (T) devices must be left in
place. In that case, the network manager would be able to configure
the older T devices to send their syslog messages to the nearest R or
A device. That "nearest" device would see that it is a traditional
message and it could be configured to forward it to a Collector. Once
it reaches the Collector, the network manager would be able to look at
the message and see that it had been generated from one of the older
T devices (the authentication wrap would have been done by the first
relay). Since it was not generated in the A-format, it would be viewed
suspiciously; however, it would be logged and it may be a vital piece
of information needed by the network administrator.
>`Reliable' nodes do not necessarily protect message integrity since message
>integrity is only a recommended practice.
>This does not prevent an attacker from maliciously altering also the ID where
>`what to be done' has been stated. Scenarios prone to this kind of problem
>are, for example, R-R-R or T-[TR]-R.
>In fact TCP, used by the BEEP framework, does not prevent packet forging per se.
I agree. That's why I'm asking if we need to have the A-format used
on all relays. Having this discussion now may help in forming that
format.
>Other mechanisms could be used for reliable delivery (eg. redundancy).
>
>If we know that a message has not been altered in transit and the source
>is authenticated we can trust `what to be done' information.
>Otherwise some nodes/relays should be configured to use ACLs where
>policies for senders and relays event messages are stated.
>
>alfonso
Thanks,
Chris
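
An added sketch of the T-[TA]-A case discussed above, not part of the original e-mail or of any syslog draft: the first relay wraps a traditional message under its own credential and the Collector verifies the wrap, then logs the content as suspicious. HMAC-SHA256 with a shared key stands in for the relay's credential; the field names, key, verdict strings and sample message are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by relay and collector stands in for the relay's credential.
RELAY_KEY = b"constructed-demo-key"

def _tag(body: dict) -> str:
    # Tag a canonical (sorted-key) JSON encoding so both sides hash the same bytes.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RELAY_KEY, canonical, hashlib.sha256).hexdigest()

def relay_wrap_traditional(raw: str, relay_id: str) -> dict:
    """First relay: wrap an unauthenticated (T) message and sign the wrap."""
    body = {"relay": relay_id, "origin_format": "T", "msg": raw}
    return {**body, "tag": _tag(body)}

def collector_classify(wrapped: dict) -> str:
    """Collector: verify the relay's wrap, then decide how far to trust the content."""
    body = {k: v for k, v in wrapped.items() if k != "tag"}
    if not hmac.compare_digest(_tag(body), str(wrapped.get("tag", ""))):
        return "reject"            # altered after the relay wrapped it
    if body.get("origin_format") == "T":
        return "log-suspicious"    # relay hop verified, origin never authenticated
    return "log"

# Constructed sample message from an old T device.
SAMPLE = "<34>Oct 25 19:16:00 oldrouter su: 'su root' failed for user on /dev/pts/0"

if __name__ == "__main__":
    ok = relay_wrap_traditional(SAMPLE, "relay-1")
    print(collector_classify(ok))        # wrap verifies, origin was T
    altered = {**ok, "msg": SAMPLE.replace("failed", "succeeded")}
    print(collector_classify(altered))   # changed between relay and collector
    # Changed on the unauthenticated T hop, before the relay ever saw it:
    forged = relay_wrap_traditional(SAMPLE.replace("oldrouter", "corerouter"), "relay-1")
    print(collector_classify(forged))    # wrap still verifies
```

The third case is why the wrapped message stays suspicious: the wrap vouches for the relay-to-Collector hop only, not for what arrived on the T hop.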