<inline>
Tom Petch

----- Original Message -----
From: "Joseph Salowey (jsalowey)" <[EMAIL PROTECTED]>
To: "tom.petch" <[EMAIL PROTECTED]>; "Rainer Gerhards"
<[EMAIL PROTECTED]>; <[email protected]>
Sent: Monday, May 12, 2008 6:15 AM
Subject: RE: [Syslog] -transport-tls-12, IP addresses


Hi Tom,

How would you think this would be deployed?  In order for an IP address
match to be secure in most environments the IP address in the
configuration of the transport sender would have to match against an IP
address in a subject field within the certificate. Would it be
reasonable for a syslog receiver to have a certificate issued to it that
has its IP address in a subject field?

<tp>
Yes, I do think that it would be reasonable :-)

It comes back to the environment in which I see syslog, of large numbers of low
function devices with little infrastructure.  Gold standard security needs PKI,
CRLs, (secure) DNS etc which is great for full function devices.  Entry level
security operates with IP addresses - which must already be known to the syslog
originator - and shared certs, self-signed certs, +/- fingerprints etc so I
think that IP address as an identity should be allowed.

Tom Petch
</tp>


Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of tom.petch
> Sent: Friday, May 09, 2008 4:54 AM
> To: Rainer Gerhards; [email protected]
> Subject: Re: [Syslog] -transport-tls-12, IP addresses
>
> I think that we should allow IP addresses.  At the entry
> level network box, I think that they are widely used.
>
> Tom Petch
>
>
> ----- Original Message -----
> From: "Rainer Gerhards" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, May 07, 2008 10:39 PM
> Subject: [Syslog] -transport-tls-12, IP addresses
>
>
> > Joe,
> >
> >    [Editor's Note: How useful is it to match against IP address?  Do we
> >    expect deployments to issue certificates with IP addresses in them?
> >    Are IP addresses typically used in configuration? ]
> >
> > I find this a tough question. In my experience, it is not uncommon to
> > configure forwarding via IP addresses instead of hostnames. One reason
> > for this is because of reliability of the logging system when DNS is
> > not (yet --> system startup) available. On the other hand, I find it
> > even a bit disturbing to have a certificate issued for an IP address.
> > But it may make sense. I personally would expect that operators tend
> > to use hostnames inside the certificate. The problem, of course, would
> > be that the configuration then needs both the name and IP address...
> >
> > I hope this is useful information, even though I am undecided.
> >
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/syslog
>

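The two checks discussed in this thread, the configured IP address matched against an address carried in the receiver's certificate (Joe's question) and the entry-level alternative of a pinned fingerprint for self-signed or shared certificates (Tom's reply), plus Rainer's case where the connection target is an address but the certificate names a host, as an added example that is not part of the thread or of any syslog implementation. The certificate is a constructed dict in the layout Python's `ssl.SSLSocket.getpeercert()` returns, the DER bytes are constructed placeholders, and the function names `identity_matches`, `fingerprint_matches` and `check_receiver` are this example's own.

```python
"""Checking a syslog receiver's TLS certificate against what the sender
configured: by IP address, by hostname, or by a pinned fingerprint.

Added example; the certificate dict and DER bytes are constructed and mirror
the layout of ssl.SSLSocket.getpeercert() so the same check can run after a
real handshake.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed receiver certificate in getpeercert() dict layout (not a real cert).
RECEIVER_CERT = {
    "subject": ((("commonName", "loghost.example.net"),),),
    "subjectAltName": (("DNS", "loghost.example.net"), ("IP Address", "192.0.2.10")),
}
RECEIVER_DER = b"constructed-placeholder-not-real-der-bytes"  # constructed


def _san_entries(cert: dict, kind: str) -> list:
    """subjectAltName values of one kind: 'DNS' or 'IP Address'."""
    return [value for (name, value) in cert.get("subjectAltName", ()) if name == kind]


def _common_names(cert: dict) -> list:
    """All commonName attributes from the subject, in order."""
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn
            if attr == "commonName"]


def identity_matches(cert: dict, expected: str) -> bool:
    """True if the certificate names `expected` (an IP address or a hostname).

    An IP address is accepted only from an iPAddress SAN, compared as a parsed
    address so textual variants of the same address still match; an address
    placed in the commonName does not count.  A hostname is compared
    case-insensitively against DNS SANs, falling back to commonName only when
    the certificate carries no subjectAltName extension at all.
    """
    try:
        want_ip = ipaddress.ip_address(expected)
    except ValueError:
        want_ip = None

    if want_ip is not None:
        for text in _san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(text) == want_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: ignore it, never match on it
        return False

    host = expected.lower().rstrip(".")
    candidates = _san_entries(cert, "DNS") if "subjectAltName" in cert else _common_names(cert)
    return any(host == c.lower().rstrip(".") for c in candidates)


def fingerprint_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Entry-level check for self-signed or shared certificates: SHA-256 of DER.

    Accepts the pin with or without colon separators and in either case.
    """
    got = hashlib.sha256(der_cert).hexdigest()
    want = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def check_receiver(cert: dict, der_cert: bytes, connect_addr: str,
                   expected_identity: Optional[str] = None,
                   pinned_fingerprint: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the receiver we connected to is the one the operator configured.

    With a pinned fingerprint the pin alone identifies the receiver (the
    low-infrastructure deployment).  Otherwise the certificate must name
    `expected_identity`; when the operator configured only an address, that
    address is the identity, which is the case that needs an IP address in
    the certificate.  The hostname-in-certificate case is what forces the
    configuration to carry both the address to connect to and the name.
    """
    if pinned_fingerprint is not None:
        ok = fingerprint_matches(der_cert, pinned_fingerprint)
        return ok, "fingerprint " + ("matched" if ok else "mismatch")
    identity = expected_identity or connect_addr
    ok = identity_matches(cert, identity)
    return ok, f"identity {identity!r} " + ("found in certificate" if ok else "not in certificate")


if __name__ == "__main__":
    print(check_receiver(RECEIVER_CERT, RECEIVER_DER, "192.0.2.10"))
    print(check_receiver(RECEIVER_CERT, RECEIVER_DER, "192.0.2.10",
                         expected_identity="loghost.example.net"))
    print(check_receiver(RECEIVER_CERT, RECEIVER_DER, "192.0.2.99"))
```

After a real handshake, `sock.getpeercert()` supplies the dict and `sock.getpeercert(binary_form=True)` the DER bytes; note that the dict form is only populated when the context actually validated the peer chain, so a pin-only deployment should take the binary form and skip the identity check rather than read an empty dict as "no names".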
