I think requiring stronger ciphersuites is not really an issue. The
mandatory to implement ciphersuite chosen 10+ years ago likely does
not meet today's requirements anymore and that was kind of expected.

Whether it is possible to use RFC 5425 with TLS 1.3 without any
additional specification is likely a bit more controversial. Your
initial statement did not say whether IEC will require the use of TLS
1.3 (or I might have missed that). My gut feeling is that the IETF
will only create a new document if that is deemed necessary to get
Syslog over TLS 1.3 specified.

We have a larger collection of network management protocols that can
run over TLS where the same question is being raised. Someone (Tom?)
has to put the arguments (ideally paired with a solution proposal)
into an I-D and then the IETF can discuss which kind of maintenance
actions are needed.

/js

On Mon, Dec 06, 2021 at 05:31:11PM +0000, tom petch wrote:
> From: Syslog <[email protected]> on behalf of Chris Lonvick 
> <[email protected]>
> Sent: 28 November 2021 21:22
> 
> Hello Arijit and All,
> 
> Speaking as an individual (not representing the IETF or any Working Group), 
> the work we did for the syslog protocol was never intended to be insecure. I 
> would make two suggestions:
> 
> - create a new Internet Draft that will deprecate the insecure cypher suite 
> from the RFC; and
> 
> - specify the implementation and deployment of the cypher suites in your IEC 
> documents as you suggest below and cite the Internet Draft as updating the 
> RFC.
> 
> I'm cc'ing the current IETF Security ADs and adding Joe's contact email.
> 
> <tp>
> 
> Also as an individual active in the IETF.
> Trimming the cc: since the mailer has limits and especially ietf-action which 
> is for admin problems with the website.
> 
> I think that there are many more problems.  The current security protocol is 
> TLS1.3 which is very different to TLS1.2 in how the security options are 
> structured.  I have seen some WG seeking to update their RFC for how to make 
> protocol XXXX secure; AFAIK none have succeeded in producing an RFC yet 
> (excepting, perhaps, the TLS WG).
> 
> RFC5425 assumes that life will go on as before with new ciphersuites but IMHO 
> TLS1.3 tore up the rule book and rendered that approach impossible requiring 
> a much greater consideration of the options (e.g. PSK).  (Indeed I see some 
> sectors saying that TLS1.3 cannot be made suitable).
> 
> There is also the question of what is a match for a certificate.  At the time 
> of this RFC, every WG was RYO.  Later an IETF-wide RFC6125 was produced but 
> this is now regarded as inadequate and there is a draft 6125bis which would 
> need to be considered.
> 
> And then the IETF in general might regard NETCONF/YANG as where it wants to 
> put its efforts rather than such as Syslog (or SMI).
> 
> You mention getting no reply from the first two authors of the RFC; I cannot 
> recall seeing anything of them in the past decade or so.
> 
> Tom Petch
> 
> Best regards,
> 
> Chris
> 
> On 11/22/21 10:30 AM, Arijit Bose wrote:
> Dear all,
> 
> 
> I am also looping the email address 
> [email protected]<mailto:[email protected]> for this same query.
> 
> 
> With best regards
> Arijit
> 
> 
> 
> From: Arijit Bose
> Sent: Monday, November 22, 2021 2:40 PM
> To: [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]>
> Cc: IEC 62351 WG15 ([email protected]<mailto:[email protected]>) 
> <[email protected]><mailto:[email protected]>
> Subject: RE: Use Of RFC 5425 In IEC 62351
> Importance: High
> 
> Dear all,
> 
> My name is Arijit Kumar Bose and I am a member of IEC 62351 TC 57 WG15 : IEC 
> 62351 - Wikipedia <https://en.wikipedia.org/wiki/IEC_62351>.
> 
> For the development of an IEC cybersecurity standard for electrical power 
> systems, we (WG15) are trying to reference RFC 5425 and adopt its 
> specifications. However, RFC 5425 specifies 
> TLS_RSA_WITH_AES_128_CBC_SHA, which is currently an insecure and deprecated 
> cipher suite (Ciphersuite Info 
> <https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/>).
> Therefore, we are trying to adopt stronger cipher suites in accordance with 
> IEC 62351-3 (IEC 62351-3:2014+AMD1:2018+AMD2:2020 CSV | IEC 
> Webstore <https://webstore.iec.ch/publication/66624>).
>  IEC 62351-3 specifies a set of stronger state of the art cipher suites and 
> thus defines a profile on how to apply TLS, addressing authentication, cipher 
> suite requirements, renegotiation, etc. Therefore, we would like to use the 
> state of the art cipher suites as specified in IEC 62351-3 and also 
> mandatorily refer RFC 5425 including the usage of its port number 6514 for 
> transporting secure syslog traffic. Our understanding would be that it does 
> not violate RFC 5425, as it allows in section 4.2 of RFC 5425 that also 
> stronger cipher suites may be used.
> Would it be allowed if we normatively (mandatorily) refer to RFC 5425 to 
> secure SYSLOG traffic, including the use of TCP port number 6514, but adopt 
> the stronger cipher suites that are specified in IEC 62351-3 instead of the 
> weak cipher suite indicated above? By adopting this, will our IEC standard 
> become non-compliant with RFC 5425?
> I and WG15 are looking forward to your answer on this topic. We appreciate 
> any input on the same.
> Thanks in advance!
> With best regards
> Arijit
> 
> 
> Arijit Kumar Bose
> Global Cyber Security Architect - Power Grids High Voltage | Software 
> Development Independent Expert
> 
> ul. Pawia 7
> malopolskie
> 31-154 Krakow, Poland
> Mobile: +48 666 881 680
> E-mail: [email protected]<mailto:[email protected]>
> www.hitachienergy.com<https://www.hitachienergy.com/>
> 
> From: Arijit Bose
> Sent: Monday, November 22, 2021 11:49 AM
> To: [email protected]<mailto:[email protected]>
> Cc: IEC 62351 WG15 ([email protected]<mailto:[email protected]>) 
> <[email protected]<mailto:[email protected]>>
> Subject: RE: Use Of RFC 5425 In IEC 62351
> 
> Dear Joseph,
> 
> A second friendly reminder for this below aspect. We(WG15) are looking 
> forward to your reply on this.
> 
> With best regards
> Arijit
> 
> 
> 
> From: Arijit Bose
> Sent: Wednesday, November 17, 2021 12:49 PM
> To: '[email protected]<mailto:[email protected]>' 
> <[email protected]<mailto:[email protected]>>
> Cc: IEC 62351 WG15 ([email protected]<mailto:[email protected]>) 
> <[email protected]<mailto:[email protected]>>
> Subject: RE: Use Of RFC 5425 In IEC 62351
> 
> Dear Joseph,
> 
> A friendly reminder for your input/suggestion on this topic as expressed 
> below.
> 
> With best regards
> Arijit
> 
> 
> 
> From: Arijit Bose
> Sent: Friday, November 12, 2021 11:17 AM
> To: [email protected]<mailto:[email protected]>
> Cc: IEC 62351 WG15 ([email protected]<mailto:[email protected]>) 
> <[email protected]<mailto:[email protected]>>
> Subject: RE: Use Of RFC 5425 In IEC 62351
> 
> Dear Joseph,
> 
> Since I got a computerized automatic generated reply stating an undelivered 
> message to [email protected]<mailto:[email protected]> and 
> [email protected]<mailto:[email protected]> indicating that most probably their 
> email address is no longer valid and thus could not be found, it would be 
> very helpful, if you can please help us (WG15) with your valuable input / 
> suggestion on this below topic.
> 
> We are looking forward to your reply on this!
> 
> With best regards
> Arijit
> 
> 
> 
> From: Arijit Bose
> Sent: Wednesday, November 10, 2021 10:48 AM
> To: [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>; 
> [email protected]<mailto:[email protected]>
> Subject: Use Of RFC 5425 In IEC 62351
> 
> 
> 
> 
> 
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
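The cipher-suite question raised in the thread above (RFC 5425 section 4.2 permitting suites stronger than the mandatory TLS_RSA_WITH_AES_128_CBC_SHA, and TLS 1.3 changing how suites are configured) as an added, defender-side example. This is not code from the thread, from RFC 5425 or from IEC 62351-3: it builds a collector-side SSLContext for the RFC 5425 port, TCP 6514, with an illustrative hardened TLS 1.2 cipher string (an assumption, not the IEC 62351-3 list), then audits what OpenSSL would actually offer so that the legacy suite cannot creep back in through a default. AES128-SHA is OpenSSL's name for the RFC 5425 suite; the policy rules in `classify_suite` (AEAD only, no static RSA key exchange) are this example's own.

```python
"""Cipher-suite policy check for a syslog-over-TLS collector (RFC 5425).

Constructed example: the hardened cipher string and the policy rules are
assumptions for illustration, not text from RFC 5425 or IEC 62351-3.
"""
import ssl

SYSLOG_TLS_PORT = 6514                              # TCP port assigned by RFC 5425
LEGACY_SUITE_IANA = "TLS_RSA_WITH_AES_128_CBC_SHA"  # RFC 5425 mandatory-to-implement suite
LEGACY_SUITE_OPENSSL = "AES128-SHA"                 # OpenSSL's name for the same suite

# Illustrative TLS 1.2 cipher string (assumption, not the IEC 62351-3 list):
# ephemeral ECDHE key exchange only, AEAD ciphers only, no CBC/SHA-1 MAC suites.
HARDENED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])


def classify_suite(entry):
    """Return None if a cipher-suite entry (shaped like the dicts returned by
    SSLContext.get_ciphers()) meets the policy, else a short reason it fails."""
    name = entry["name"]
    if name in (LEGACY_SUITE_IANA, LEGACY_SUITE_OPENSSL):
        return "RFC 5425 legacy suite: static RSA, CBC mode, SHA-1 MAC"
    if not entry.get("aead", False):
        return "not an AEAD cipher"
    # OpenSSL reports key exchange as e.g. 'kx-ecdhe', 'kx-rsa', or 'kx-any' (TLS 1.3).
    if entry.get("kea", "") == "kx-rsa":
        return "static RSA key exchange: no forward secrecy"
    return None


def build_collector_context(cipher_string=HARDENED_CIPHERS):
    """Server-side context for a collector listening on SYSLOG_TLS_PORT."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1 outright
    # set_ciphers() governs TLS 1.2 and earlier suites only; OpenSSL keeps its
    # TLS 1.3 suites in a separate list that the Python ssl module does not expose.
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_context(ctx):
    """Return {'offered': [suite names], 'rejected': {name: reason}} for the
    suites the context would offer, including TLS 1.3 suites on OpenSSL 1.1.1+."""
    offered, rejected = [], {}
    for entry in ctx.get_ciphers():
        offered.append(entry["name"])
        reason = classify_suite(entry)
        if reason is not None:
            rejected[entry["name"]] = reason
    return {"offered": offered, "rejected": rejected}


if __name__ == "__main__":
    report = audit_context(build_collector_context())
    print("collector port:", SYSLOG_TLS_PORT)
    for name in report["offered"]:
        print("  offered:", name)
    for name, reason in report["rejected"].items():
        print("  REJECT:", name, "-", reason)
    print("legacy suite present:", LEGACY_SUITE_OPENSSL in report["offered"])
```

The audit is worth running rather than trusting the cipher string: `get_ciphers()` reports what the linked OpenSSL will really negotiate after its own security level and build options are applied, and on OpenSSL 1.1.1 and later it also shows the TLS 1.3 suites, which `set_ciphers()` never touched. That separation is exactly the structural change Tom Petch refers to: a TLS 1.2-era cipher-suite profile, including the one in RFC 5425 section 4.2, says nothing about what a TLS 1.3 peer will be offered.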
