Arijit

My message got a bounce from WG15 which is not unexpected.


Tom Petch

________________________________________
From: Syslog <[email protected]> on behalf of tom petch 
<[email protected]>
Sent: 06 December 2021 17:31

From: Syslog <[email protected]> on behalf of Chris Lonvick 
<[email protected]>
Sent: 28 November 2021 21:22

Hello Arijit and All,

Speaking as an individual (not representing the IETF or any Working Group), the 
work we did for the syslog protocol was never intended to be insecure. I would 
make two suggestions:

- create a new Internet Draft that will deprecate the insecure cypher suite 
from the RFC; and

- specify the implementation and deployment of the cypher suites in your IEC 
documents as you suggest below and cite the Internet Draft as updating the RFC.

I'm cc'ing the current IETF Security ADs and adding Joe's contact email.

<tp>

Also as an individual active in the IETF.
Trimming the cc: since the mailer has limits and especially ietf-action which 
is for admin problems with the website.

I think that there are many more problems.  The current security protocol is 
TLS1.3 which is very different to TLS1.2 in how the security options are 
structured.  I have seen some WG seeking to update their RFC for how to make 
protocol XXXX secure; AFAIK none have succeeded in producing an RFC yet 
(excepting, perhaps, the TLS WG).

RFC5425 assumes that life will go on as before with new ciphersuites but IMHO 
TLS1.3 tore up the rule book and rendered that approach impossible requiring a 
much greater consideration of the options (e.g. PSK).  (Indeed I see some 
sectors saying that TLS1.3 cannot be made suitable).

There is also the question of what is a match for a certificate.  At the time 
of this RFC, every WG was RYO.  Later an IETF-wide RFC6125 was produced but 
this is now regarded as inadequate and there is a draft 6125bis which would 
need to be considered.

And then the IETF in general might regard NETCONF/YANG as where it wants to 
put its efforts rather than such as Syslog (or SMI).

You mention getting no reply from the first two authors of the RFC; I cannot 
recall seeing anything of them in the past decade or so.

Tom Petch

Best regards,

Chris

On 11/22/21 10:30 AM, Arijit Bose wrote:
Dear all,


I am also looping the email address [email protected] for this same query.


With best regards
Arijit



From: Arijit Bose
Sent: Monday, November 22, 2021 2:40 PM
To: [email protected]; [email protected]; [email protected]; [email protected]; 
[email protected]; [email protected]; [email protected]; [email protected]
Cc: IEC 62351 WG15 ([email protected]) <[email protected]>
Subject: RE: Use Of RFC 5425 In IEC 62351
Importance: High

Dear all,

My name is Arijit Kumar Bose and I am a member of IEC 62351 TC 57 WG15 (IEC 
62351 - Wikipedia: https://en.wikipedia.org/wiki/IEC_62351).

For the development of an IEC cybersecurity standard for electrical power 
systems, we (WG15) are trying to reference RFC 5425 and adopt its 
specifications. However, RFC 5425 specifies TLS_RSA_WITH_AES_128_CBC_SHA, 
which is currently an insecure and deprecated cipher suite (Ciphersuite 
Info: https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/). 
Therefore, we are trying to adopt stronger cipher suites in accordance with 
IEC 62351-3 (IEC 62351-3:2014+AMD1:2018+AMD2:2020 CSV | IEC Webstore: 
https://webstore.iec.ch/publication/66624). IEC 62351-3 specifies a set of 
stronger state-of-the-art cipher suites and thus defines a profile on how to 
apply TLS, addressing authentication, cipher suite requirements, renegotiation, 
etc. Therefore, we would like to use the state-of-the-art cipher suites as 
specified in IEC 62351-3 and also mandatorily refer to RFC 5425, including the 
usage of its port number 6514 for transporting secure syslog traffic. Our 
understanding would be that this does not violate RFC 5425, as section 4.2 of 
RFC 5425 allows that stronger cipher suites may also be used.
Would it be allowed if we normatively (mandatorily) refer to RFC 5425 to 
secure syslog traffic, including the use of the TCP port number 6514, but adopt 
the stronger cipher suites that are specified in IEC 62351-3 instead of the 
weak cipher suite indicated above? By adopting this, will our IEC standard 
become non-compliant with RFC 5425?
I and WG15 are looking forward to your answer on this topic. We would 
appreciate any input on the same.
Thanks in advance!
With best regards
Arijit


Arijit Kumar Bose
Global Cyber Security Architect - Power Grids High Voltage | Software 
Development Independent Expert

ul. Pawia 7
malopolskie
31-154 Krakow, Poland
Mobile: +48 666 881 680
E-mail: [email protected]
www.hitachienergy.com

From: Arijit Bose
Sent: Monday, November 22, 2021 11:49 AM
To: [email protected]
Cc: IEC 62351 WG15 ([email protected]) <[email protected]>
Subject: RE: Use Of RFC 5425 In IEC 62351

Dear Joseph,

A second friendly reminder for this below aspect. We (WG15) are looking 
forward to your reply on this.

With best regards
Arijit



From: Arijit Bose
Sent: Wednesday, November 17, 2021 12:49 PM
To: '[email protected]' <[email protected]>
Cc: IEC 62351 WG15 ([email protected]) <[email protected]>
Subject: RE: Use Of RFC 5425 In IEC 62351

Dear Joseph,

A friendly reminder for your input/suggestion on this topic as expressed below.

With best regards
Arijit



From: Arijit Bose
Sent: Friday, November 12, 2021 11:17 AM
To: [email protected]
Cc: IEC 62351 WG15 ([email protected]) <[email protected]>
Subject: RE: Use Of RFC 5425 In IEC 62351

Dear Joseph,

Since I got an automatically generated reply stating that the message to 
[email protected] and [email protected] was undelivered, indicating that 
most probably their email addresses are no longer valid and thus could not be 
found, it would be very helpful if you could please help us (WG15) with your 
valuable input / suggestion on the topic below.

We are looking forward to your reply on this!

With best regards
Arijit



From: Arijit Bose
Sent: Wednesday, November 10, 2021 10:48 AM
To: [email protected]; [email protected]; [email protected]
Subject: Use Of RFC 5425 In IEC 62351


_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
