Updates to the Cipher Suites in Secure Syslog
lonvick.ietf@gmail.com
sn3rd
sean@sn3rd.com
Salesforce
joe@salowey.net
General
Internet Engineering Task Force
syslog
secure syslog
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
DTLS
TLS
cipher suite
This document updates the cipher suites in RFC 5425, Transport Layer Security
(TLS) Transport Mapping for Syslog, and RFC 6012, Datagram Transport Layer
Security (DTLS) Transport Mapping for Syslog. It also updates the transport
protocol in RFC 6012.
Introduction
The Syslog Working Group produced
Transport Layer Security (TLS) Transport Mapping for Syslog
and
Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog.
Both and
MUST support certificates as defined in
.
requires that implementations "MUST"
support TLS 1.2 and are "REQUIRED"
to support the mandatory to implement cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA (Section 4.2).
requires that implementations "MUST"
support DTLS 1.0 and are also
"REQUIRED" to support the mandatory to implement cipher suite
TLS_RSA_WITH_AES_128_CBC_SHA (Section 5.2).
The TLS_RSA_WITH_AES_128_CBC_SHA cipher suite has been found to be weak and
the community is moving away from it and towards more robust suites.
The DTLS 1.0 transport has been deprecated by
and the community is moving to DTLS 1.2
and DTLS 1.3 .
This document updates and
to deprecate the use of TLS_RSA_WITH_AES_128_CBC_SHA and to make new
recommendations to a mandatory to implement cipher suite to be used for
implementations.
This document also updates to make a recommendation
of a mandatory to implement secure datagram transport.
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL",
"SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED",
"NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as
described in BCP 14
[]
[]
when, and only when, they appear in all capitals, as shown here.
generally reminds us that
cryptographic algorithms and parameters will be broken or weakened over time.
Blindly implementing the cryptographic algorithms listed in any specification
is not advised. Implementers and users need to check that the cryptographic
algorithms specified continue to provide the expected level of security.
As the Syslog Working Group determined, Syslog clients and servers
MUST use certificates as defined in .
Since both and
REQUIRE the use of TLS_RSA_WITH_AES_128_CBC_SHA, it is very
likely that RSA certificates have been implemented in devices adhering to
those specifications. notes that ECDHE cipher suites
exist for both RSA and ECDSA certificates, so moving to an ECDHE cipher suite
will not require replacing or moving away from any currently installed
RSA-based certificates.
documents that the
cipher suite TLS_RSA_WITH_AES_128_CBC_SHA has been found to be weak. As
such, the community is moving away from that and other weak suites and
towards more robust suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
which is also listed as a currently Recommended algorithm in
.
Along those lines, notes that
TLS_RSA_WITH_AES_128_CBC_SHA does not provide forward secrecy, a feature
that is highly desirable in securing event messages. That document also goes
on to recommend TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as a cipher suite that
does provide forward secrecy.
Therefore, the mandatory to implement cipher suites listed in
and must be updated so
that implementations of secure syslog are still considered to provide an
acceptable and expected level of security.
Additionally,
[] deprecates the use
of DTLS 1.0 , which is the mandatory to implement
transport protocol for . Therefore, the transport
protocol for must be updated.
Implementations of MUST NOT offer
TLS_RSA_WITH_AES_128_CBC_SHA. The mandatory to implement cipher suite is
REQUIRED to be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Implementations of MUST continue to
use TLS 1.2 as the mandatory to implement
transport protocol.
Implementations of MAY use
TLS 1.3 as a transport as long as they support
the currently recommended cipher suites.
EDITOR's NOTE: Need to address 0-RTT considerations.
Implementations of MUST NOT offer
TLS_RSA_WITH_AES_128_CBC_SHA. The mandatory to implement cipher suite is
REQUIRED to be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
As specified in , implementations of
must not use DTLS 1.0 .
Implementations MUST use DTLS 1.2 .
DTLS 1.2 implementations are
REQUIRED to support the mandatory to implement
cipher suite, which is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Implementations of MAY use
DTLS 1.3 as a transport as long
as they support the currently recommended cipher suites.
EDITOR's NOTE: Need to address 0-RTT considerations.
This section will be removed prior to publication.
This is version -01. Comments were received regarding the -00 version that
this document should not imply that the use of DTLS1.0 is being deprecated by
this I-D since that was done by RFC 8996. Edits have been made to clarify
that. Also, the authors want this document to update RFC 6012 because it says
more about cipher suites than RFC 8996 and, since there will be 1.3, we’re
saying ya' gotta use 1.2 (for now).
Members of IEC 62351 TC 57 WG15, who prompted this work, have proposed the
following text to be inserted into their documents.
The selection of TLS connection parameters such as cipher suites, session
resumption and renegotiation shall be reused from IEC 62351-3 specification.
Note that port TCP/6514 is assigned by IANA to RFC 5425 (syslog-tls). The RFC
requires the support of TLS1.2 and a SHA-1 based cipher suite, but does not
mandate its use. The cipher does not align with IEC 62351-3 Ed.2 for
profiling TLS. Nevertheless, RFC 5425 does not rule out to use stronger cipher
suites. With this, clients and server supporting the selection of cipher
suites stated in IEC 62351-3 Ed2 will not experience interoperability
problems. Caution has to be taken in environments in which interworking with
existing services utilizing syslog over TLS is intended. For these, the
syslog server needs to be enabled to support the required cipher suites. This
ensures connectivity with clients complying to this document and others
complying to RFC 5425. Note that meanwhile the work on an update of RFC 5425
and RFC 6012 has started. It targets the adoption of stronger cipher suites
for TLS and DTLS to protect syslog communication.
Comments on this text are welcome.
Acknowledgments
The authors would like to thank Arijit Kumar Bose, Steffen Fries and the
members of IEC TC57 WG15 for their review, comments, and suggestions. The
authors would also like to thank Tom Petch and Juergen Schoenwaelder for
their comments and constructive feedback.
IANA Considerations
This document makes no requests to IANA.
Security Considerations
deprecates an insecure DTLS transport protocol
from and deprecates insecure cipher suits from
and . This document
specifies mandatory to implement cipher suites to those RFCs and the latest
version of the DTLS protocol to .
References
Normative References
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
Transport Layer Security (TLS) Transport Mapping for Syslog
This document describes the use of Transport Layer Security (TLS) to provide a secure connection for the transport of syslog messages. This document describes the security threats to syslog and how TLS can be used to counter such threats. [STANDARDS-TRACK]
The Transport Layer Security (TLS) Protocol Version 1.2
This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]
The Transport Layer Security (TLS) Protocol Version 1.3
This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.
Datagram Transport Layer Security Version 1.2
This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]
Datagram Transport Layer Security
This document specifies Version 1.0 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol.
Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
This document describes the transport of syslog messages over the Datagram Transport Layer Security (DTLS) protocol. It provides a secure transport for syslog messages in cases where a connectionless transport is desired. [STANDARDS-TRACK]
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.
Deprecating TLS 1.0 and TLS 1.1
This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance. This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.
Informative References
IANA Registry Updates for TLS and DTLS
This document describes a number of changes to TLS and DTLS IANA
registries that range from adding notes to the registry all the way
to changing the registration policy. These changes were mostly
motivated by WG review of the TLS- and DTLS-related registries
undertaken as part of the TLS 1.3 development process.
This document obsoletes RFC8447 and updates the following RFCs: 3749,
5077, 4680, 5246, 5705, 5878, 6520, 7301.
Deprecating Obsolete Key Exchange Methods in TLS
This document deprecates the use of RSA key exchange in TLS, and
limits the use of Diffie Hellman key exchange over a finite field
such as to avoid known vulnerabilities or improper security
properties.
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
Transport Layer Security (TLS) and Datagram Transport Layer Security
(DTLS) are widely used to protect data exchanged over application
protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the
last few years, several serious attacks on TLS have emerged,
including attacks on its most commonly used cipher suites and their
modes of operation. This document provides recommendations for
improving the security of deployed services that use TLS and DTLS.
The recommendations are applicable to the majority of use cases.
This document was published as RFC 7525 when the industry was in the
midst of its transition to TLS 1.2. Years later this transition is
largely complete and TLS 1.3 is widely available. Given the new
environment, we believe new guidance is needed.
The Datagram Transport Layer Security (DTLS) Protocol Version 1.3
This document specifies Version 1.3 of the Datagram Transport Layer
Security (DTLS) protocol. DTLS 1.3 allows client/server applications
to communicate over the Internet in a way that is designed to prevent
eavesdropping, tampering, and message forgery.
The DTLS 1.3 protocol is intentionally based on the Transport Layer
Security (TLS) 1.3 protocol and provides equivalent security
guarantees with the exception of order protection/non-replayability.
Datagram semantics of the underlying transport are preserved by the
DTLS protocol.
This document obsoletes RFC 6347.