Gerhard Muenz | 28 May 2009 21:53

[IPFIX] IPFIX configuration: (D)TLS authentication


Hi all,

Regarding the configuration of (D)TLS, one of my students pointed out
that RFC 5101 specifies to authenticate Exporting and Collecting
Processes by FQDNs:

11.3. Authentication

   IPFIX Exporting Processes and IPFIX Collecting Processes are
   identified by the fully qualified domain name of the interface on
   which IPFIX Messages are sent or received, for purposes of X.509
   client and server certificates as in [RFC3280].

The FQDN can be stored in a subjectAltName extension or the Common Name
field of the X.509 certificate. subjectAltName seems to be the preferred
solution.

RFC 5101 says:

   Each of the IPFIX Exporting and
   Collecting Processes MUST verify the identity of its peer against its
   authorized certificates, and MUST verify that the peer's certificate
   matches its fully qualified domain name, or, in the case of SCTP, the
   fully qualified domain name of one of its endpoints.

I assume that the configuration data model should enable the
configuration of which certificates are "authorized".
In general, I see three cases:

1) any valid certificate is authorized
2) only a valid certificate issued by one out of a given list of CAs is
authorized
3) only a valid certificate for one out of a given list of FQDNs issued
by one out of a given list of CAs is accepted

So, I would add the following parameters at appropriate places to the
Exporting Process and Collecting Process parameter sets:

- certificateAuthority: Common Name of the accepted CA
- [collectingProcess|exportingProcess]DomainName: FQDN of accepted CP|EP
  (without specifying if the FQDN is expected to appear in the CN field
   of the Subject or in the subjectAltName extension)

I hope that the Common Name is enough to identify the CA unambiguously.

How about endpoints that have multiple certificates available (e.g.,
issued by different CAs)? In this case, it might be interesting to
configure which certificate(s) the endpoint should offer the other
endpoint for identification.

So, we would be able to specify both certificates _used_ and
certificates _accepted_ by an Exporting Process or Collection Process.

Opinions?

BTW, the second part of the above quote from RFC5101 ("MUST verify that
the peer's certificate matches its fully qualified domain name") seems
to require a DNS lookup, or how is it supposed to work?

Regards,
Gerhard

-- 
Dipl.-Ing. Gerhard Münz
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18008       Fax: +49 89 289-18033
E-mail: muenz <at> net.in.tum.de    WWW: http://www.net.in.tum.de/~muenz
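Added example, not part of the original post or of any IPFIX implementation: a peer-authorization check covering the three cases listed above (any validated certificate, issuer CA from a configured list, issuer CA plus FQDN from configured lists). It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, assumes the TLS library has already validated the certificate chain, and matches the FQDN against DNS subjectAltName entries first, falling back to the subject Common Name only when no DNS SAN is present. The sample certificate dictionaries are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PeerPolicy:
    # Case 1: both sets empty -> any chain-validated certificate is authorized.
    # Case 2: only authorized_ca_cns set -> issuer CN must be one of them.
    # Case 3: both set -> issuer CN listed AND one presented FQDN listed.
    authorized_ca_cns: frozenset = frozenset()
    authorized_fqdns: frozenset = frozenset()

def _rdn_value(name, key):
    """First value of attribute `key` (e.g. 'commonName') in a getpeercert()
    subject/issuer value, which is a tuple of RDNs, each a tuple of pairs."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None

def peer_names(cert):
    """FQDNs the certificate asserts, lower-cased: DNS SANs if present,
    otherwise the subject CN (the post leaves open which field is used)."""
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    return [cn.lower()] if cn else []

def authorize_peer(cert, policy):
    """Return (authorized, reason) for an already chain-validated peer cert."""
    if policy.authorized_ca_cns:
        issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
        if issuer_cn not in policy.authorized_ca_cns:
            return False, f"issuer CN {issuer_cn!r} is not an authorized CA"
    if policy.authorized_fqdns:
        accepted = {f.lower() for f in policy.authorized_fqdns}
        names = peer_names(cert)
        # For SCTP, any one of the peer's endpoint names may match.
        if not any(n in accepted for n in names):
            return False, f"none of {names} is an authorized FQDN"
    return True, "authorized"

# Constructed sample in getpeercert() shape (not a real certificate).
COLLECTOR_CERT = {
    "subject": ((("commonName", "collector.example.net"),),),
    "issuer": ((("commonName", "Example Measurement CA"),),),
    "subjectAltName": (("DNS", "collector.example.net"),
                       ("DNS", "cp1.example.net")),
}
```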

_______________________________________________
IPFIX mailing list
IPFIX <at> ietf.org
https://www.ietf.org/mailman/listinfo/ipfix