RFC4303 (IPsec/ESP) auditing requirements
Valdis.Kletnieks at vt.edu
Thu Dec 6 18:25:50 UTC 2007
On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
>
> I'm looking at RFC4303 at some of the auditing requirements and one of the
> gaps between what the specification requires and what we currently provide
> involves the SA's sequence number and the IPv6 flow ID. According to the list
> of existing audit fields[1] there doesn't appear to be any fields which are a
> good match. With that in mind I'd like to propose two new fields:
>
> * seqno - sequence number
> * flowid - flow id
>
> Any comments, objections, suggestions?

I see a note from Sep 12 or so from Joy Latten that was talking about
adding support for rfcs430[1-3] - are you two collaborating or working at
cross purposes? Are any other fields/calls needed to complete the set?
(Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields,
so it certainly sounds like a good idea. Besides, I *know* that if we don't,
at some point I'm going to be doing forensics or debugging, and cursing the
fact that not all my sensors reported flowid to cross-correlate on :)