RFC4303 (IPsec/ESP) auditing requirements

Valdis.Kletnieks at vt.edu
Thu Dec 6 18:25:50 UTC 2007


On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
> 
> I'm looking at RFC4303 at some of the auditing requirements and one of the 
> gaps between what the specification requires and what we currently provide 
> involves the SA's sequence number and the IPv6 flow ID.  According to the list 
> of existing audit fields[1] there doesn't appear to be any fields which are a 
> good match.  With that in mind I'd like to propose two new fields:
> 
>  * seqno - sequence number
>  * flowid - flow id
> 
> Any comments, objections, suggestions?

I see a note from Sep 12 or so from Joy Latten that was talking about
adding support for rfcs430[1-3] - are you two collaborating or working at
cross purposes?  Are any other fields/calls needed to complete the set?
(Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields,
so it certainly sounds like a good idea.  Besides, I *know* that if we don't,
at some point I'm going to be doing forensics or debugging, and cursing the
fact that not all my sensors reported flowid to cross-correlate on :)
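An added example (not code from this thread or from the audit project) showing what the cross-correlation Valdis describes looks like in practice: it parses Linux-audit style key=value records that carry the proposed seqno= and flowid= fields, lines up events from several sensors by flowid, and flags a sequence number reported more than once for the same SA by the same sensor. The seqno and flowid field names come from Paul's proposal; the sample lines, the sensor= field, the op= values and the timestamps are constructed for illustration and are not real kernel output.

```python
"""Cross-correlating IPsec audit events on seqno/flowid (added example).

Only the field names seqno and flowid come from the linux-audit thread; the
record layout below is an assumption in the usual audit key=value style.
"""
import re
from collections import defaultdict

# Constructed sample input (hypothetical records, not captured from a kernel).
# sensor= is an invented field standing in for "which host logged this".
SAMPLE_RECORDS = """\
type=MAC_IPSEC_EVENT msg=audit(1196964312.101:201): op=SA-replayed-pkt sensor=gw1 spi=0x00001000 seqno=17 flowid=0x2ab3
type=MAC_IPSEC_EVENT msg=audit(1196964312.105:202): op=SA-replayed-pkt sensor=gw2 spi=0x00001000 seqno=17 flowid=0x2ab3
type=MAC_IPSEC_EVENT msg=audit(1196964313.220:203): op=SA-icv-failure sensor=gw1 spi=0x00001000 seqno=19 flowid=0x2ab3
type=MAC_IPSEC_EVENT msg=audit(1196964313.400:204): op=SA-icv-failure sensor=gw1 spi=0x00002000 seqno=5 flowid=0x0077
type=MAC_IPSEC_EVENT msg=audit(1196964314.010:205): op=SA-replayed-pkt sensor=gw1 spi=0x00001000 seqno=17 flowid=0x2ab3
"""

# key=value pairs, with optional double-quoted values
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the msg=audit(<seconds>.<millis>:<serial>) stamp every audit record carries
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Turn one audit line into a dict; ts and serial come from the audit(...) stamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["ts"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def parse_records(text):
    """Parse every non-empty line of an audit log excerpt."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def correlate_by_flowid(records):
    """Group events from all sensors by flowid, oldest first."""
    by_flow = defaultdict(list)
    for r in records:
        if "flowid" in r:
            by_flow[r["flowid"]].append(r)
    for events in by_flow.values():
        events.sort(key=lambda r: r["ts"])
    return dict(by_flow)


def sensors_per_flow(by_flow):
    """Which sensors reported each flow: the cross-correlation the reply asks for."""
    return {flowid: sorted({r["sensor"] for r in events})
            for flowid, events in by_flow.items()}


def replayed_seqnos(records):
    """Per (sensor, spi): sequence numbers that were reported more than once.

    Under RFC 4303 a receiver never accepts the same sequence number twice on
    one SA, so a repeated seqno in the audit trail is worth a closer look.
    """
    seen = defaultdict(list)
    for r in records:
        if "seqno" in r and "spi" in r and "sensor" in r:
            seen[(r["sensor"], r["spi"])].append(int(r["seqno"], 0))
    return {key: sorted({s for s in seqs if seqs.count(s) > 1})
            for key, seqs in seen.items()
            if any(seqs.count(s) > 1 for s in seqs)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    flows = correlate_by_flowid(recs)
    for flowid, sensors in sensors_per_flow(flows).items():
        print(f"flowid {flowid}: {len(flows[flowid])} events from {', '.join(sensors)}")
    for (sensor, spi), dups in replayed_seqnos(recs).items():
        print(f"{sensor} spi {spi}: repeated seqno(s) {dups}")
```

Because audit records are only emitted for notable events, not for every packet, the example deliberately does not treat gaps between audited sequence numbers as anomalies; only repeats on the same SA at the same sensor are reported.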

