[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RFC4303 (IPsec/ESP) auditing requirements

On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
> I'm looking at RFC4303 at some of the auditing requirements and one of the 
> gaps between what the specification requires and what we currently provide 
> involves the SA's sequence number and the IPv6 flow ID.  According the list 
> of existing audit fields[1] there doesn't appear to any fields which are a 
> good match.  With that in mind I'd like to propose two new fields:
>  * seqno - sequence number
>  * flowid - flow id
> Any comments, objections, suggestions?

I see a note from Sep 12 or so from Joy Latten that was talking about
adding support for rfcs430[1-3] - are you two collaborating or working at
cross purposes?  Are any other fields/calls needed to complete the set?
(Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields,
so it certainly sounds like a good idea.  Besides, I *know* that if we don't,
at some point I'm going to be doing forensics or debugging, and cursing the
fact that not all my sensors reported flowid to cross-correlate on :)

Attachment: pgpmnZGrDh2Yd.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]