MUST vs. SHOULD audit
Steve,
This is taken from draft-ietf-ipsec-auth-04.txt but there is similar
wording in the esp draft as well so my comments apply there too.
From section 3.3.2 Security Association Lookup:
> If no valid Security Association exists for this session (e.g., the
> receiver has no key), the receiver MUST discard the packet and the
> failure MUST be recorded in an audit log.
I don't want to discount the wisdom of auditing (and am, in fact, all
in favor of it) but I don't want to see an otherwise conforming
implementation be rendered non-conforming simply because it didn't audit.
Some devices which provide IPsec have no hard disk and a limited amount
of memory (e.g., a router) and auditing of packets that arrive for which
no valid SA exists opens one up to a denial-of-service attack.
I propose that "the failure MUST be recorded" be changed to "the failure
SHOULD be recorded".
Also, section 3.3.3 Sequence Number Verification states:
> If the received packet falls within the window, then the receiver
> proceeds to ICV verification. If the ICV validation fails, the
> receiver MUST discard the received IP datagram as invalid and MUST
> record the authentication failure in an audit log.
I believe the 2nd sentence should begin, "If the sequence number check
fails...." since the next section, 3.3.4 Integrity Check Value Verification
states:
> If the computed and received ICV's match, then the datagram is valid,
> and it is accepted. If the test fails, then the receiver MUST
> discard the received IP datagram as invalid and MUST record the
> authentication failure in an audit log.
Of course, I would also like those two references to "MUST audit" be changed
to "SHOULD audit".
regards,
Dan.
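Added example, not part of the post above nor of the AH/ESP drafts it quotes: a receiver-side sketch of the three checks the quoted sections describe (SA lookup, sequence-number window, ICV) that discards on every failure but records failures through a bounded, token-bucket-limited audit log, which is one way to keep the memory-constrained-device concern from turning into a denial of service. The SA table layout, the 64-entry window, the HMAC-SHA256 truncated-to-96-bit ICV, and all function names are assumptions made for illustration; the injectable clock exists only so the rate limiting is deterministic.

```python
"""Bounded audit logging for inbound IPsec AH failure handling (illustrative)."""
import hmac
import hashlib
import time
from collections import deque
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size; assumed value for the example


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    highest_seq: int = 0   # highest sequence number accepted so far
    bitmap: int = 0        # bit (highest_seq - n) is set if seq n was accepted


class BoundedAuditLog:
    """Token bucket in front of a fixed-size record store.

    At most `rate` records/second (with a `burst` allowance) are stored, and
    never more than `capacity` are retained; everything else is only counted.
    A flood of bogus packets therefore costs a counter increment, not memory
    or disk, while the stored sample still shows that failures occurred.
    """

    def __init__(self, rate=10.0, burst=20, capacity=1000, clock=time.monotonic):
        self.rate, self.burst, self.capacity, self.clock = rate, burst, capacity, clock
        self.tokens = float(burst)
        self.last = clock()
        self.records = deque(maxlen=capacity)  # bounded storage
        self.suppressed = 0                    # failures counted but not stored

    def record(self, event):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.records.append((now, event))
            return True
        self.suppressed += 1
        return False


def make_icv(key, seq, payload):
    """Assumed ICV: HMAC-SHA256 over sequence number and payload, truncated to 96 bits."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]


def process_inbound(sa_table, audit, spi, seq, payload, icv):
    """Apply the SA-lookup, replay-window and ICV checks; return a disposition string."""
    sa = sa_table.get(spi)
    if sa is None:                                  # 3.3.2: no valid SA -> discard
        audit.record(("no-sa", spi))
        return "discard:no-sa"
    too_old = seq <= sa.highest_seq - WINDOW
    seen = seq <= sa.highest_seq and ((sa.bitmap >> (sa.highest_seq - seq)) & 1)
    if too_old or seen:                             # 3.3.3: outside window or duplicate
        audit.record(("replay", spi, seq))
        return "discard:replay"
    if not hmac.compare_digest(make_icv(sa.key, seq, payload), icv):  # 3.3.4
        audit.record(("icv", spi, seq))
        return "discard:icv"
    # Only a packet that passed the ICV check advances the replay window.
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)
    return "accept"
```

Discarding is unconditional in every branch; only the recording is rate limited, and the suppressed counter preserves the fact that an attack-sized burst happened even though the individual records were not kept.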