Re: MUST vs. SHOULD audit
Hilarie,
My feeling is that auditing is a local matter and not part of the
protocol.
> An implementation that is not capable of auditing these events
> wouldn't conform to the expectations of the community. What I'd think
> would be reasonable would be to say that if the platform has an audit
> facility, these events must be logged. This leaves open the
> possibility of tailoring the logging rate for this event type to the
> system administrator. After all, IPSEC is unlikely to be the only way
> to introduce denial of service through excessive logging, so the audit
> system must already be capable of dealing with such things.
I think the market will decide what the expectations of the community are.
> If there is no audit facility, should one say that IPSEC cannot be
> implemented on that platform? Seems drastic, but less drastic than
> requiring that IPSEC implementations carry a full audit log capability
> along with them.
That's really drastic. If an implementation does all the mandatory transforms
and the mandatory key management and interoperates with every other
implementation, are you saying that it's not IPsec because it doesn't audit?
It's a wise thing to audit (and an even wiser thing to be able to tailor a
logging rate) and there should be mention of it as a security recommendation
in the drafts, but I don't feel such a local matter which does not affect
the bits-on-the-wire should be part of the definition of what makes you
IPsec-compliant.
Dan.