
Re: MUST vs. SHOULD audit



  Hilarie,

  My feeling is that auditing is a local matter and not part of the
protocol.

> An implementation that is not capable of auditing these events
> wouldn't conform to the expectations of the community.  What I'd think
> would be reasonable would be to say that if the platform has an audit
> facility, these events must be logged.  This leaves open the
> possibility of tailoring the logging rate for this event type to the
> system administrator.  After all, IPSEC is unlikely to be the only way
> to introduce denial of service through excessive logging, so the audit
> system must already be capable of dealing with such things.

I think the market will decide what the expectations of the community are.

> If there is no audit facility, should one say that IPSEC cannot be
> implemented on that platform?  Seems drastic, but less drastic than
> requiring that IPSEC implementations carry a full audit log capability
> along with them.

That's really drastic. If an implementation does all the mandatory transforms
and the mandatory key management and interoperates with every other
implementation, are you saying that it's not IPsec because it doesn't audit?

It's a wise thing to audit (and an even wiser thing to be able to tailor a
logging rate) and there should be mention of it as a security recommendation 
in the drafts, but I don't feel such a local matter which does not affect 
the bits-on-the-wire should be part of the definition of what makes you 
IPsec-compliant.

  Dan.


