Auditing is obviously a host-system issue and outside of the scope of the network protocol or IPSEC architecture document(s). However, there's nothing wrong with pointing out where a host should perform auditing, if it's capable of doing so. In this spirit, it would seem more appropriate for the specs to read SHOULD instead of MUST. Derrell