
Re: MUST vs. SHOULD audit




[co-chair hat off; IPsec implementer and former cisco coder hat on :-]

Dan,

  Ciscos do have the ability to record events to logging hosts that are
outside the router and which do have non-volatile storage (an SNMP trap
is an example of such a mechanism[1], though cisco IOS has other
possibilities in addition). This would fully meet the requirement of
"MUST audit" as currently written in the draft.  Note also that this
is not a new requirement, as it exists also in the current RFCs
which were previously agreed to by this WG.

  Past experience in security-related IETF documents is that
anything not made "MUST implement" is generally not implemented.

  As you note, auditing is an important property of an IPsec implementation
because it is a good way of detecting important security-relevant
events (e.g. a denial of service attack on the cisco that causes
the router to spend cycles computing MD5 over forgeries
instead of forwarding packets).

  If the language is changed at all (which I don't believe is best), 
I'd propose changing it to something like "IPsec implementations having 
access to non-volatile storage MUST audit... and all other implementations 
SHOULD audit...".

  Ran
  rja@inet.org

[1] In the absence of SNMP security, an SNMP trap is not the best choice
    for security-related logging, IMHO.
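The detection and remote-logging path described above, as an added example that is not part of Ran's message and not cisco code: a sliding-window detector that turns a burst of ICV/authentication failures from one peer (the forgery flood mentioned above) into an audit record and formats it for an external syslog host. The packet trace, window and threshold are constructed for the illustration.

```python
"""Audit events for IPsec authentication failures (added example).

An implementation with no local non-volatile storage still records
security-relevant events by forwarding them to an external logging host.
Here a trace of inbound-packet verification results is scanned; a burst
of authentication (ICV) failures from one source within a short window
becomes one audit record, so a flood of forgeries that burns cycles on
MAC verification is visible to operators rather than silently dropped.
"""
from collections import defaultdict, deque


class ForgeryDetector:
    def __init__(self, window_s=1.0, threshold=5):
        self.window_s = window_s      # sliding window length (assumed value)
        self.threshold = threshold    # failures per window that raise an event
        self._fails = defaultdict(deque)

    def observe(self, ts, src, spi, auth_ok):
        """Feed one packet result; return an audit record when a burst completes."""
        if auth_ok:
            return None
        q = self._fails[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                             # reset so a later burst alerts again
            return {"event": "ipsec_auth_failure_burst", "src": src,
                    "spi": spi, "failures": self.threshold, "ts": ts}
        return None


def to_syslog_line(record):
    """Format a record for an external log host: PRI 36 = facility auth(4), warning(4)."""
    return ("<36>ipsec: %(event)s src=%(src)s spi=0x%(spi)04x "
            "failures=%(failures)d ts=%(ts).2f" % record)


# Constructed trace: (timestamp, source, SPI, ICV verified?). 10.0.0.1 has one
# isolated bad packet; 10.0.0.2 sends six forgeries in under a second.
SAMPLE_TRACE = [
    (0.00, "10.0.0.1", 0x1001, True), (0.05, "10.0.0.1", 0x1001, False),
    (0.10, "10.0.0.2", 0x1001, False), (0.20, "10.0.0.2", 0x1001, False),
    (0.30, "10.0.0.2", 0x1001, False), (0.40, "10.0.0.2", 0x1001, False),
    (0.50, "10.0.0.2", 0x1001, False), (0.60, "10.0.0.2", 0x1001, False),
    (0.70, "10.0.0.1", 0x1001, True),
]


def run_sample():
    """Run the detector over the constructed trace; returns the audit records raised."""
    det = ForgeryDetector()
    return [r for r in (det.observe(*pkt) for pkt in SAMPLE_TRACE) if r]
```

Only the fifth failure from 10.0.0.2 raises a record; the isolated failure from 10.0.0.1 and the sixth forgery (after the reset) do not.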


