Re: MUST vs. SHOULD audit
[co-chair hat off; IPsec implementer and former cisco coder hat on :-]
Dan,
Ciscos do have the ability to record events to logging hosts that are
outside the router which do have non-volatile storage (an SNMP trap
is an example of such a mechanism[1], though cisco IOS has other
possibilities in addition). This would fully meet the requirement of
"MUST audit" as currently written in the draft. Note also that
this is not a new requirement, as it exists also in the current RFCs
which were previously agreed to by this WG.
Past experience in security-related IETF documents is that
anything not made "MUST implement" is generally not implemented.
As you note, auditing is an important property of an IPsec implementation
because it is a good way of detecting important security-relevant
events (e.g. a denial of service attack on the cisco that causes
the router to spend cycles computing MD5 over forgeries
instead of forwarding packets).
If the language is changed at all (which I don't believe is best),
I'd propose changing it to something like "IPsec implementations having
access to non-volatile storage MUST audit... and all other implementations
SHOULD audit...".
Ran
rja@inet.org
[1] In the absence of SNMP security, an SNMP trap is not the best choice
for security-related logging, IMHO.