
Re: MUST vs. SHOULD audit



Uri,

	IPsec defines a protocol, and a protocol definition includes the
processing that takes place at the sender and receiver in response to the
transmission and reception of packets, not just the format of the packet
bits on the wire.  On that basis, I'd argue that auditing is within the
scope of the IPsec specs, especially since auditing is a security function
and IPsec defines security protocols.

	I do agree with later contributors to this discussion, that we need
to distinguish between "audited" and "auditable."  Certainly we do not want
to require that events be audited; that is a local policy matter.  Thus, at
a minimum, we need to change the wording to indicate that what is required
(or recommended) is that an implementation allow a local security
administrator to elect auditing for the specified events.  I suspect that
was Ran's intent when he first wrote this text (but which escaped notice
until this round of revisions!).

	I like the general tone of Bill's and Andrew's proposed text; both
are consistent with the notion of expressing what is to be audited if an
event occurs and if auditing is turned on.  I am a bit concerned about
leaving the extent of what is logged be so general.  A counter of events is
not very helpful in identifying the source of a problem, characterizing an
attack, etc.  I'd be happy with the notion that a certain set of data MUST
be available for an audit log, but that the local security manager gets to
select which of these data items is actually logged.

	I also believe that the IPsec architecture document is a good place
to discuss when to audit, and what systems MUST/SHOULD provide an audit
capability and what is meant by "secure audit."  That audit records can be
maintained locally, or transmitted to a remote location, is an appropriate
elaboration of the audit concept and I'm happy to include that as well.
Auditing is a common concern for both AH and ESP, so I'd prefer not
duplicating the text in each document, although I could be persuaded
otherwise.

Steve
