Re: RFC4303 (IPsec/ESP) auditing requirements
On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
Hello all,
I'm looking at RFC4303 at some of the auditing requirements and one of the
gaps between what the specification requires and what we currently provide
involves the SA's sequence number and the IPv6 flow ID. According the list
of existing audit fields[1] there doesn't appear to any fields which are a
good match. With that in mind I'd like to propose two new fields:
* seqno - sequence number
* flowid - flow id
Any comments, objections, suggestions?
I see a note from Sep 12 or so from Joy Latten that was talking about
adding support for rfcs430[1-3] - are you two collaborating or working at
cross purposes? Are any other fields/calls needed to complete the set?
(Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if
warranted)
Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields,
so it certainly sounds like a good idea. Besides, I *know* that if we don't,
at some point I'm going to be doing forensics or debugging, and cursing the
fact that not all my sensors reported flowid to cross-correlate on :)
Attachments:
- attachment.sig (application/pgp-signature — 226 bytes)