public inbox for linux-audit@redhat.com
* RFC4303 (IPsec/ESP) auditing requirements
@ 2007-12-05 19:45 Paul Moore
From: Paul Moore @ 2007-12-05 19:45 UTC (permalink / raw)
  To: linux-audit; +Cc: Joy Latten

Hello all,

I'm looking at RFC4303 at some of the auditing requirements and one of the 
gaps between what the specification requires and what we currently provide 
involves the SA's sequence number and the IPv6 flow ID.  According to the list 
of existing audit fields[1] there doesn't appear to be any fields which are a 
good match.  With that in mind I'd like to propose two new fields:

 * seqno - sequence number
 * flowid - flow id

Any comments, objections, suggestions?

[1] http://people.redhat.com/sgrubb/audit/audit-parse.txt
-- 
paul moore
linux security @ hp


* Re: RFC4303 (IPsec/ESP) auditing requirements
@ 2007-12-05 20:46 ` Paul Moore
From: Paul Moore @ 2007-12-05 20:46 UTC (permalink / raw)
  To: linux-audit; +Cc: Joy Latten

On Wednesday 05 December 2007 2:45:12 pm Paul Moore wrote:
> Hello all,
>
> I'm looking at RFC4303 at some of the auditing requirements and one of the
> gaps between what the specification requires and what we currently provide
> involves the SA's sequence number and the IPv6 flow ID.  According to the list
> of existing audit fields[1] there doesn't appear to be any fields which are a
> good match.  With that in mind I'd like to propose two new fields:
>
>  * seqno - sequence number
>  * flowid - flow id

Scratch the 'flowid' name; the more I look at things, we should probably go 
with 'flowlbl'.

> Any comments, objections, suggestions?
>
> [1] http://people.redhat.com/sgrubb/audit/audit-parse.txt

-- 
paul moore
linux security @ hp


* Re: RFC4303 (IPsec/ESP) auditing requirements
@ 2007-12-06 18:25 ` Valdis.Kletnieks
From: Valdis.Kletnieks @ 2007-12-06 18:25 UTC (permalink / raw)
  To: Paul Moore; +Cc: Joy Latten, linux-audit



On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
> 
> I'm looking at RFC4303 at some of the auditing requirements and one of the 
> gaps between what the specification requires and what we currently provide 
> involves the SA's sequence number and the IPv6 flow ID.  According to the list 
> of existing audit fields[1] there doesn't appear to be any fields which are a 
> good match.  With that in mind I'd like to propose two new fields:
> 
>  * seqno - sequence number
>  * flowid - flow id
> 
> Any comments, objections, suggestions?

I see a note from Sep 12 or so from Joy Latten that was talking about
adding support for rfcs430[1-3] - are you two collaborating or working at
cross purposes?  Are any other fields/calls needed to complete the set?
(Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields,
so it certainly sounds like a good idea.  Besides, I *know* that if we don't,
at some point I'm going to be doing forensics or debugging, and cursing the
fact that not all my sensors reported flowid to cross-correlate on :)







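As an added illustration (not code from this thread, the kernel, or the audit project), the following Python parser reads audit records in the kernel's key=value style that carry the two proposed fields, flags an ESP sequence number reused within the same SA on one node, and groups records by flow label for the kind of cross-sensor correlation Valdis describes. The record layout, the `node` field, the `op` values and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real kernel output). They follow the
# key=value layout of Linux audit records and carry the two fields the
# thread proposes: seqno (ESP sequence number) and flowlbl (IPv6 flow label).
SAMPLE_RECORDS = """\
type=MAC_IPSEC_EVENT msg=audit(1196880312.001:101): node=gw1 op=SA-icv-failure spi=4660(0x1234) seqno=41 flowlbl=0x0abcde res=0
type=MAC_IPSEC_EVENT msg=audit(1196880312.002:102): node=gw1 op=SA-icv-failure spi=4660(0x1234) seqno=42 flowlbl=0x0abcde res=0
type=MAC_IPSEC_EVENT msg=audit(1196880312.003:103): node=gw1 op=SA-replay-failed spi=4660(0x1234) seqno=41 flowlbl=0x0abcde res=0
type=MAC_IPSEC_EVENT msg=audit(1196880312.004:104): node=gw2 op=SA-icv-failure spi=4660(0x1234) seqno=41 flowlbl=0x0abcde res=0
type=MAC_IPSEC_EVENT msg=audit(1196880312.005:105): node=gw2 op=SA-icv-failure spi=9999(0x270f) seqno=7 flowlbl=0x000001 res=0
"""

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_record(line):
    """Turn one audit line into a dict; spi keeps only its decimal part,
    seqno and flowlbl become integers."""
    rec = dict(FIELD_RE.findall(line))
    rec["spi"] = int(rec["spi"].split("(")[0])   # "4660(0x1234)" -> 4660
    rec["seqno"] = int(rec["seqno"])
    rec["flowlbl"] = int(rec["flowlbl"], 16)      # "0x0abcde" -> 703710
    return rec


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def repeated_seqnos(records):
    """Per (node, spi), sequence numbers that show up in more than one record.
    An ESP sequence number must never be reused within an SA, so a repeat is
    exactly the condition RFC4303's anti-replay audit event exists to record."""
    seen = defaultdict(set)
    repeats = set()
    for r in records:
        key = (r["node"], r["spi"])
        if r["seqno"] in seen[key]:
            repeats.add((r["node"], r["spi"], r["seqno"]))
        seen[key].add(r["seqno"])
    return sorted(repeats)


def correlate_by_flowlbl(records):
    """Group (node, spi, seqno) tuples by flow label so that records from
    several sensors describing the same IPv6 flow line up for forensics."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[r["flowlbl"]].append((r["node"], r["spi"], r["seqno"]))
    return {label: sorted(v) for label, v in by_flow.items()}
```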

* Re: RFC4303 (IPsec/ESP) auditing requirements
@ 2007-12-06 18:46   ` Paul Moore
From: Paul Moore @ 2007-12-06 18:46 UTC (permalink / raw)
  To: Valdis.Kletnieks; +Cc: Joy Latten, linux-audit

On Thursday 06 December 2007 1:25:50 pm Valdis.Kletnieks@vt.edu wrote:
> On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> > Hello all,
> >
> > I'm looking at RFC4303 at some of the auditing requirements and one of
> > the gaps between what the specification requires and what we currently
> > provide involves the SA's sequence number and the IPv6 flow ID. 
> > According to the list of existing audit fields[1] there doesn't appear to
> > be any fields which are a good match.  With that in mind I'd like to propose
> > two new fields:
> >
> >  * seqno - sequence number
> >  * flowid - flow id
> >
> > Any comments, objections, suggestions?
>
> I see a note from Sep 12 or so from Joy Latten that was talking about
> adding support for rfcs430[1-3] - are you two collaborating or working at
> cross purposes?  

Joy who?

 ;)

The Linux Foundation, of which both HP (my employer) and IBM (Joy's employer) 
are members, is currently going through an IPv6 "gap analysis" trying to 
bring the Linux IPv6 implementation more in line with the various IPv6 
specifications.  IPsec, including RFC4303, is part of this effort.

Needless to say there are several people involved (I only know a small 
handful) and I'm just trying to help out by taking care of the auditing 
requirements in RFC4303.

> Are any other fields/calls needed to complete the set? 
> (Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if
> warranted)

Not according to RFC4303, but let's do some vague handwaving anyway :)

> Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those
> fields, so it certainly sounds like a good idea.  Besides, I *know* that if
> we don't, at some point I'm going to be doing forensics or debugging, and
> cursing the fact that not all my sensors reported flowid to cross-correlate
> on :)

:)

-- 
paul moore
linux security @ hp

