From: Valdis.Kletnieks@vt.edu
Subject: Re: RFC4303 (IPsec/ESP) auditing requirements
Date: Thu, 06 Dec 2007 13:25:50 -0500
Message-ID: <9124.1196965550@turing-police.cc.vt.edu>
In-Reply-To: <200712051445.13051.paul.moore@hp.com>
To: Paul Moore
Cc: Joy Latten, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
>
> I'm looking at RFC4303 at some of the auditing requirements and one of the
> gaps between what the specification requires and what we currently provide
> involves the SA's sequence number and the IPv6 flow ID. According to the list
> of existing audit fields[1] there don't appear to be any fields which are a
> good match. With that in mind I'd like to propose two new fields:
>
> * seqno - sequence number
> * flowid - flow id
>
> Any comments, objections, suggestions?
I see a note from Sep 12 or so from Joy Latten that was talking about adding
support for rfcs430[1-3] - are you two collaborating or working at cross
purposes? Are any other fields/calls needed to complete the set? (Feel free
to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has an rfc2119-SHOULD for those
fields, so it certainly sounds like a good idea. Besides, I *know* that if
we don't, at some point I'm going to be doing forensics or debugging, and
cursing the fact that not all my sensors reported flowid to cross-correlate
on :)
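The two proposed fields come from RFC 4303 section 3.4.3, which makes an anti-replay failure an auditable event and says the audit entry SHOULD include the SPI, the date/time, the source and destination addresses, the sequence number and, for IPv6, the Flow ID. As an added example that is not code from the thread, from either poster or from the kernel, the following Python builds IPv6/ESP packets, runs their sequence numbers through a 64-entry anti-replay window (no ESN) and emits audit-style key=value records carrying seqno and flowid. The record layout, the op= values, and the sample addresses, SPI and flow label are this example's own assumptions, not kernel output.

```python
"""
Added example (not from the thread or the kernel): an RFC 4303 anti-replay
window check over constructed IPv6/ESP packets, emitting audit-style
key=value records that carry the two proposed fields, seqno and flowid.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

ESP_NEXT_HEADER = 50   # IANA protocol number for ESP
WINDOW_SIZE = 64       # RFC 4303 3.4.3: 32 MUST be supported, 64 is the default


@dataclass(frozen=True)
class EspPacket:
    src: bytes
    dst: bytes
    flow_label: int    # 20-bit IPv6 flow label (the RFC's "Flow ID")
    spi: int
    seq: int           # low 32 bits of the ESP sequence number


def build_ipv6_esp(src: bytes, dst: bytes, flow_label: int, spi: int, seq: int,
                   payload: bytes = b"") -> bytes:
    """Construct an IPv6 packet whose next header is ESP (constructed test data)."""
    esp = struct.pack("!II", spi, seq) + payload
    first_word = (6 << 28) | (flow_label & 0xFFFFF)            # version 6, traffic class 0
    ipv6 = struct.pack("!IHBB", first_word, len(esp), ESP_NEXT_HEADER, 64) + src + dst
    return ipv6 + esp


def parse_ipv6_esp(pkt: bytes) -> EspPacket:
    """Pull the fields an RFC 4303 audit entry SHOULD carry out of a raw packet."""
    if len(pkt) < 48:
        raise ValueError("truncated: need 40-byte IPv6 header plus 8-byte ESP header")
    (first_word,) = struct.unpack_from("!I", pkt, 0)
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    if pkt[6] != ESP_NEXT_HEADER:
        raise ValueError("next header is not ESP")
    spi, seq = struct.unpack_from("!II", pkt, 40)
    return EspPacket(src=pkt[8:24], dst=pkt[24:40],
                     flow_label=first_word & 0xFFFFF, spi=spi, seq=seq)


class ReplayWindow:
    """Sliding anti-replay window as described in RFC 4303 3.4.3 (32-bit seq, no ESN)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        # A real receiver marks the bit only after the ICV verifies; check and
        # update are merged here for brevity.
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.top:                     # right of the window: slide it
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                       # inside the window but seen: replay
        self.bitmap |= 1 << offset
        return True


def audit_record(op: str, p: EspPacket) -> str:
    """Audit-style key=value line; layout and op= strings are this example's own."""
    return (f"type=MAC_IPSEC_EVENT op={op} spi=0x{p.spi:08x} seqno={p.seq} "
            f"flowid=0x{p.flow_label:05x} src={ipaddress.IPv6Address(p.src)} "
            f"dst={ipaddress.IPv6Address(p.dst)}")


def process(window: ReplayWindow, pkt: bytes) -> Tuple[bool, str]:
    """Parse one packet, apply the replay check, return (accepted, audit line)."""
    p = parse_ipv6_esp(pkt)
    ok = window.check_and_update(p.seq)
    return ok, audit_record("SA-accept" if ok else "SA-replay-failure", p)


def demo() -> List[Tuple[int, bool]]:
    """Replay a constructed sequence: in-order, duplicate, jump, late, replay, too old."""
    src = ipaddress.IPv6Address("2001:db8::1").packed      # constructed addresses
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    window = ReplayWindow()
    results = []
    for seq in (1, 2, 3, 3, 100, 50, 36, 50, 200):
        ok, rec = process(window, build_ipv6_esp(src, dst, 0xABCDE, 0x1000, seq))
        results.append((seq, ok))
        print(rec)
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` prints one record per packet; the rejected ones (the duplicate 3, the too-old 36, the replayed 50) are exactly the lines an analyst would want to join across sensors on the spi/seqno/flowid triple, which is the cross-correlation Valdis is asking for.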