Re: auditing

Dan.McDonald@Eng.sun.com (Dan McDonald) Wed, 02 April 1997 22:20 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA17055 for ipsec-outgoing; Wed, 2 Apr 1997 17:20:20 -0500 (EST)
From: Dan.McDonald@Eng.sun.com
Message-Id: <199704022225.OAA00456@kebe.eng.sun.com>
Subject: Re: auditing
To: sommerfeld@apollo.hp.com
Date: Wed, 02 Apr 1997 14:25:35 -0800
Cc: ipsec@tis.com
In-Reply-To: <199704022147.QAA00458@thunk.ch.apollo.hp.com> from "Bill Sommerfeld" at Apr 2, 97 04:47:55 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

I have to say that after some further thought, if you HAVE logging
facilities, you MUST audit.  This, I guess, puts me in violent agreement with
Bill.

I keep having this sinking feeling that there might be some class of attack
that can only get caught by auditing/logging.  Anyone care to comment on
this?

And speaking of Bill, he mentions...

> Of course, this means that outbound (and inbound) logging traffic
> needs to be treated the same way as key management traffic, bypassing
> any ipsec policy engine which might trigger the creation or use of a
> security association...

I'll insert a plug for draft-mcdonald-simple-ipsec-api-01.txt, which includes
such a BYPASS setting for privileged applications.

Dan
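The bypass issue Bill raises and Dan seconds has a concrete failure mode: if the audit path ships records to a remote log host, and that traffic is itself subject to IPsec policy, then the act of negotiating a security association emits an audit record, which triggers policy, which may try to negotiate a security association for the log host, which emits another audit record, and so on. The toy model below, an added illustration and not code from the thread or from draft-mcdonald-simple-ipsec-api, runs an outbound policy engine twice, once with the audit socket carrying a hypothetical BYPASS setting and once without. The SPD/SAD shapes, the `bypass` flag, the addresses and the log port are all assumptions constructed for the example.

```python
"""Toy model of an IPsec outbound policy engine with a per-socket BYPASS
option, showing why audit/log traffic emitted during key management must
not itself be subject to policy. Every name here (SPD/SAD layout, the
bypass flag, the log host) is hypothetical and constructed for the example."""
from dataclasses import dataclass, field

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"
LOG_HOST = "192.0.2.10"          # constructed: remote audit collector (UDP/514)


@dataclass
class Packet:
    dst: str
    dport: int
    payload: str


@dataclass
class PolicyEngine:
    audit_bypass: bool                        # does the audit socket carry BYPASS?
    spd: dict = field(default_factory=dict)   # dst -> action; unlisted dst is protected
    sad: set = field(default_factory=set)     # destinations with an established SA
    audit_log: list = field(default_factory=list)
    sent: list = field(default_factory=list)  # (mode, packet) handed to the wire
    _negotiating: set = field(default_factory=set)

    def audit(self, event):
        """Record an event locally and ship it to the log host."""
        self.audit_log.append(event)
        self.send(Packet(LOG_HOST, 514, event), bypass=self.audit_bypass)

    def negotiate_sa(self, dst):
        """Stand-in for key management (IKE); only the audit side effect is modelled."""
        if dst in self._negotiating:
            # A second negotiation for the same peer while the first is still
            # running means the audit path re-entered the policy engine.
            raise RecursionError(f"key management re-entered for {dst}")
        self._negotiating.add(dst)
        self.audit(f"sa-created {dst}")
        self._negotiating.discard(dst)
        self.sad.add(dst)

    def send(self, pkt, bypass=False):
        """Outbound path; bypass=True models a privileged socket's BYPASS setting."""
        if bypass:
            self.sent.append(("clear", pkt))
            return "bypassed"
        action = self.spd.get(pkt.dst, PROTECT)
        if action == DISCARD:
            self.audit(f"discard {pkt.dst}:{pkt.dport}")
            return "discarded"
        if action == BYPASS:
            self.sent.append(("clear", pkt))
            return "bypassed"
        if pkt.dst not in self.sad:
            self.negotiate_sa(pkt.dst)
        self.sent.append(("esp", pkt))
        return "protected"


def first_packet(audit_bypass):
    """Send one protected packet on a fresh engine; return (result, engine)."""
    eng = PolicyEngine(audit_bypass=audit_bypass, spd={"203.0.113.7": DISCARD})
    try:
        result = eng.send(Packet("198.51.100.5", 22, "ssh"))
    except RecursionError as exc:
        result = f"error: {exc}"
    return result, eng


if __name__ == "__main__":
    for flag in (False, True):
        result, eng = first_packet(flag)
        print(f"audit socket BYPASS={flag}: {result}; wire={[m for m, _ in eng.sent]}")
```

Without the bypass, the first protected packet never reaches the wire: negotiating the SA for the peer audits, the audit record is itself a protect-policy packet to the log host, and the engine detects the re-entered negotiation for the log host and aborts. With the bypass, the audit record goes out in the clear (exactly as key-management traffic must), the SA completes, and the original packet is sent under ESP. A real stack would also want the bypass restricted to privileged processes, as the draft Dan cites proposes, so that an ordinary application cannot use it to slip past policy.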