On Mar 7, 2011, at 6:08 AM, RJ Atkinson wrote:
> 
> Again, it is only audit, not full blown accounting or access control
> or what not.  Perfection is not a requirement here.
> 
> On Fri, 04 Mar 2011 15:03:09 -0800, james woodyatt <[email protected]> wrote:
>> is probably better achieved by enhancing routers with the capability
>> to journal their neighbor discovery cache insertions to a secure
>> repository for offline review.  
> 
> That is tremendously complicated, and there is no requirement for
> a "secure" anything.  We're only talking about audit and confidence
> intervals, not malicious users or malicious hosts.

Then it's much simpler.  Just deploy the routers that have the capability I 
propose, but forget about SAVI and/or EAPOL and don't sweat the security of the 
journal logs so much.  There is no need to rev the specs to support the network 
audit you're talking about.  Just buy routers that support journaling.  Done.

Later, when the security of your audits is something you have to take more 
seriously, then you add the EAPOL and you secure the journal repository better. 
It's incremental.  The "DisablePrivacy" flag adds nothing but additional 
complexity and transition friction.


--
james woodyatt <[email protected]>
member of technical staff, core os networking



--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------