Re: Expiry based on traffic (kilobytes)
>
> I think that the wording surrounding how to expire an SA based on traffic
> should be clarified. While one can use common sense to figure out this
> issue for an Oakley SA, the IPSec SA is trickier.
>
> The problem is how does the traffic get counted.
>
> [1] Do we add all of the IP packet, or just the section that the SA
> secured (since an IP packet might have more than one SA transform it).
I just count the section that the SA secured.
> [2] Do we also add up the byte count from incoming packets?
I do, to get a general indication of the volume for a pipe where
traffic is greater in one direction than the other ("I'm using this
key this much"). But because of potential packet loss on the net,
your figure may not be "accurate" w.r.t. the sender.
> [3] If so, do we count all of the packet, or just the section that was
> protected by the SA?
>
Just the section that the SA secured.
- C
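As an added illustration of the counting convention described in the reply above (not code from the thread or from any IPsec implementation), the following Python models byte-lifetime accounting for a pair of IPsec SAs: each SA counts only the section it secured (the datagram minus the outer IP header, assuming ESP), inbound and outbound bytes are kept separately, and a bundle of several SAs applied to one packet counts each layer once. The class and function names, the soft/hard limit split, and the choice to judge the pair by whichever direction is further along are assumptions made for the example.

```python
# Added example, not from the thread: byte-lifetime accounting for an IPsec
# SA pair. All names here are hypothetical.
from dataclasses import dataclass

IPV4_HEADER_LEN = 20  # assumed: outer IPv4 header without options


def protected_length(datagram_len: int, outer_header_len: int = IPV4_HEADER_LEN) -> int:
    """Bytes the SA secured: the datagram minus the outer IP header it did not
    cover, i.e. ESP header, payload, trailer and ICV. Assumes ESP, which leaves
    the outer IP header unprotected."""
    if datagram_len < outer_header_len:
        raise ValueError("datagram shorter than its outer IP header")
    return datagram_len - outer_header_len


@dataclass
class TrafficLifetime:
    soft_bytes: int  # start rekeying when this many protected bytes have passed
    hard_bytes: int  # stop using the SA at this point


@dataclass
class SAPair:
    spi_out: int
    spi_in: int
    lifetime: TrafficLifetime
    tx_bytes: int = 0  # protected bytes we sent; authoritative for our side
    rx_bytes: int = 0  # protected bytes we received; loss on the wire can leave
                       # this below the peer's own tx count, so it is an indication only

    def account_outbound(self, datagram_len: int, outer_header_len: int = IPV4_HEADER_LEN) -> str:
        self.tx_bytes += protected_length(datagram_len, outer_header_len)
        return self.state()

    def account_inbound(self, datagram_len: int, outer_header_len: int = IPV4_HEADER_LEN) -> str:
        self.rx_bytes += protected_length(datagram_len, outer_header_len)
        return self.state()

    def state(self) -> str:
        # Assumed design choice: judge the pair by whichever direction is further
        # along. A lossy rx count can only undercount, so this never expires early
        # because of loss, but it does catch a peer that sends more than we do.
        used = max(self.tx_bytes, self.rx_bytes)
        if used >= self.lifetime.hard_bytes:
            return "expired"
        if used >= self.lifetime.soft_bytes:
            return "rekey"
        return "active"


def account_bundle(sas: list, layer_lengths: list, outer_header_len: int = IPV4_HEADER_LEN) -> list:
    """Question [1] in the thread: one packet transformed by several SAs.
    layer_lengths[i] is the datagram as it leaves transform i, innermost first.
    Each SA counts only the section it secured, so the outer datagram is not
    charged to every SA in the bundle. Returns the per-SA byte counts."""
    counted = []
    for sa, length in zip(sas, layer_lengths):
        sa.account_outbound(length, outer_header_len)
        counted.append(protected_length(length, outer_header_len))
    return counted


if __name__ == "__main__":
    # Constructed datagram sizes: 520 bytes on the wire is 500 protected bytes.
    pair = SAPair(spi_out=0x1001, spi_in=0x2001, lifetime=TrafficLifetime(1000, 1500))
    for n in range(3):
        print("outbound", pair.account_outbound(520), pair.tx_bytes)
    print("inbound", pair.account_inbound(120), pair.rx_bytes)

    # Constructed bundle: transport-mode ESP (220-byte datagram, 200 protected)
    # then tunnel-mode ESP around it (270-byte datagram, 250 protected).
    inner = SAPair(1, 2, TrafficLifetime(10_000, 20_000))
    outer = SAPair(3, 4, TrafficLifetime(10_000, 20_000))
    print("bundle", account_bundle([inner, outer], [220, 270]))
```

In the bundle case the two SAs together account for 450 bytes rather than 540 (charging the full outer datagram to both) or 270 (charging it once to the bundle), which is what "just the section that the SA secured" amounts to when a packet passes through more than one transform.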