
Re: Expiry based on traffic (kilobytes)



> 
> Angelos,
> 
> There is a further complication in IPSEC SAs established by ISAKMP: the
> SAs are unidirectional but ISAKMP only negotiates one bi-directional set
> of values.  We can presume I suppose this means the same lifetime byte
> limit goes on both unidirectional SAs, but it seems to me it should be
> made explicit in ISAKMP, or rather in the IP DOI.
> 
> John B.
> 

I've always treated it such that SAs which are created together are
siblings: they will share the same lifetime, and they will die
together, regardless of what causes one SA to terminate (aging,
clearing of part of the SADB, or any unnatural causes).

To me, this belongs in the security architecture document...  

- C
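The sibling behaviour described in this reply, as an added illustration that is not part of the thread: a small constructed SADB model in which the one byte-count lifetime negotiated by ISAKMP is applied to each unidirectional SA of a pair, and terminating either SA (limit reached or manual clear) also tears down its sibling. Class and field names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model: two unidirectional SAs negotiated together share one
# negotiated byte limit and are torn down together (sibling semantics).

@dataclass
class SA:
    spi: int
    direction: str                      # "in" or "out"
    bytes_seen: int = 0
    alive: bool = True
    sibling: Optional["SA"] = field(default=None, repr=False)


class SADB:
    def __init__(self, byte_limit: int):
        # One negotiated limit; each direction counts its own traffic against it.
        self.byte_limit = byte_limit
        self.sas: dict[int, SA] = {}
        self.log: list[str] = []

    def install_pair(self, spi_in: int, spi_out: int) -> tuple[SA, SA]:
        sa_in, sa_out = SA(spi_in, "in"), SA(spi_out, "out")
        sa_in.sibling, sa_out.sibling = sa_out, sa_in
        self.sas[spi_in], self.sas[spi_out] = sa_in, sa_out
        return sa_in, sa_out

    def process(self, spi: int, nbytes: int) -> bool:
        """Account nbytes against the SA; False means the SA may not be used."""
        sa = self.sas.get(spi)
        if sa is None or not sa.alive:
            return False
        sa.bytes_seen += nbytes
        if sa.bytes_seen >= self.byte_limit:
            # The packet that reaches the limit is the last one; then both die.
            self.expire(spi, "byte limit reached")
        return True

    def expire(self, spi: int, reason: str) -> None:
        """Terminate an SA for any reason and take its sibling with it."""
        sa = self.sas.get(spi)
        if sa is None or not sa.alive:
            return
        sa.alive = False
        self.log.append(f"SPI {spi:#x} ({sa.direction}) expired: {reason}")
        if sa.sibling is not None and sa.sibling.alive:
            self.expire(sa.sibling.spi, f"sibling SPI {spi:#x} terminated")
```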


