
Re: Expiry based on traffic (kilobytes)



> > There is a further complication in IPSEC SAs established by ISAKMP: the
> > SAs are unidirectional but ISAKMP only negotiates one bi-directional set
> > of values.  We can presume I suppose this means the same lifetime byte
> > limit goes on both unidirectional SAs, but it seems to me it should be
> > made explicit in ISAKMP, or rather in the IP DOI.
> > 
> > John B.
> > 
> 
> I've always treated it so that the SAs which are created together are
> siblings: they share the same lifetime, and they die together,
> regardless of what causes one SA to terminate (aging, clearing of part
> of the SADB, or any unnatural causes).

Hmmm, I dunno about linking SA pairs so close at the hip.  Consider the
bulk-transfer case where one SA gets its bytes lifetime depleted considerably
faster than the other SA.  Sure, the subsequent renegotiation may create
additional pairs, but that's no reason to kill the one that hasn't expired
yet.

If there's an issue of time, slap a time limit along with the bytes.
Whichever one (too much time or too many bytes) hits first kills the SA.

BTW, I have to say that one should count bytes "treated" by an SA, not
"untreated" bytes.  For AH, this includes whole packets.  For ESP, this
includes only the ESP header and ESP data.  Just my $0.02 on this.

Dan
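
[Added example, not part of Dan's post or of any IPsec implementation.]
The accounting Dan describes, modelled in Python: two SAs negotiated as a
pair get the same byte and time lifetimes but keep their own counters; each
dies when whichever limit (bytes or time) is hit first; and bytes are counted
as "treated", i.e. the whole packet for AH but only the ESP header and ESP
data for ESP.  The header sizes, packet sizes, lifetimes, SPIs and the
bulk-transfer traffic mix are constructed for the example.  It shows the
asymmetric case from the reply: the outbound SA burns its byte budget in a
few seconds while the inbound SA carrying ACKs lives on until its time limit.

```python
"""Per-SA lifetime accounting: byte limit and time limit, whichever hits first.

Added example; packet sizes, header sizes and lifetimes are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed header sizes (bytes); assumptions for the example.
IP_HDR = 20    # IPv4 header without options
AH_HDR = 24    # AH header carrying a 96-bit ICV
ESP_HDR = 8    # ESP SPI + sequence number


@dataclass
class Packet:
    payload_len: int          # upper-layer bytes the SA protects
    esp_trailer_len: int = 2  # assumption: pad length + next header, no padding


@dataclass
class SA:
    spi: int
    proto: str              # "ah" or "esp"
    byte_limit: int         # lifetime in treated bytes
    time_limit: float       # lifetime in seconds
    established: float      # when the SA came into use
    treated_bytes: int = 0  # this SA's own counter; its sibling has another

    def treated_size(self, pkt: Packet) -> int:
        """Bytes this SA actually treats; only these count against the limit."""
        if self.proto == "ah":
            # AH authenticates the whole packet: outer IP header, AH header, payload.
            return IP_HDR + AH_HDR + pkt.payload_len
        # ESP: only the ESP header and ESP data (payload plus trailer); the
        # outer IP header is not treated and so is not counted.
        return ESP_HDR + pkt.payload_len + pkt.esp_trailer_len

    def expiry_reason(self, now: float) -> Optional[str]:
        """Whichever limit is hit first kills the SA."""
        if self.treated_bytes >= self.byte_limit:
            return "bytes"
        if now - self.established >= self.time_limit:
            return "time"
        return None

    def process(self, pkt: Packet, now: float) -> Optional[str]:
        """Account one packet against this SA; return the expiry reason, if any."""
        reason = self.expiry_reason(now)
        if reason is None:
            self.treated_bytes += self.treated_size(pkt)
            reason = self.expiry_reason(now)
        return reason


def simulate_bulk_transfer(byte_limit=1_000_000, time_limit=60.0, rate_pps=100):
    """Bulk transfer over a sibling SA pair: 1400-byte data out, 40-byte ACKs back.

    Returns {"outbound": (reason, treated_bytes, time), "inbound": (...)} for
    the moment each SA dies.  Each SA is judged on its own counters, so the
    inbound SA is not killed just because its sibling ran out of bytes.
    """
    out_sa = SA(0x1001, "esp", byte_limit, time_limit, established=0.0)
    in_sa = SA(0x1002, "esp", byte_limit, time_limit, established=0.0)
    data, ack = Packet(1400), Packet(40)
    dead = {}
    for tick in range(10 * rate_pps * int(time_limit) + 1):  # bounded loop
        now = tick / rate_pps
        for name, sa, pkt in (("outbound", out_sa, data), ("inbound", in_sa, ack)):
            if name in dead:
                continue
            reason = sa.process(pkt, now)
            if reason:
                dead[name] = (reason, sa.treated_bytes, now)
        if len(dead) == 2:
            break
    return dead


if __name__ == "__main__":
    for name, (reason, nbytes, t) in simulate_bulk_transfer().items():
        print(f"{name}: expired by {reason} after {nbytes} treated bytes at t={t:.2f}s")
```

With the constructed numbers the outbound ESP SA treats 1410 bytes per
segment and exhausts a 1,000,000-byte lifetime after 710 packets, about 7 s
in; the inbound SA has treated only 300,000 bytes when its 60 s time limit
kills it.  Swapping "esp" for "ah" on either SA changes only treated_size,
which is the point of counting treated rather than untreated bytes.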

