
Security Association Lifetimes in kbytes
In order to get consistency in implementations of various
IP Security products, I wanted to ask about implementing
lifetimes in terms of kbytes.

Is it assumed that we use the length field in the IP header?
If so, won't the effect vary depending on IPv4/IPv6 and
various options that are selected that determine the number
and size of headers and MTU sizes?  How would an administrator
know how much to increment the size to account for this type
of overhead?

How do we handle overlap to refresh the keys before the
previous SA expires?  Is this usually a user-configurable
option of some percentage of the lifetime? It seems success at
refreshing the keys would vary depending on whether the data is
bursty or not.

Can the tunnel expire in the middle of a packet, or do we
implement it on packet boundaries? Do you toss the packet
if the entire packet does not make it in the lifetime?

Would appreciate your feedback.

Jackie

-- 
Jacqueline Wilson          | Phn:  (512) 838-2702
IBM, AIX/6000              | Fax:  (512) 838-3509
11400 Burnet Road ZIP 9551 | Ext:  8-2702   Tie-Line:  678
Austin, TX 78758-3493      | inet: jhwilson@austin.ibm.com
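As an added illustration of the three mechanics the questions above touch on (what gets counted, a soft rekey threshold as a fraction of the lifetime, and expiry on packet boundaries), here is a small Python model. It is example code written for this page, not from any IPsec implementation or RFC; the header sizes, the ESP overhead and the rule that the full on-the-wire length is charged are constructed assumptions.

```python
# Illustrative model of a byte-counted SA lifetime; constants are constructed
# assumptions for this example, not values taken from any standard.
from dataclasses import dataclass

IP_HDR = {4: 20, 6: 40}        # assumed: IPv4 without options, IPv6 without extension headers
ESP_OVERHEAD = 8 + 8 + 2 + 12  # assumed ESP framing: SPI+seq, IV, pad-len/next-hdr, 96-bit ICV

def wire_len(payload_len: int, ip_version: int) -> int:
    """Bytes on the wire for one tunnel-mode packet carrying payload_len bytes (assumed layout)."""
    return IP_HDR[ip_version] + ESP_OVERHEAD + payload_len

@dataclass
class ByteLifetimeSA:
    hard_kbytes: int            # hard lifetime in kbytes; nothing more is sent once it is reached
    soft_fraction: float = 0.8  # rekey is requested once this share of the hard limit is used
    sent: int = 0
    rekey_requested: bool = False
    expired: bool = False

    @property
    def hard_bytes(self) -> int:
        return self.hard_kbytes * 1024

    def account(self, payload_len: int, ip_version: int = 4) -> str:
        """Charge one whole packet against the SA (accounting happens on packet boundaries).

        Returns 'expired' when the complete packet no longer fits under the hard
        limit (the packet is not sent and the SA is marked expired), 'rekey' when
        the packet is sent but the soft threshold has just been crossed, else 'ok'.
        """
        if self.expired:
            return "expired"
        n = wire_len(payload_len, ip_version)
        if self.sent + n > self.hard_bytes:   # never split one packet across the limit
            self.expired = True
            return "expired"
        self.sent += n
        if not self.rekey_requested and self.sent >= self.soft_fraction * self.hard_bytes:
            self.rekey_requested = True
            return "rekey"
        return "ok"

def packets_per_lifetime(hard_kbytes: int, payload_len: int, ip_version: int) -> int:
    """How many packets of a given payload size one lifetime admits under this accounting."""
    return (hard_kbytes * 1024) // wire_len(payload_len, ip_version)
```

Comparing `packets_per_lifetime` for IPv4 and IPv6 with the same payload shows how much of a kbyte budget goes to header overhead, which is the quantity an administrator would have to add to the limit to keep the payload budget constant.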