Re: simultaneous lifetime type support required?
>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
>> Roy Pereira wrote:
>>
>> Yes. Both expiry types should be supported at the same time.
>> Expiry would happen when either of the expiry values get triggered.
>>
>> Scott wrote: I recognize the need to support both types, but the
>> question is, am I required to support both types simultaneously?
>> That is, if you send me 2 lifetime payloads together, one in
>> kbytes and one in seconds, does this mean you want both values
>> used, with the actual expiration based upon whichever occurs
>> first?
Scott> The question has not been answered satisfactorily by any of
Scott> the responses to date. Let me rephrase: where in the document
Scott> set does it state that a system MUST/should/may support
Scott> simultaneous specification of seconds/kbytes for SA lifetimes,
Scott> terminating the SA depending upon which limit is reached
Scott> first? I see a reference to multiple lifetimes in DOI (section
Scott> 4.5.2), but this is just parsing info, and does not contain
Scott> any language indicating the implementation status
Scott> (must/may/should). I see no other references.
Ipsec-arch discusses lifetime but doesn't explicitly discuss the case
of both limits being active at the same time either.
Then again, I must admit being somewhat puzzled why this is such an
issue. If you implement each feature, it's hard to see how it could
cost you ANYTHING to have them both active for the same SA.
paul
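
The behaviour debated in this thread, as an added example that is not part of the original message or of any IPsec implementation: both lifetime attributes are parsed from one proposal and the SA is ended by whichever limit is reached first. The attribute numbers and the TV/TLV encoding are taken from the published IPsec DOI (RFC 2407) and ISAKMP (RFC 2408); the names `sa_life`, `parse_lifetimes`, `sa_expired` and `sample_attrs` are hypothetical, and rejecting a duration that has no preceding type is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute classes and life-type values as numbered in RFC 2407, section 4.5. */
enum { ATTR_LIFE_TYPE = 1, ATTR_LIFE_DURATION = 2 };
enum { LIFE_SECONDS = 1, LIFE_KBYTES = 2 };

struct sa_life { uint64_t max_seconds, max_kbytes; };  /* 0 = limit not set */

/* Constructed sample: seconds/3600 (TV form), then kilobytes/4608000 (TLV form). */
const uint8_t sample_attrs[] = {
    0x80, 0x01, 0x00, 0x01,  0x80, 0x02, 0x0e, 0x10,
    0x80, 0x01, 0x00, 0x02,  0x00, 0x02, 0x00, 0x04, 0x00, 0x46, 0x50, 0x00 };

/* Each Life Type names the unit of the Life Duration that follows it.
   Returns 0 on success, -1 on malformed input. */
int parse_lifetimes(const uint8_t *p, size_t len, struct sa_life *out)
{
    unsigned pending = 0;                 /* unit awaiting its duration */
    out->max_seconds = out->max_kbytes = 0;
    while (len >= 4) {
        int basic = p[0] & 0x80;          /* AF bit set: 2-byte value, no length */
        unsigned type = ((p[0] & 0x7fu) << 8) | p[1];
        size_t vlen = basic ? 2 : (size_t)((p[2] << 8) | p[3]);
        const uint8_t *v = basic ? p + 2 : p + 4;
        size_t total = basic ? 4 : 4 + vlen;
        uint64_t val = 0;
        if (total > len || vlen > 8) return -1;   /* truncated or oversized */
        for (size_t i = 0; i < vlen; i++) val = (val << 8) | v[i];
        if (type == ATTR_LIFE_TYPE) {
            if (val != LIFE_SECONDS && val != LIFE_KBYTES) return -1;
            pending = (unsigned)val;
        } else if (type == ATTR_LIFE_DURATION) {
            if (pending == LIFE_SECONDS) out->max_seconds = val;
            else if (pending == LIFE_KBYTES) out->max_kbytes = val;
            else return -1;               /* duration with no preceding type */
            pending = 0;
        }
        p += total; len -= total;
    }
    return (len == 0 && pending == 0) ? 0 : -1;
}

/* Both limits are live at once; whichever is reached first ends the SA. */
int sa_expired(const struct sa_life *l, uint64_t age_seconds, uint64_t bytes_used)
{
    if (l->max_seconds && age_seconds >= l->max_seconds) return 1;
    if (l->max_kbytes && bytes_used / 1024 >= l->max_kbytes) return 1;
    return 0;
}
```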