
Re: simultaneous lifetime type support required?



Michael C. Richardson wrote:
> 
> >>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
>     Scott> others, it is appropriate to support it. But DOI only refers to phase 2,
>     Scott> so what about phase 1? Is there language anywhere defining this?
> 
>   Frankly, I don't think that the ISAKMP SA will pass enough bytes to
> ever justify expiring it by byte count. Time will always be the critical
> factor for expiring keys for ISAKMP.
>   [If I'm wrong, and that the ISAKMP will pass megabytes of data in
> under an hour or two, then there is probably something very wrong..]

Agreed.


> page 23 of arch-sec-06.txt:
> 
>          o Lifetime of this Security Association: a time interval after
>            which an SA must be replaced with a new SA (and new SPI) or
>            terminated, plus an indication of which of these actions should
> |          occur.  This may be expressed as a time or byte count, or a
> |          combination of both, the first lifetime to expire taking
> |          precedence. A compliant implementation MUST support both
> |          types of lifetimes, and must support their combination.

Excellent - this is what I was looking for. Thanks!
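The quoted arch-sec text defines the rule an implementation has to enforce: a lifetime may be a time interval, a byte count, or both, and whichever expires first takes precedence, together with an indication of whether the SA is replaced (new SA, new SPI) or terminated. The following Python model is an added example written for this archive page; it is not code from the thread, from any IPsec implementation, or from the draft. Every name (`SALifetime`, `SecurityAssociation`, `simulate`), the SPI values, and the traffic patterns are constructed for illustration. It also shows the point made above about phase 1: a simulated ISAKMP SA passes so few bytes that only its time limit ever fires, while a simulated phase 2 SA carrying bulk traffic trips its byte limit long before its time limit.

```python
"""Illustrative IPsec SA lifetime model (added example, not from the thread).

Implements the quoted arch-sec rule: time limit, byte limit, or both;
the first to expire takes precedence; the SA carries an indication of
whether to replace (rekey) or terminate on expiry.  All identifiers and
numbers are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class ExpiryAction(Enum):
    REPLACE = "replace"      # negotiate a new SA (and new SPI) on expiry
    TERMINATE = "terminate"  # tear the SA down with no replacement


@dataclass
class SALifetime:
    seconds: Optional[int] = None    # time limit; None means no time limit
    kilobytes: Optional[int] = None  # byte limit; None means no byte limit
    action: ExpiryAction = ExpiryAction.REPLACE

    def __post_init__(self) -> None:
        # A compliant implementation supports time, bytes, or both,
        # but an SA with no limit at all would never expire.
        if self.seconds is None and self.kilobytes is None:
            raise ValueError("SA lifetime needs a time limit, a byte limit, or both")


@dataclass
class SecurityAssociation:
    spi: int
    lifetime: SALifetime
    established_at: float
    bytes_processed: int = 0
    expired_by: Optional[str] = None  # "time" or "bytes" once expired

    def record_traffic(self, nbytes: int) -> None:
        self.bytes_processed += nbytes

    def check(self, now: float) -> Optional[str]:
        """Return the reason this SA expired ("time" / "bytes") or None.

        The reason is latched on first expiry, so the limit that trips
        first keeps precedence on every later check.  If both trip within
        the same check interval, time is reported (an arbitrary tie rule).
        """
        if self.expired_by is not None:
            return self.expired_by
        lt = self.lifetime
        if lt.seconds is not None and now - self.established_at >= lt.seconds:
            self.expired_by = "time"
        elif lt.kilobytes is not None and self.bytes_processed >= lt.kilobytes * 1024:
            self.expired_by = "bytes"
        return self.expired_by


def simulate(sa: SecurityAssociation,
             traffic: List[Tuple[float, int]]) -> Tuple[Optional[str], float, Optional[ExpiryAction]]:
    """Feed (timestamp, nbytes) events through the SA; stop at first expiry."""
    for ts, nbytes in traffic:
        sa.record_traffic(nbytes)
        reason = sa.check(ts)
        if reason is not None:
            return reason, ts, sa.lifetime.action
    return None, traffic[-1][0], None


def isakmp_example() -> Tuple[Optional[str], float, Optional[ExpiryAction]]:
    # Constructed phase 1 (ISAKMP) SA: 12 small messages of 200 bytes,
    # five minutes apart, with a 1 hour / 10 MB lifetime.  Only time fires.
    sa = SecurityAssociation(
        spi=0x1000, established_at=0.0,
        lifetime=SALifetime(seconds=3600, kilobytes=10 * 1024))
    traffic = [(t * 300.0, 200) for t in range(1, 13)]
    return simulate(sa, traffic)


def ipsec_bulk_example() -> Tuple[Optional[str], float, Optional[ExpiryAction]]:
    # Constructed phase 2 (IPsec) SA: one 1400-byte packet per second with
    # a 1 hour / 1 MB lifetime.  The byte count trips first (after 749 packets).
    sa = SecurityAssociation(
        spi=0x2000, established_at=0.0,
        lifetime=SALifetime(seconds=3600, kilobytes=1024))
    traffic = [(float(i), 1400) for i in range(1, 3000)]
    return simulate(sa, traffic)


if __name__ == "__main__":
    print("ISAKMP SA:", isakmp_example())
    print("IPsec SA: ", ipsec_bulk_example())
```

`check()` latches the first reason so the "first lifetime to expire taking precedence" rule survives later checks where both limits would be true; the caller then acts on `lifetime.action` (rekey or tear down) rather than guessing from which limit fired.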

