Re: simultaneous lifetime type support required?
Michael C. Richardson wrote:
>
> >>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
> Scott> others, it is appropriate to support it. But DOI only refers to phase 2,
> Scott> so what about phase 1? Is there language anywhere defining this?
>
> Frankly, I don't think that the ISAKMP SA will pass enough bytes to
> ever justify expiring it by byte count. Time will always be the critical
> factor for expiring keys for ISAKMP.
> [If I'm wrong, and the ISAKMP SA will pass megabytes of data in
> under an hour or two, then there is probably something very wrong..]
Agreed.
> page 23 of arch-sec-06.txt:
>
> o Lifetime of this Security Association: a time interval after
> which an SA must be replaced with a new SA (and new SPI) or
> terminated, plus an indication of which of these actions should
> | occur. This may be expressed as a time or byte count, or a
> | combination of both, the first lifetime to expire taking
> | precedence. A compliant implementation MUST support both
> | types of lifetimes, and must support their combination.
Excellent - this is what I was looking for. Thanks!
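As an added illustration of the quoted arch-sec-06 text (this is example code, not from the thread or any particular IPsec implementation): an SA lifetime may be a time limit, a byte count, or both, and whichever limit is reached first triggers the SA's configured action (replace with a new SA and SPI, or terminate). The class and function names below, the kilobyte unit, and the refusal to create an SA with no limit at all are the example's own choices, not something the draft text prescribes.

```python
"""Enforce an SA lifetime given as a time limit, a byte count, or both,
with the first limit reached taking precedence (arch-sec-06, page 23).
Added example; not code from the thread or from any IPsec stack."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class ExpiryAction(Enum):
    REPLACE = "replace"        # negotiate a new SA with a new SPI, then retire this one
    TERMINATE = "terminate"    # tear the SA down without a replacement


@dataclass(frozen=True)
class Lifetime:
    seconds: Optional[int] = None      # None: no time limit
    kilobytes: Optional[int] = None    # None: no byte-count limit
    action: ExpiryAction = ExpiryAction.REPLACE

    def __post_init__(self) -> None:
        # Assumption of this example: an SA with no limit at all would never
        # expire, so refuse to construct one.
        if self.seconds is None and self.kilobytes is None:
            raise ValueError("lifetime needs a time limit, a byte limit, or both")
        for name in ("seconds", "kilobytes"):
            value = getattr(self, name)
            if value is not None and value <= 0:
                raise ValueError(f"{name} must be positive")


@dataclass
class SecurityAssociation:
    spi: int
    lifetime: Lifetime
    established_at: float      # seconds on a monotonic clock when the SA came up
    bytes_protected: int = 0

    def account(self, nbytes: int) -> None:
        """Charge traffic protected under this SA against its byte lifetime."""
        self.bytes_protected += nbytes

    def expired_by(self, now: float) -> List[str]:
        """Return the lifetimes that have run out ('time', 'bytes'); empty if none."""
        hit: List[str] = []
        lt = self.lifetime
        if lt.seconds is not None and now - self.established_at >= lt.seconds:
            hit.append("time")
        if lt.kilobytes is not None and self.bytes_protected >= lt.kilobytes * 1024:
            hit.append("bytes")
        return hit


def expiry_action(sa: SecurityAssociation, now: float) -> Optional[ExpiryAction]:
    """The first lifetime to expire takes precedence: any exhausted limit
    triggers the configured action. None means the SA is still usable."""
    return sa.lifetime.action if sa.expired_by(now) else None


if __name__ == "__main__":
    # Constructed scenario: a phase 1 (ISAKMP) SA with a time-only lifetime,
    # and a phase 2 (IPsec) SA with both a time and a byte limit.
    isakmp = SecurityAssociation(spi=0x1001, established_at=0.0,
                                 lifetime=Lifetime(seconds=8 * 3600,
                                                   action=ExpiryAction.TERMINATE))
    ipsec = SecurityAssociation(spi=0x2001, established_at=0.0,
                                lifetime=Lifetime(seconds=3600, kilobytes=100_000))
    ipsec.account(60_000 * 1024)
    print("ipsec after 60 MB at t=600s:", expiry_action(ipsec, 600.0))
    ipsec.account(40_000 * 1024)
    print("ipsec after 100 MB at t=600s:", expiry_action(ipsec, 600.0), ipsec.expired_by(600.0))
    isakmp.account(10 ** 9)
    print("isakmp after 1 GB at t=600s:", expiry_action(isakmp, 600.0))
    print("isakmp at t=8h:", expiry_action(isakmp, 8 * 3600.0))
```

The phase 1 SA carries no byte limit, so however much it moves, only the clock retires it; the phase 2 SA is replaced as soon as either its hour or its 100 MB is used up, whichever comes first.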