Responder Lifetime
Looking closely at the IPSEC DOI, I found the following paragraph regarding
Responder Lifetime:
"if the initiator offers an SA lifetime longer than the responder is
willing to accept, the responder SHOULD include an ISAKMP Notification
Payload in the exchange that includes the responder's IPSEC SA payload.
Section 4.6.3.1 defines the payload layout for the RESPONDER-LIFETIME
Notification Message type which MUST be used for this purpose."
Later on it states:
"Notification Status Messages MUST be sent under the protection of an
ISAKMP SA: either as a payload in the last Main Mode exchange; in a
separate Informational Exchange after Main Mode or Aggressive Mode
processing is complete; or as a payload in any Quick Mode exchange.
These messages MUST NOT be sent in Aggressive Mode exchange, since
Aggressive Mode does not provide the necessary protection to bind the
Notify Status Message to the exchange."
1. What is the meaning of "the exchange that includes the responder's
IPSEC SA payload" in the case that the RESPONDER-LIFETIME refers to
an ISAKMP SA?
2. If I send a RESPONDER-LIFETIME notification payload that refers to an IKE
SA within a QM exchange, what should be in the DOI field of the
notification payload? Should it be 1 for IPSEC or should it be 0 for
ISAKMP?
Regards,
Tamir.
========================================================================
Zegman Tamir
Encryption group, R&D Tel: +972-3-7534606
Check Point Software Tech. Ltd. Fax: +972-3-5759256
3A Jabotinsky St., Diamond Tower
Ramat-Gan 52520, ISRAEL
e-mail: zegman@checkpoint.com http://www.checkpoint.com
========================================================================
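The RESPONDER-LIFETIME notification that the questions above refer to is an ordinary ISAKMP Notification payload (RFC 2408 section 3.14: Next Payload, RESERVED, Payload Length, DOI, Protocol-ID, SPI Size, Notify Message Type, SPI, Notification Data) whose Notification Data carries the responder's lifetime as an ISAKMP attribute list. The following Python is an added example, not code from the original post or from any IKE implementation: it builds and parses such a payload and shows the responder-side check that triggers it (initiator offered a lifetime longer than the local maximum). The numeric constants are taken from RFC 2407/2408/2409 as the author of this example recalls them (RESPONDER-LIFETIME = 24576, IPSEC DOI attributes Life Type = 1 and Life Duration = 2, ISAKMP SA attributes Life Type = 11 and Life Duration = 12) and should be checked against the RFC text; the DOI and Protocol-ID are plain parameters, so the example takes no position on question 2.

```python
import struct

# Numeric values as assumed from RFC 2407 / 2408 / 2409 (verify against the RFCs).
DOI_ISAKMP = 0
DOI_IPSEC = 1
PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PAYLOAD_NOTIFY = 11                 # ISAKMP payload type for a Notification payload
NOTIFY_RESPONDER_LIFETIME = 24576   # RFC 2407 section 4.6.3 (DOI-specific status message)
IPSEC_ATTR_LIFE_TYPE = 1            # RFC 2407 section 4.5, IPSEC SA attributes
IPSEC_ATTR_LIFE_DURATION = 2
ISAKMP_ATTR_LIFE_TYPE = 11          # RFC 2409 Appendix A, ISAKMP SA attributes
ISAKMP_ATTR_LIFE_DURATION = 12
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


def encode_attribute(attr_type, value):
    """Encode one ISAKMP data attribute (RFC 2408 section 3.3).
    Basic form (AF bit set, 2-byte value) when it fits in 16 bits,
    otherwise variable form (AF clear, 2-byte length, then the value)."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    data = value.to_bytes(4, "big")
    return struct.pack("!HH", attr_type, len(data)) + data


def decode_attributes(data):
    """Decode an attribute list into [(type, value), ...], rejecting truncated input."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            attrs.append((af_type & 0x7FFF, val_or_len))
        else:
            if off + val_or_len > len(data):
                raise ValueError("truncated variable-length attribute")
            attrs.append((af_type, int.from_bytes(data[off:off + val_or_len], "big")))
            off += val_or_len
    if off != len(data):
        raise ValueError("trailing bytes after attribute list")
    return attrs


def build_responder_lifetime(doi, proto_id, spi, life_type, duration, next_payload=0):
    """Build a RESPONDER-LIFETIME Notification payload.
    The attribute numbering depends on what the notify refers to: IPSEC DOI
    attributes for an IPsec SA, ISAKMP SA attributes for the IKE SA itself."""
    if proto_id == PROTO_ISAKMP:
        t_attr, d_attr = ISAKMP_ATTR_LIFE_TYPE, ISAKMP_ATTR_LIFE_DURATION
    else:
        t_attr, d_attr = IPSEC_ATTR_LIFE_TYPE, IPSEC_ATTR_LIFE_DURATION
    notify_data = encode_attribute(t_attr, life_type) + encode_attribute(d_attr, duration)
    body = struct.pack("!IBBH", doi, proto_id, len(spi), NOTIFY_RESPONDER_LIFETIME) + spi + notify_data
    # Generic payload header: Next Payload, RESERVED, Payload Length (covers the header).
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_notification(payload):
    """Parse a Notification payload, checking lengths before trusting any field."""
    if len(payload) < 12:
        raise ValueError("payload shorter than fixed Notification header")
    next_payload, _reserved, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("Payload Length does not match data received")
    doi, proto_id, spi_size, msg_type = struct.unpack_from("!IBBH", payload, 4)
    spi = payload[12:12 + spi_size]
    if len(spi) != spi_size:
        raise ValueError("SPI Size exceeds payload")
    return {"next_payload": next_payload, "doi": doi, "proto_id": proto_id,
            "spi": spi, "type": msg_type, "data": payload[12 + spi_size:]}


def responder_lifetime_if_needed(offered_seconds, local_max_seconds, doi, proto_id, spi):
    """Responder-side rule from the quoted DOI text: if the initiator's offered
    lifetime is longer than we accept, return the notify announcing our lifetime;
    otherwise return None (no notification required)."""
    if offered_seconds <= local_max_seconds:
        return None
    return build_responder_lifetime(doi, proto_id, spi, LIFE_TYPE_SECONDS, local_max_seconds)


if __name__ == "__main__":
    # Constructed sample: ESP SA, 4-byte SPI, responder only accepts 3600 s.
    notify = responder_lifetime_if_needed(28800, 3600, DOI_IPSEC, PROTO_IPSEC_ESP, b"\x00\x00\x00\x01")
    parsed = parse_notification(notify)
    print(parsed["type"], parsed["doi"], decode_attributes(parsed["data"]))
```

Parsing validates Payload Length and SPI Size before slicing, which is the part a receiver most often gets wrong; a peer's notify must never be able to read past the buffer it arrived in.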