
Re: Question about mis-match SA lifetimes



  Good question. It's not really possible to negotiate down to the 
lowest value since this is a simple request-response protocol. RFC2407,
in section 4.5.4, defines 3 things you can do if someone offers you a 
lifetime which is greater than the one you have configured: 1) fail the 
negotiation; 2) complete the negotiation but just use the locally 
configured, shorter, time; or, 3) complete the negotiation and notify the 
peer what the real lifetime you're using is.

  But that only works with phase 2 negotiation because RFC2409, sadly,
does not define a notify message analogous to the DOI's RESPONDER-LIFETIME.
So the only options for phase 1 are 1 or 2: fail the negotiation or just
ignore what the operator has configured. One of the action items from 
http://www.lounge.org/ike_doi_errata.html is to rectify that though.

  Keep in mind that if you choose option 1 you may have a difficult time 
going through the "certification" process. One of the presumptions of the 
"certification" testing is that IPSec and IKE policy are commutative. That's 
a flawed premise (enforcement of SA lifetime and Diffie-Hellman group policy 
are examples of how you can configure things such that Alice can successfully 
initiate to Bob but Bob can't successfully initiate to Alice) and I had a 
helluva time explaining that when our box which chooses option 1 for phase 
1 negotiation (it does option 3 for phase 2) was tested against the ACME 
corporation box which chooses option 2 for phase 1. When I initiated to ACME
it could care less what the lifetime I offered was and accepted; when ACME 
initiated to me I enforced my locally configured policy (under the assumption 
that it was put that way for a reason by the operator) and failed.

  Dan.

On Tue, 02 Feb 1999 09:13:44 EST you wrote
> Hi,
> 
>     Who wins when there is a mismatch in SA lifetimes. Is the initiators
> value always used, do you negotiate down to the lowest value, or do you
> just reject the proposal?
> 
> Thanks
> Andy
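A small model of the three RFC2407 section 4.5.4 responder options and of the policy asymmetry described in the reply, added here as an example; it is not code from the original mail or from any IKE implementation, and the peer names, lifetimes and per-phase action choices are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    """Responder choices from RFC2407 section 4.5.4 for an offered lifetime
    longer than the locally configured one."""
    FAIL = 1       # option 1: reject the proposal outright
    USE_LOCAL = 2  # option 2: accept, silently use the shorter local lifetime
    NOTIFY = 3     # option 3: accept and send RESPONDER-LIFETIME (phase 2 only)


@dataclass
class Peer:
    name: str
    lifetime: int          # locally configured SA lifetime in seconds (constructed)
    phase1_action: Action
    phase2_action: Action


@dataclass
class Outcome:
    established: bool
    lifetime: Optional[int]
    notify: Optional[str]


def respond(responder: Peer, offered: int, phase: int) -> Outcome:
    """Model the responder side: ISAKMP is request-response, so the responder
    can only accept or reject the offered value, never counter-propose."""
    action = responder.phase1_action if phase == 1 else responder.phase2_action
    if phase == 1 and action is Action.NOTIFY:
        # RFC2409 defines no notify analogous to the DOI's RESPONDER-LIFETIME
        raise ValueError("option 3 is not available in phase 1")
    if offered <= responder.lifetime:
        return Outcome(True, offered, None)  # shorter offer: simply accept it
    if action is Action.FAIL:
        return Outcome(False, None, None)
    if action is Action.USE_LOCAL:
        return Outcome(True, responder.lifetime, None)
    return Outcome(True, responder.lifetime, "RESPONDER-LIFETIME")


def negotiate(initiator: Peer, responder: Peer, phase: int) -> Outcome:
    """The initiator offers its own configured lifetime; the responder decides."""
    return respond(responder, initiator.lifetime, phase)
```

With one peer on option 1 for phase 1 and the other on option 2, `negotiate(a, b, 1)` succeeds while `negotiate(b, a, 1)` fails, which is exactly why lifetime policy is not commutative.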
