
RE: Question about mis-match SA lifetimes



Suppose that both sides negotiate to use the same lifetime.  Locally you
will enforce that lifetime but there is no guarantee that the other side
enforces that lifetime properly.  This can therefore reduce to being the
same thing as if they offered a longer lifetime than what you enforce
according to your local policy.  This being the case, what's the merit in
choosing option 1?  Do you expect an exact match on the lifetime(s) - i.e.,
do you fail the negotiation if the lifetime offered is less than what you
have configured as well?

Along the same line.  If their certificate would expire before the
lifetime(s) would expire, do you fail the negotiation or just enforce the
lifetime(s) to not extend past the expiration of their certificate?  I would
be curious as to how many implementations reduce the lifetime that they
offer to limit it to the expiration of their own certificate.

-dave



> -----Original Message-----
> From:	Daniel Harkins [SMTP:dharkins@cisco.com]
> Sent:	Tuesday, February 02, 1999 9:23 PM
> To:	Andrew Sweeney
> Cc:	ipsec@tis.com
> Subject:	Re: Question about mis-match SA lifetimes 
> 
>   Good question. It's not really possible to negotiate down to the 
> lowest value since this is a simple request-response protocol. RFC2407,
> in section 4.5.4, defines 3 things you can do if someone offers you a 
> lifetime which is greater than the one you have configured: 1) fail the 
> negotiation; 2) complete the negotiation but just use the locally 
> configured, shorter, time; or, 3) complete the negotiation and notify the 
> peer what the real lifetime you're using is.
> 
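As an added example (not code from this thread or from any IPsec implementation), the following responder-side routine works through the situation the two messages discuss: the peer offers a lifetime that differs from the locally configured maximum, the responder chooses one of the three RFC 2407 section 4.5.4 behaviours, and the enforced lifetime is additionally capped so the SA cannot outlive either side's certificate. The names `MismatchPolicy`, `LifetimeDecision`, `decide_lifetime`, `seconds_until_earliest_expiry` and `effective_sa_lifetime` are assumptions of this example; treating a shorter-than-configured offer as acceptable, and capping to certificate expiry, are design choices of the example rather than anything the thread prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable, Optional


class MismatchPolicy(Enum):
    """The three responses RFC 2407 section 4.5.4 allows when the peer offers a
    lifetime longer than the locally configured one."""
    FAIL = 1                   # reject the proposal outright
    USE_LOCAL = 2              # accept, silently enforce the shorter local value
    USE_LOCAL_AND_NOTIFY = 3   # accept, enforce the local value, tell the peer


@dataclass(frozen=True)
class LifetimeDecision:
    accepted: bool
    enforced_seconds: Optional[int]   # lifetime this side will actually enforce
    notify_peer: bool                 # send a RESPONDER-LIFETIME notify?
    reason: str


def seconds_until_earliest_expiry(now: datetime,
                                  cert_expiries: Iterable[datetime]) -> Optional[int]:
    """Seconds until the first certificate (ours or the peer's) expires, or None
    when no certificate bounds the SA (e.g. pre-shared key authentication)."""
    expiries = list(cert_expiries)
    if not expiries:
        return None
    return int((min(expiries) - now).total_seconds())


def decide_lifetime(offered_seconds: int,
                    configured_seconds: int,
                    policy: MismatchPolicy,
                    now: datetime,
                    cert_expiries: Iterable[datetime] = ()) -> LifetimeDecision:
    """Responder-side choice of the SA lifetime to enforce.

    The configured value is treated as a local maximum: a shorter offer is
    accepted as offered, a longer offer is handled according to `policy`.
    Every accepted result is then capped to certificate validity (a design
    choice of this example, not something RFC 2407 requires).
    """
    if offered_seconds <= 0 or configured_seconds <= 0:
        return LifetimeDecision(False, None, False, "non-positive lifetime")

    if offered_seconds > configured_seconds:
        if policy is MismatchPolicy.FAIL:
            return LifetimeDecision(
                False, None, False,
                f"offered {offered_seconds}s exceeds local maximum {configured_seconds}s")
        enforced = configured_seconds
    else:
        enforced = offered_seconds

    # An SA that outlives the certificate that authenticated it keeps traffic
    # flowing on credentials that are no longer valid, so cap it here.
    cert_remaining = seconds_until_earliest_expiry(now, cert_expiries)
    if cert_remaining is not None:
        if cert_remaining <= 0:
            return LifetimeDecision(False, None, False, "a certificate has already expired")
        enforced = min(enforced, cert_remaining)

    # Only option 3 informs the peer; option 2 relies on local enforcement alone.
    notify = (policy is MismatchPolicy.USE_LOCAL_AND_NOTIFY
              and enforced != offered_seconds)
    reason = ("enforcing offered lifetime" if enforced == offered_seconds
              else f"enforcing {enforced}s instead of offered {offered_seconds}s")
    return LifetimeDecision(True, enforced, notify, reason)


def effective_sa_lifetime(local_enforced: int, peer_enforced: int) -> int:
    """What really bounds the SA once both sides act: whichever peer enforces
    the shorter value. A peer that ignores the agreed value and a peer that
    offered a longer one look identical from here, which is why local
    enforcement is what counts."""
    return min(local_enforced, peer_enforced)


if __name__ == "__main__":
    now = datetime(1999, 2, 3, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    peer_cert_expiry = now + timedelta(hours=2)                # constructed expiry
    for policy in MismatchPolicy:
        print(policy.name, decide_lifetime(28800, 3600, policy, now, [peer_cert_expiry]))
    print(decide_lifetime(1800, 3600, MismatchPolicy.USE_LOCAL, now, [peer_cert_expiry]))
```

Running the script shows option 1 rejecting an 8-hour offer against a 1-hour local maximum, options 2 and 3 both enforcing 3600 seconds with only option 3 setting `notify_peer`, and a 30-minute offer being accepted as-is; shortening `peer_cert_expiry` below the chosen value demonstrates the certificate cap taking over.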

