
Re: Question about mis-match SA lifetimes



  You're right, there are no guarantees on anything. The other side could
encrypt the key, SPI and destination address in Louis Freeh's public key
and send it off to him. But the lack of guarantees shouldn't mean that no 
policy enforcement should be done. I figure that the operator set the 
lifetime for a reason (and since a key from the IKE SA can be the "root key"
for lots of IPSec SAs that may be a very good reason) and not just on a 
whim. To ignore that setting is wrong. 

  To answer your question: no, I don't fail if the other side offers a
time that's less than mine. I accept it and I respect it. If my lifetime
is 2 hours and the peer offers 1 hour I delete the SA after 1 hour.

  Dan.

On Wed, 03 Feb 1999 07:03:16 PST you wrote
> Suppose that both sides negotiate to use the same lifetime.  Locally you
> will enforce that lifetime but there is no guarantee that the other side
> enforces that lifetime properly.  This can therefore reduce to being the
> same thing as if they offered a longer lifetime than what you enforce
> according to your local policy.  This being the case, what's the merit in
> choosing option 1?  Do you expect an exact match on the lifetime(s) - i.e.,
> do you fail the negotiation if the lifetime offered is less than what you
> have configured as well?
> 
> Along the same line.  If their certificate would expire before the
> lifetime(s) would expire, do you fail the negotiation or just enforce the
> lifetime(s) to not extend past the expiration of their certificate?  I would
> be curious as to how many implementations reduce the lifetime that they
> offer to limit it to the expiration of their own certificate.
> 
> -dave

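The lifetime rule Dan states above (a shorter peer offer is accepted and enforced, the locally configured value is never exceeded, and the SA is deleted when the enforced lifetime runs out), written out as an added example. This is illustrative code, not code from the thread or from either poster's implementation. Two things in it are assumptions: the `reject_longer_offer` switch exposes both readings of Dave's "option 1" (fail the negotiation versus cap to local policy) without deciding between them, and the certificate-expiry cap is one answer to Dave's second question, not a rule the thread settles on. The SPI and timestamps are constructed.

```python
"""Added example: pick and enforce an IPsec SA lifetime when the peer's
offer differs from local policy.  Not code from the mailing-list thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class NegotiationFailed(Exception):
    """Raised when local policy rejects the exchange instead of capping it."""


@dataclass(frozen=True)
class LifetimeDecision:
    seconds: int    # lifetime the local side will actually enforce
    bound_by: str   # "local policy", "peer offer" or "certificate expiry"


def choose_lifetime(local_seconds: int,
                    peer_offer_seconds: int,
                    now: datetime,
                    cert_not_after: Optional[datetime] = None,
                    reject_longer_offer: bool = False) -> LifetimeDecision:
    """Return the lifetime this side will enforce for the SA.

    - The locally configured value is an upper bound: a longer peer offer is
      either capped to it or, with reject_longer_offer=True, refused outright
      (the thread's "option 1" is left as a choice here; assumption).
    - A shorter peer offer is accepted and enforced, as Dan describes.
    - If cert_not_after is given, the SA may not outlive the peer's
      certificate (assumption illustrating Dave's question, not a thread rule).
    """
    if local_seconds <= 0 or peer_offer_seconds <= 0:
        raise ValueError("lifetimes must be positive")
    if reject_longer_offer and peer_offer_seconds > local_seconds:
        raise NegotiationFailed(
            f"peer offered {peer_offer_seconds}s, local policy allows "
            f"at most {local_seconds}s")

    seconds, bound_by = local_seconds, "local policy"
    if peer_offer_seconds < seconds:
        seconds, bound_by = peer_offer_seconds, "peer offer"

    if cert_not_after is not None:
        remaining = int((cert_not_after - now).total_seconds())
        if remaining <= 0:
            raise NegotiationFailed("peer certificate has already expired")
        if remaining < seconds:
            seconds, bound_by = remaining, "certificate expiry"
    return LifetimeDecision(seconds, bound_by)


@dataclass(frozen=True)
class SaRecord:
    """Minimal SA record: enough to know when the local side must delete it."""
    spi: int
    established_at: datetime
    lifetime_seconds: int

    def expires_at(self) -> datetime:
        return self.established_at + timedelta(seconds=self.lifetime_seconds)

    def is_expired(self, now: datetime) -> bool:
        # The SA is deleted locally once the enforced lifetime has elapsed,
        # regardless of whether the peer honours the same lifetime.
        return now >= self.expires_at()


def install_sa(spi: int, now: datetime, decision: LifetimeDecision) -> SaRecord:
    return SaRecord(spi=spi, established_at=now, lifetime_seconds=decision.seconds)


def after(t: datetime, seconds: int) -> datetime:
    """Helper for building timestamps relative to a reference time."""
    return t + timedelta(seconds=seconds)


# Constructed reference time (roughly the date of the thread, in UTC).
DEMO_NOW = datetime(1999, 2, 3, 15, 3, 16, tzinfo=timezone.utc)


def main() -> None:
    # Dan's example: local lifetime 2 hours, peer offers 1 hour.
    decision = choose_lifetime(7200, 3600, DEMO_NOW)
    sa = install_sa(0x1234ABCD, DEMO_NOW, decision)   # hypothetical SPI
    print(f"enforcing {decision.seconds}s (bound by {decision.bound_by}); "
          f"SA 0x{sa.spi:08x} expires at {sa.expires_at().isoformat()}")

    # Peer offers a day; local policy caps it to 2 hours.
    capped = choose_lifetime(7200, 86400, DEMO_NOW)
    print(f"longer offer capped to {capped.seconds}s ({capped.bound_by})")

    # Same offer, but the peer's certificate expires in 30 minutes.
    short_cert = choose_lifetime(7200, 86400, DEMO_NOW,
                                 cert_not_after=after(DEMO_NOW, 1800))
    print(f"cert-limited to {short_cert.seconds}s ({short_cert.bound_by})")


if __name__ == "__main__":
    main()
```

The point the thread makes is visible in `SaRecord.is_expired`: local enforcement does not depend on what the peer does, so a peer that ignores the negotiated lifetime only extends its own exposure, not ours. Whether to cap or refuse a longer offer, and whether to bound the SA by certificate validity, are left as explicit switches because the thread does not settle them.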

