
RE: Question about mis-match SA lifetimes



If the peer has an IKE SA lifetime configuration of 2 hours, and locally you
have an IKE SA lifetime configuration of 1 hour, then wouldn't it be more
advantageous to allow the phase 1 negotiation to proceed and then just send
a delete notification for the IKE SA cookie after 1 hour, right before you
expire your IKE SA, than to just always fail the negotiation?

-dave



> -----Original Message-----
> From:	Daniel Harkins [SMTP:dharkins@cisco.com]
> Sent:	Wednesday, February 03, 1999 1:03 PM
> To:	Mason, David
> Cc:	'ipsec@tis.com'
> Subject:	Re: Question about mis-match SA lifetimes 
> 
>   You're right, there's no guarantees on anything. The other side could
> encrypt the key, SPI and destination address in Louis Freeh's public key
> and send it off to him. But the lack of guarantees shouldn't mean that no 
> policy enforcement should be done. I figure that the operator set the 
> lifetime for a reason (and since a key from the IKE SA can be the "root key"
> for lots of IPSec SAs that may be a very good reason) and not just on a 
> whim. To ignore that setting is wrong. 
> 
>   To answer your question: no, I don't fail if the other side offers a
> time that's less than mine. I accept it and I respect it. If my lifetime
> is 2 hours and the peer offers 1 hour I delete the SA after 1 hour.
> 
>   Dan.
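The two policies discussed in this thread, modelled as an added example (not code from either poster): each side compares its own configured IKE SA lifetime with the peer's offer, and the shorter lifetime wins, with the side whose configuration is shorter being the one that sends the delete notification. The `Policy` enum, `reconcile` and `negotiate` names are assumptions for illustration; the stricter "fail the negotiation" alternative is included only for contrast.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Policy(Enum):
    # Dan's behaviour: accept the peer's offer, but never outlive your own setting.
    ACCEPT_AND_SHORTEN = "accept-and-shorten"
    # Alternative mentioned in the thread: refuse a peer whose lifetime exceeds ours.
    REJECT_LONGER = "reject-longer"


@dataclass(frozen=True)
class Decision:
    accepted: bool
    effective_seconds: Optional[int]   # how long this side will keep the IKE SA
    sends_delete: bool                 # this side sends DELETE at its own expiry


def reconcile(local_seconds: int, peer_offer_seconds: int,
              policy: Policy = Policy.ACCEPT_AND_SHORTEN) -> Decision:
    """One side's view of a lifetime negotiation (hypothetical helper)."""
    if local_seconds <= 0 or peer_offer_seconds <= 0:
        raise ValueError("lifetimes must be positive seconds")
    if peer_offer_seconds <= local_seconds:
        # Peer expires first (or at the same time): respect it, peer deletes.
        return Decision(True, peer_offer_seconds, sends_delete=False)
    if policy is Policy.REJECT_LONGER:
        return Decision(False, None, sends_delete=False)
    # Peer wants a longer life than our operator allowed: accept the SA,
    # but enforce our own limit by deleting it before we expire it.
    return Decision(True, local_seconds, sends_delete=True)


def negotiate(a_seconds: int, b_seconds: int,
              policy: Policy = Policy.ACCEPT_AND_SHORTEN) -> Optional[Tuple[int, str]]:
    """Run both peers' policies; return (agreed lifetime, who sends DELETE) or None."""
    a = reconcile(a_seconds, b_seconds, policy)   # A evaluating B's offer
    b = reconcile(b_seconds, a_seconds, policy)   # B evaluating A's offer
    if not (a.accepted and b.accepted):
        return None
    lifetime = min(a.effective_seconds, b.effective_seconds)
    if a_seconds == b_seconds:
        deleter = "both"
    else:
        deleter = "A" if a.sends_delete else "B"
    return lifetime, deleter


if __name__ == "__main__":
    # Constructed scenario from the thread: local 1 hour, peer 2 hours.
    print(negotiate(3600, 7200))                        # (3600, 'A')
    print(negotiate(3600, 7200, Policy.REJECT_LONGER))  # None
```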

