RE: Question about mis-match SA lifetimes
>>>>> "Mason," == Mason, David <David_Mason@nai.com> writes:
Mason,> If the peer has an IKE SA lifetime configuration of 2 hours,
Mason,> and locally you have an IKE SA lifetime configuration of 1
Mason,> hour, then wouldn't it be more advantageous to allow the
Mason,> phase 1 negotiation to proceed and then just send a delete
Mason,> notification for the IKE SA cookie after 1 hour, right before
Mason,> you expire your IKE SA, than to just always fail the
Mason,> negotiation?
I would have thought the same. In fact, it's not clear to me why the
lifetime value needs to be mentioned in the protocol at all. If I
think the SA has lived long enough, I can rekey. Whether the other
side is more tolerant seems irrelevant.
To put it differently: consider a hypothetical protocol that was just
like IKE except that it doesn't exchange this information. What bad
properties, if any, would such a protocol have?
paul