
RE: Question about mis-match SA lifetimes



>>>>> "Mason," == Mason, David <David_Mason@nai.com> writes:

 Mason,> If the peer has an IKE SA lifetime configuration of 2 hours,
 Mason,> and locally you have an IKE SA lifetime configuration of 1
 Mason,> hour, then wouldn't it be more advantageous to allow the
 Mason,> phase 1 negotiation to proceed and then just send a delete
 Mason,> notification for the IKE SA cookie after 1 hour, right before
 Mason,> you expire your IKE SA, than to just always fail the
 Mason,> negotiation?

I would have thought the same.  In fact, it's not clear to me why the
lifetime value needs to be mentioned in the protocol at all.  If I
think the SA has lived long enough, I can rekey.  Whether the other
side is more tolerant seems irrelevant.

To put it differently: consider a hypothetical protocol that was just
like IKE except that it doesn't exchange this information.  What bad
properties, if any, would such a protocol have?

	paul
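The two behaviours the thread contrasts, as an added model that is not code from the list participants or from any IKE implementation: a "strict" policy that refuses the phase 1 negotiation whenever the proposed lifetimes differ, and an "accept-min" policy that establishes the SA, enforces the shorter (local) lifetime regardless of what the peer believes, and emits a delete notification for the SA cookie just before the local expiry. The `grace` interval, the cookie string and the second-based clock are constructed for the illustration.

```python
"""Model of two ways to handle a mismatched IKE SA lifetime (constructed
illustration): refuse the negotiation, or accept it and retire the SA at the
shorter lifetime, sending a delete notification just before we expire it."""

from dataclasses import dataclass, field
from typing import List, Optional

STRICT = "strict"          # refuse unless both lifetimes match exactly
ACCEPT_MIN = "accept-min"  # accept; enforce the shorter lifetime locally


@dataclass
class IkeSa:
    cookie: str
    peer_lifetime: int                 # lifetime the peer believes (seconds)
    local_expiry: int                  # absolute time we stop using the SA
    delete_at: int                     # absolute time we send the delete
    notifications: List[str] = field(default_factory=list)


def negotiate(local_lifetime: int, peer_lifetime: int, policy: str,
              now: int = 0, cookie: str = "c0ffee",
              grace: int = 30) -> Optional[IkeSa]:
    """Return an established SA, or None when the negotiation is refused.

    Under ACCEPT_MIN the SA never outlives the shorter of the two proposals,
    so accepting a more tolerant peer does not extend local key exposure.
    """
    if policy == STRICT:
        if local_lifetime != peer_lifetime:
            return None
        effective = local_lifetime
    elif policy == ACCEPT_MIN:
        effective = min(local_lifetime, peer_lifetime)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    expiry = now + effective
    # Send the delete shortly before expiry, but never before "now".
    return IkeSa(cookie=cookie, peer_lifetime=peer_lifetime,
                 local_expiry=expiry, delete_at=max(now, expiry - grace))


def tick(sa: IkeSa, now: int) -> bool:
    """Advance the clock to `now`.

    Emits the delete notification once, at or after `delete_at`, and returns
    True while the SA is still usable locally.
    """
    if now >= sa.delete_at and not sa.notifications:
        sa.notifications.append(f"DELETE cookie={sa.cookie} t={now}")
    return now < sa.local_expiry


def run(local_lifetime: int, peer_lifetime: int, policy: str) -> dict:
    """Drive one SA from negotiation to expiry and summarise what happened."""
    sa = negotiate(local_lifetime, peer_lifetime, policy)
    if sa is None:
        return {"established": False}
    usable_until = 0
    for t in range(0, max(local_lifetime, peer_lifetime) + 1, 10):
        if tick(sa, t):
            usable_until = t
    return {
        "established": True,
        "usable_until": usable_until,
        "delete_sent_at": sa.delete_at,
        "notifications": list(sa.notifications),
    }


if __name__ == "__main__":
    # Mason's scenario: peer wants 2 hours, local policy is 1 hour.
    print("strict    :", run(3600, 7200, STRICT))
    print("accept-min:", run(3600, 7200, ACCEPT_MIN))
```

Running the model with the thread's numbers (peer 7200 s, local 3600 s) shows the strict policy never establishing an SA, while accept-min keeps the SA for exactly the local hour and sends the delete 30 s before it is retired; swapping the numbers (peer 3600 s, local 7200 s) makes accept-min retire the SA at the peer's shorter lifetime, so the local side does not keep using an SA the peer has already discarded.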

