
Re: Question about mis-match SA lifetimes




Is it me, or do you guys just make this up as you go? ;-)

"Mason, David" wrote:

> If the peer has an IKE SA lifetime configuration of 2 hours, and locally you
> have an IKE SA lifetime configuration of 1 hour, then wouldn't it be more
> advantageous to allow the phase 1 negotiation to proceed and then just send
> a delete notification for the IKE SA cookie after 1 hour, right before you
> expire your IKE SA, than to just always fail the negotiation?
>
> -dave
>
> > -----Original Message-----
> > From: Daniel Harkins [SMTP:dharkins@cisco.com]
> > Sent: Wednesday, February 03, 1999 1:03 PM
> > To:   Mason, David
> > Cc:   'ipsec@tis.com'
> > Subject:      Re: Question about mis-match SA lifetimes
> >
> >   You're right, there's no guarantees on anything. The other side could
> > encrypt the key, SPI and destination address in Louis Freeh's public key
> > and send it off to him. But the lack of guarantees shouldn't mean that no
> > policy enforcement should be done. I figure that the operator set the
> > lifetime for a reason (and since a key from the IKE SA can be the "root
> > key" for lots of IPSec SAs that may be a very good reason) and not just on
> > a whim. To ignore that setting is wrong.
> >
> >   To answer your question: no, I don't fail if the other side offers a
> > time that's less than mine. I accept it and I respect it. If my lifetime
> > is 2 hours and the peer offers 1 hour I delete the SA after 1 hour.
> >
> >   Dan.

--

Andrew Sweeney
andy@assured-digital.com
9 Goldsmith Street,
Littleton, MA 01460
http://www.assured-digital.com/
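The two responder behaviours discussed in this thread, written out as an added example (not code from any poster or product): a peer offer shorter than the local setting is accepted and respected, a longer offer is either rejected or accepted with a DELETE sent when the local lifetime runs out, so the operator's setting is enforced either way. All names, the mode constants and the cookie value are invented for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical policy modes for the "peer offers a longer lifetime" case.
REJECT_LONGER = "reject_longer"          # fail the phase 1 negotiation
ACCEPT_AND_DELETE = "accept_and_delete"  # proceed, then delete at our own lifetime


def negotiate_lifetime(local_s: int, offered_s: int, mode: str) -> Tuple[bool, Optional[int]]:
    """Return (accepted, effective_lifetime_seconds) for a responder.

    The effective lifetime never exceeds the local operator setting, so the
    local policy is enforced in every accepted case.
    """
    if offered_s <= local_s:
        # Peer asks for less than we allow: accept it and respect the shorter value.
        return True, offered_s
    if mode == REJECT_LONGER:
        return False, None
    if mode == ACCEPT_AND_DELETE:
        # Let phase 1 complete; the SA is torn down when *our* lifetime expires.
        return True, local_s
    raise ValueError(f"unknown mode {mode!r}")


@dataclass
class IkeSa:
    cookie: bytes          # ISAKMP cookie pair identifying the IKE SA (constructed)
    established_at: float  # seconds on a monotonic clock
    lifetime_s: int        # effective lifetime from negotiate_lifetime()
    deleted: bool = False

    def expires_at(self) -> float:
        return self.established_at + self.lifetime_s


def enforce_lifetime(sa: IkeSa, now: float) -> Optional[str]:
    """Called periodically by a hypothetical timer; returns the notification to send, if any.

    A DELETE for the IKE SA cookie goes out exactly once, when the effective
    lifetime is reached, so the peer stops using keys we no longer trust.
    """
    if sa.deleted or now < sa.expires_at():
        return None
    sa.deleted = True
    return f"DELETE isakmp cookie={sa.cookie.hex()}"


if __name__ == "__main__":
    ok, life = negotiate_lifetime(3600, 7200, ACCEPT_AND_DELETE)  # constructed values
    sa = IkeSa(cookie=bytes(range(1, 9)), established_at=0.0, lifetime_s=life)
    print(ok, life, enforce_lifetime(sa, 1800.0), enforce_lifetime(sa, 3600.0))
```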
