
Re: Unspecified Lifetime



I suggest leaving this as a Local Policy matter - if your implementation does not
enforce any time limit when only KB is specified - let it be, but on the other hand -
it should be allowed for the local policy to enforce some limit (e.g. 28800 sec) on
the KB-only lifetimed SAs.

"Derrell D. Piper" wrote:

> >If you set lifetime to kilobytes (say 5KB), but then your session stops short of
> >this limit (say at 4KB) - then without some large time-based lifetime limit it
> >will be alive forever - I am not sure if I want this.
>
> Slava,
>
> That's a good point, however I expect that there might be situations where
> folks really do want their SA's to stay around essentially forever (without
> regard to the security implications thereof).  If we say that there's always
> an overriding time-based expiration, there's now no way to negotiate that.  If
> we leave it as it is (and/or with more clarification along the lines of my
> earlier note), you can still configure the behavior you want by configuring a
> time-based lifetime.  On the third hand, I don't have a lot of religion here.
>
> Anyone else care to weigh in?
>
> Derrell

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com
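
The expiry behaviour debated in this thread, as an added example that is not part of the original messages or of any implementation: an SA negotiated with only a kilobyte lifetime never expires once traffic stops, unless local policy supplies a time cap. The names `SA`, `time_limit` and `expiry_reason`, and the choice of 1 KB = 1024 bytes, are assumptions made for illustration; 28800 seconds is the figure from the message.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

KB_ONLY_CAP_SECONDS = 28800  # example local-policy cap taken from the message


@dataclass
class SA:
    """Hypothetical SA record; None means that lifetime type was not negotiated."""
    created_at: float
    negotiated_seconds: Optional[int]
    negotiated_kbytes: Optional[int]
    bytes_processed: int = 0


def time_limit(sa: SA, kb_only_cap: Optional[int]) -> Tuple[Optional[int], Optional[str]]:
    """Return (seconds, source) of the time limit enforced on this SA."""
    if sa.negotiated_seconds is not None:
        return sa.negotiated_seconds, "negotiated-seconds"
    if kb_only_cap is not None:
        # KB-only SA: local policy adds a limit the peers never negotiated.
        return kb_only_cap, "local-policy-seconds"
    return None, None  # no time limit at all: SA can live forever when idle


def expiry_reason(sa: SA, now: float, kb_only_cap: Optional[int]) -> Optional[str]:
    """Return why the SA has expired at time `now`, or None if still valid."""
    if (sa.negotiated_kbytes is not None
            and sa.bytes_processed >= sa.negotiated_kbytes * 1024):  # assumes 1 KB = 1024 B
        return "kilobytes"
    limit, source = time_limit(sa, kb_only_cap)
    if limit is not None and now - sa.created_at >= limit:
        return source
    return None


if __name__ == "__main__":
    # Constructed scenario from the thread: 5 KB lifetime, session stops at 4 KB.
    idle = SA(created_at=0, negotiated_seconds=None, negotiated_kbytes=5,
              bytes_processed=4 * 1024)
    ten_days = 10 * 24 * 3600
    print("no cap  :", expiry_reason(idle, ten_days, None))
    print("with cap:", expiry_reason(idle, ten_days, KB_ONLY_CAP_SECONDS))
```
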




