
Re: Phase 1 KB lifetime



  I'd like to nip this in the bud. The "just go ahead and enforce a lifetime,
just don't tell me about it" combined with "implementations are not required
to interpret lifetime notifies" is probably the reason that people have
problems with rekeying.

  It is _never_ a good idea to just enforce a lifetime without telling the
peer (assuming, as we all remember from 3rd grade, makes an ass out of you
and me). Similarly it is _never_ a good idea to ignore the lifetime notify
a peer gives you. 

  If it has to be expressly stated in the RFC (I'm a bit surprised by this
line of reasoning though) then so be it.

  Dan.

On Tue, 18 Jan 2000 16:43:29 EST you wrote
>
> There are essentially two opinions concerning the removal of the kb lifetime
> notify -- one pro, one con:
> 
> Pro: Implementations are not required to send lifetime notifies. If you want
> to enforce a kb lifetime, go ahead -- just don't tell me about it.
> 
> Con: Implementations are not required to interpret lifetime notifies.
> Sending the kb lifetime notify does not hinder interoperability. In fact, as
> has been pointed out on this list before, not sending lifetime notifies can
> hinder interoperability with some implementations.

