Re: Phase 1 KB lifetime

[Paul Koning <pkoning@xedia.com>]

>>>>> "Dan" == Dan Harkins <dharkins@network-alchemy.com> writes:

 Dan> I'd like to nip this in the bud. The "just go ahead and enforce
 Dan> a lifetime, just don't tell me about it" combined with
 Dan> "implementations are not required to interperet lifetime
 Dan> notifies" is probably the reason that people have problems with
 Dan> rekeying.

I don't think so.  The reason people are having problems with rekeying 
is that the rekeying process is subject to all sorts of timing windows 
and race conditions, as Tim Jenkins has documented in fine detail.  If 
the case you mention is an issue at all, it's just a small one out of
dozens. 

 Dan> It is _never_ a good idea to just enforce a lifetime without
 Dan> telling the peer (assuming, as we all remember from 3rd grade,
 Dan> makes an ass out of you and me).

I quite disagree.  The protocol works if someone rekeys at a time of
their choosing for reasons of their choosing.  Or at least it appears
to; if it doesn't work for that case then the protocol is defective
and needs to be repaired.

Therefore, it isn't actually necessary to tell the peer about
lifetimes you enforce.  I still don't understand why that stuff is in
the protocol at all.

 Dan> Similarly it is _never_ a good
 Dan> idea to ignore the lifetime notify a peer gives you.

Ditto.

	paul

---

Follow-Ups:

• Re: Phase 1 KB lifetime
• From: Dan Harkins <dharkins@network-alchemy.com>

References:

• RE: Phase 1 KB lifetime
• From: Andrew Krywaniuk <akrywaniuk@TimeStep.com>
• Re: Phase 1 KB lifetime
• From: Dan Harkins <dharkins@network-alchemy.com>

---

• Prev by Date: RE: issues raised at VPN interoperability workshop
• Next by Date: Re: issues raised at VPN interoperability workshop
• Prev by thread: Re: Phase 1 KB lifetime
• Next by thread: Re: Phase 1 KB lifetime
• Index(es):
  • Main
  • Thread