[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Phase 1 KB lifetime

To: Paul Koning <pkoning@xedia.com>
Subject: Re: Phase 1 KB lifetime
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Wed, 19 Jan 2000 09:56:08 -0800
cc: akrywaniuk@TimeStep.com, joern@datafellows.com, ipsec@lists.tislabs.com
In-reply-to: Your message of "Wed, 19 Jan 2000 10:14:38 EST." <200001191514.KAA24417@tonga.xedia.com>
Sender: owner-ipsec@lists.tislabs.com

On Wed, 19 Jan 2000 10:14:38 EST you wrote
> 
>  Dan> It is _never_ a good idea to just enforce a lifetime without
>  Dan> telling the peer (assuming, as we all remember from 3rd grade,
>  Dan> makes an ass out of you and me).
> 
> I quite disagree.  The protocol works if someone rekeys at a time of
> their choosing for reasons of their choosing.  Or at least it appears
> to; if it doesn't work for that case then the protocol is defective
> and needs to be repaired.

The protocol may work (or at least appear to-- quite a weak statement) 
but is that a reason to do this? No. You're free to rekey anytime you 
want but if you choose to enforce a lifetime different than that which 
you _expressly agreed to_ why wouldn't you want to notify the peer?

The only reason not to do this I can see is programmer laziness.

> Therefore, it isn't actually necessary to tell the peer about
> lifetimes you enforce.  I still don't understand why that stuff is in
> the protocol at all.

To minimize the problematic windows that Tim Jenkins has documented
in fine detail.

>  Dan> Similarly it is _never_ a good
>  Dan> idea to ignore the lifetime notify a peer gives you.
> 
> Ditto.

Ditto.

  Dan.

References:

Re: Phase 1 KB lifetime

From: Paul Koning <pkoning@xedia.com>

Prev by Date: Re: Bruce Schneier on IPsec
Next by Date: RE: Phase 1 KB lifetime
Prev by thread: Re: Phase 1 KB lifetime
Next by thread: Re: Phase 1 KB lifetime
Index(es):
- Main
- Thread