
Re: SA byte lifetime



At 20:20 20.9.2000 +0530, you wrote:
 >Hi,
 >  I am having some doubts regarding the use of SA byte lifetime. 
 >Specifically for the case in which an SA bundle has been negotiated, say AH 
 >and ESP, the number of bytes processed by the AH SA will be different from 
 >the number of bytes processed by the ESP SA. Normally, for SA bundle case, 
 >ESP packet is encapsulated by AH, so the number of bytes processed by the 
 >AH SA will always be more than the ESP SA. So, in that case, the AH SA will 
 >expire before the AH SA. Now the problem is :
 >1) Once the AH SA soft byte lifetime expires, should we :
 >	a) negotiate for the bundle again.- In this we are assuming that the ESP 
 >SA has also expired.
 >	b) negotiate for AH SA only - In this case, how ?
 >
 >2) Once the AH SA hard byte lifetime has expired, should we delete the ESP 
 >SA also.
 >
 >Thanks in Advance.
 >
 >Awan Kumar Sharma
 >Software Engg.,
 >Future Software Ltd.,
 >Chennai - India
 >
 >
 >


1) the answer is a)
2) of course.

Please link SAs together and treat them as a unit. Somehow.

Imagine a case where you have IPCOMP+ESP+AH.
That's 6 SAs in total.
Now you receive _one_ single delete notification for
the, say, incoming ESP.
What do you do? Delete just that SA? No, you delete all 6 SAs.

Jörn
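
One way to model the "link SAs together and treat them as a unit" advice from the reply above, as an added example that is not part of the original message or of any IPsec implementation. All type names, function names and byte limits are hypothetical; the caller is assumed to start the renegotiation when `BUNDLE_REKEY` is returned.

```c
#include <stdint.h>

enum sa_proto { SA_IPCOMP, SA_ESP, SA_AH };
enum bundle_event { BUNDLE_OK, BUNDLE_REKEY, BUNDLE_DELETED };
struct sa { enum sa_proto proto; int inbound, alive; uint64_t bytes, soft, hard; };
struct sa_bundle { struct sa sas[6]; int n, rekey_pending; };  /* 6 = 3 protocols x 2 directions */

/* Add one SA with its soft/hard byte lifetimes; returns its index, -1 if full. */
int bundle_add(struct sa_bundle *b, enum sa_proto p, int inbound, uint64_t soft, uint64_t hard)
{
    struct sa s = { p, inbound, 1, 0, soft, hard };
    if (b->n >= 6) return -1;
    b->sas[b->n] = s;
    return b->n++;
}

/* Tear down every SA in the bundle; returns how many were still alive. */
int bundle_delete(struct sa_bundle *b)
{
    int i, killed = 0;
    for (i = 0; i < b->n; i++)
        if (b->sas[i].alive) { b->sas[i].alive = 0; killed++; }
    return killed;
}

/* Count bytes on one SA; a lifetime hit on any member acts on the whole bundle. */
enum bundle_event bundle_account(struct sa_bundle *b, int idx, uint64_t len)
{
    if (idx < 0 || idx >= b->n || !b->sas[idx].alive) return BUNDLE_DELETED;
    struct sa *s = &b->sas[idx];
    s->bytes += len;
    if (s->bytes >= s->hard) { bundle_delete(b); return BUNDLE_DELETED; }
    if (s->bytes >= s->soft && !b->rekey_pending) {
        b->rekey_pending = 1;           /* caller renegotiates the bundle, not one SA */
        return BUNDLE_REKEY;
    }
    return BUNDLE_OK;
}

/* Peer's delete notification names one SA: delete the bundle it belongs to. */
int bundle_on_delete(struct sa_bundle *b, enum sa_proto p, int inbound)
{
    int i;
    for (i = 0; i < b->n; i++)
        if (b->sas[i].alive && b->sas[i].proto == p && b->sas[i].inbound == inbound)
            return bundle_delete(b);
    return 0;
}
```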



