Re: FW: Negotiation for Ipsec SA
First off, if you have questions specific to PF_KEY, try the PF_KEY mailing
list: pf_key@inner.net. (This concludes the part of the note relevant to the
IPsec mailing list. Sorry for the additional traffic, boys and girls!)
> I am sorry if this has been discussed earlier. I have some doubts about the
> negotiation of IPsec SAs. When IPsec decides to establish an IPsec SA, it
> sends an SADB_ACQUIRE (PF_KEY message) to the key management daemon.
>
> 1) For how much time should we wait for the SA to get negotiated? I feel
> this is required.
Actually, it depends a lot on the KM protocol (or worse, what mode of the KM
protocol) that handles the ACQUIRE message. If it's a low-latency thing like
KINK promises, or if it's IKE with an already-established Phase 1, it can be
really short. OTOH, if you need to establish a Phase 1 SA complete with LDAP
certificate lookups (and maybe even policy), then it's going to be a while
before the first results from the UPDATE hit the kernel's SADB.
For example: in Solaris, we make this an ndd(1m) tunable. (See
/dev/ipsecesp, ipsecesp_acquire_timeout. It'll move somewhere else when we
have extended ACQUIREs built.)
> 2) If my first point is relevant, then should the time for the renegotiation
> of the IPsec SA, after the soft lifetime expires, be less than the
> difference of the soft and hard seconds lifetimes?
Absolutely! This depends, of course, on two things:
1.) You can handle soft-lifetime EXPIRE messages as a hint to start a
new negotiation (and possibly knowing what was negotiated
before).
2.) The other side doesn't decide to beat you to it!
Dan
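As an added illustration, not part of the thread, here is a small Python model of the timing Dan describes: the kernel's ACQUIRE timeout, the renegotiation window between the soft and hard EXPIRE, and the case where the peer rekeys first. The assumption that the kernel re-issues an ACQUIRE on the next packet after its timeout, and all sample lifetimes, are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class RekeyOutcome:
    installed_at: float      # when a replacement SA reached the SADB
    gap: float               # seconds with no usable SA (0 means seamless rekey)
    duplicate_acquires: int  # ACQUIREs re-issued while the KM daemon was still busy
    events: list = field(default_factory=list)   # (time, description) timeline

def simulate_rekey(soft, hard, acquire_timeout, km_latency, peer_rekey_at=None):
    """Replay one SA's life from its soft EXPIRE onward (constructed model).

    soft, hard      : seconds lifetimes of the SA (hard > soft)
    acquire_timeout : how long the kernel keeps one ACQUIRE outstanding
    km_latency      : time the KM daemon needs to answer with an UPDATE
    peer_rekey_at   : time a peer-initiated rekey lands an ADD, if any
    """
    assert 0 < soft < hard, "soft lifetime must come before hard lifetime"
    events = [(soft, "SADB_EXPIRE soft: kernel issues SADB_ACQUIRE")]
    our_sa_at = soft + km_latency
    done = our_sa_at if peer_rekey_at is None else min(our_sa_at, peer_rekey_at)
    # Assumption: when an ACQUIRE times out, the next matching packet triggers a
    # duplicate ACQUIRE while the daemon is still working on the first one.
    duplicates, t = 0, soft
    while t + acquire_timeout < done:
        t += acquire_timeout
        duplicates += 1
        events.append((t, "ACQUIRE timed out; duplicate ACQUIRE issued"))
    if peer_rekey_at is not None and peer_rekey_at < our_sa_at:
        installed = peer_rekey_at      # "the other side beat you to it"
        events.append((installed, "SADB_ADD: peer-initiated SA installed"))
    else:
        installed = our_sa_at
        events.append((installed, "SADB_UPDATE: our negotiated SA installed"))
    if installed > hard:
        events.append((hard, "SADB_EXPIRE hard: old SA deleted, no replacement yet"))
    gap = max(0.0, installed - hard)
    events.sort()
    return RekeyOutcome(installed, gap, duplicates, events)

def rekey_window_ok(soft, hard, acquire_timeout):
    """Dan's rule: the time budgeted for renegotiation after the soft EXPIRE
    must be less than (hard - soft), or the SA can die mid-negotiation."""
    return acquire_timeout < hard - soft
```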