RE: ISAKMP_RESPONDER_LIFETIME (Could it be removed?)
I noticed that some implementations actually allow a reply with an
SA with different lifetimes, so if the reply contains a smaller lifetime
it means that the other peer is using a smaller lifetime. In these cases
RESPONDER_LIFETIME is actually useless.
Is it mandatory that the SA in the reply has exactly the same
lifetime, or can it be smaller?
I think that would be a good solution for a further version of IKE to get
rid of the RESPONDER_LIFETIME. Anyway it doesn't appear to be used too much.
Any comments?
Toni
-----Original Message-----
From: EXT Tero Kivinen [mailto:kivinen@ssh.fi]
Sent: 16. November 2000 22:12
To: antonio.barrera@nokia.com
Cc: ipsec@lists.tislabs.com
Subject: ISAKMP_RESPONDER_LIFETIME
antonio.barrera@nokia.com writes:
> IPSEC DOI question:
>
> Is the ISAKMP_RESPONDER_LIFETIME notification payload supposed to
> send only the lifetime (seconds) or also the lifesize (KBytes)?
Yes, I think both are allowed.
> And if both can be sent, should they both be sent together in the same
> ISAKMP Notification payload (Of course same SA) or in 2 different ones?
I would say that there must be only one notification, containing both.
--
kivinen@ssh.fi Work : +358 303 9870
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
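
Added example, not part of the original messages or of any implementation discussed in them: a sketch of how one RESPONDER-LIFETIME notification data field can carry both the seconds and the kilobytes lifetime as a single ISAKMP attribute list, with a decoder that rejects malformed lists. The attribute numbers (SA Life Type = 1, SA Life Duration = 2; life types 1 = seconds, 2 = kilobytes) are assumed from the IPsec DOI (RFC 2407), and the function names are hypothetical.

```python
import struct

# Assumed from the IPsec DOI (RFC 2407): attribute classes and life types.
SA_LIFE_TYPE, SA_LIFE_DURATION = 1, 2
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}
AF_BASIC = 0x8000  # AF bit set: 2-byte value carried in the header itself

def encode_lifetimes(seconds=None, kilobytes=None):
    """Build one attribute list carrying either lifetime or both."""
    out = b""
    for life_type, value in ((1, seconds), (2, kilobytes)):
        if value is not None:
            out += struct.pack("!HH", AF_BASIC | SA_LIFE_TYPE, life_type)
            # Duration in variable (length-prefixed) form, 4-byte value.
            out += struct.pack("!HHI", SA_LIFE_DURATION, 4, value)
    return out

def parse_lifetimes(data):
    """Decode notification data into {'seconds': n, 'kilobytes': n}."""
    result, pending, off = {}, None, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        head, field = struct.unpack_from("!HH", data, off)
        off += 4
        if head & AF_BASIC:
            value = field                      # basic (TV) attribute
        else:
            if field == 0 or off + field > len(data):
                raise ValueError("bad attribute length")
            value = int.from_bytes(data[off:off + field], "big")
            off += field                       # variable (TLV) attribute
        attr = head & 0x7FFF
        if attr == SA_LIFE_TYPE and pending is None and value in LIFE_TYPES:
            pending = LIFE_TYPES[value]
        elif attr == SA_LIFE_DURATION and pending and pending not in result:
            result[pending], pending = value, None
        else:
            raise ValueError("unexpected attribute %d (value %d)" % (attr, value))
    if pending:
        raise ValueError("life type without a duration")
    return result

# Constructed sample: one notification data field announcing both limits.
SAMPLE = encode_lifetimes(seconds=3600, kilobytes=4608000)
```

The decoder treats a duration with no preceding life type, a repeated life type, or a length running past the buffer as an error rather than guessing, so a malformed notification is never silently applied to an SA.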