
RE: ISAKMP_RESPONDER_LIFETIME (Could it be removed?)



	I noticed that some implementations actually allow a reply with an
SA with different lifetimes, so if the reply contains a smaller lifetime
it means that the other peer is using a smaller lifetime. In these cases
RESPONDER_LIFETIME is actually useless.
	Is it mandatory that the SA in the reply has exactly the same
lifetime or can it be smaller?
I think that would be a good solution for a further version of IKE to get
rid of the RESPONDER_LIFETIME. Anyway it doesn't appear to be used too much.
Any comments?

Toni

-----Original Message-----
From: EXT Tero Kivinen [mailto:kivinen@ssh.fi]
Sent: 16. November 2000 22:12
To: antonio.barrera@nokia.com
Cc: ipsec@lists.tislabs.com
Subject: ISAKMP_RESPONDER_LIFETIME


antonio.barrera@nokia.com writes:
> IPSEC DOI question:
> 
> 	Is the ISAKMP_RESPONDER_LIFETIME notification payload supposed to
> send only the lifetime (seconds) or also the lifesize (KBytes)?

Yes, I think both are allowed. 

> And if both can be sent, should they both be sent together in the same
> ISAKMP Notification payload (Of course same SA) or in 2 different ones?

I would say that there must be only one notification, containing both. 
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
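
As an added illustration (not code from either poster or from any IKE implementation), the following Python parser reads the notification data of a single RESPONDER-LIFETIME notify that carries both a seconds and a kilobytes lifetime, and rejects malformed attribute lists. It assumes the SA Life Type / SA Life Duration attribute encoding of the IPsec DOI (RFC 2407); the sample bytes are constructed, and the "smaller limit wins" rule in `effective_lifetimes` is an assumption for the example.

```python
import struct

# IPsec DOI (RFC 2407) attribute classes and SA Life Type values
SA_LIFE_TYPE, SA_LIFE_DURATION = 1, 2
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}

# Constructed sample notification data: 3600 seconds and 100000 KB together
SAMPLE = bytes.fromhex("80010001" "0002000400000e10"
                       "80010002" "00020004000186a0")


def parse_lifetimes(data):
    """Parse notification data into {"seconds": n, "kilobytes": n}."""
    result, pending, off = {}, None, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                  # basic (TV): field is the value
            value = field
        else:                               # variable (TLV): field is a length
            if field == 0 or off + field > len(data):
                raise ValueError("bad attribute length")
            value = int.from_bytes(data[off:off + field], "big")
            off += field
        cls = atype & 0x7FFF
        if cls == SA_LIFE_TYPE:
            if value not in LIFE_TYPES or LIFE_TYPES[value] in result:
                raise ValueError("unknown or repeated life type")
            pending = LIFE_TYPES[value]
        elif cls == SA_LIFE_DURATION:
            if pending is None:
                raise ValueError("duration without preceding life type")
            result[pending] = value
            pending = None
        else:
            raise ValueError("unexpected attribute class %d" % cls)
    if pending is not None:
        raise ValueError("life type without duration")
    return result


def effective_lifetimes(proposed, responder):
    """Assumed policy: for each life type, the smaller limit applies."""
    merged = dict(proposed)
    for kind, value in responder.items():
        merged[kind] = min(value, merged.get(kind, value))
    return merged
```
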

