
Re: ISAKMP_RESPONDER_LIFETIME (Could it be removed?)



  I don't understand why that behavior makes RESPONDER_LIFETIME useless?
On the contrary. It is saying, "the lifetime I'm enforcing is actually 
foo". If A is configured with a lifetime less than B and A initiates to 
B it kind of makes sense for B to accept the smaller lifetime (smaller 
lifetime means less chance for key exposure). But when B initiates to A, 
A will not want to increase the lifetime as her config says something 
like: "...a lifetime of not more than foo", so all other attributes being
acceptable she accepts the offer but says, "actually, the lifetime I'm
enforcing is foo." B should honor this for the same reason B should've
honored the smaller lifetime if A had been initiating.

  This allows each side to have a reasonable expectation of when the
other side is no longer using the SA and lessens the chance of one side
assuming the other has SAs and continuing to send packets using them
only to have them silently dropped on the floor by the other side.

  RESPONDER_LIFETIME is quite useful.

  Dan.

On Fri, 17 Nov 2000 16:15:58 +0200 you wrote
> 	I noticed that some implementations actually allow a reply with an
> SA with different lifetimes, so if the reply contains a smaller lifetime
> it means that the other peer is using a smaller lifetime. In these cases
> RESPONDER_LIFETIME is actually useless.
> 	Is it mandatory that the SA in the reply has exactly the same
> lifetime, or can it be smaller?
> I think that would be a good solution for a further version of IKE to get
> rid of the RESPONDER_LIFETIME. Anyway it doesn't appear to be used too much.
> Any comments?
> 
> Toni
> 
> -----Original Message-----
> From: EXT Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: 16. November 2000 22:12
> To: antonio.barrera@nokia.com
> Cc: ipsec@lists.tislabs.com
> Subject: ISAKMP_RESPONDER_LIFETIME
> 
> 
> antonio.barrera@nokia.com writes:
> > IPSEC DOI question:
> > 
> > 	Is the ISAKMP_RESPONDER_LIFETIME notification payload supposed to
> > send only the lifetime (seconds) or also the lifesize (KBytes)?
> 
> Yes, I think both are allowed. 
> 
> > And if both can be sent, should they both be sent together in the same
> > ISAKMP Notification payload (of course same SA) or in 2 different ones?
> 
> I would say that they must be only one notification, containing both. 
> -- 
> kivinen@ssh.fi                               Work : +358 303 9870
> SSH Communications Security                  http://www.ssh.fi/
> SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
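The exchange Dan describes, as an added example that is not part of the thread and not code from any of the posters or from the SSH IPSEC Toolkit: two peers with different configured lifetimes, each taking a turn as initiator. The responder accepts the proposal, enforces the smaller of its own and the proposed lifetime, and sends a single RESPONDER_LIFETIME notification (carrying both the seconds and, where set, the kilobyte limit, as Tero suggests) only when the enforced lifetime differs from what was proposed. The attribute classes and life-type values are the IPsec DOI (RFC 2407) numbers and are an assumption on my part; the page itself names none of them. The configurations A_CFG and B_CFG are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPsec DOI (RFC 2407) attribute numbers; assumed, not stated on the page.
ATTR_SA_LIFE_TYPE = 1
ATTR_SA_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: Optional[int] = None  # lifesize limit; None means no byte limit configured


def _smaller(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Smaller of two limits where None means unlimited."""
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b)


def encode_attr(atype: int, value: int) -> bytes:
    """ISAKMP data attribute: TV form (AF bit set) when the value fits 16 bits, else TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    payload = struct.pack("!I", value)
    return struct.pack("!HH", atype, len(payload)) + payload


def decode_attrs(buf: bytes) -> List[Tuple[int, int]]:
    """Decode a run of ISAKMP data attributes into (type, value) pairs, preserving order."""
    out, i = [], 0
    while i + 4 <= len(buf):
        atype, second = struct.unpack_from("!HH", buf, i)
        i += 4
        if atype & 0x8000:
            out.append((atype & 0x7FFF, second))
        else:
            out.append((atype, int.from_bytes(buf[i:i + second], "big")))
            i += second
    if i != len(buf):
        raise ValueError("truncated attribute list")
    return out


def encode_responder_lifetime(lt: Lifetime) -> bytes:
    """Data of one RESPONDER_LIFETIME notify: each limit is a Life Type
    attribute followed by its Life Duration attribute, both in the same notification."""
    data = encode_attr(ATTR_SA_LIFE_TYPE, LIFE_TYPE_SECONDS) + encode_attr(ATTR_SA_LIFE_DURATION, lt.seconds)
    if lt.kilobytes is not None:
        data += encode_attr(ATTR_SA_LIFE_TYPE, LIFE_TYPE_KILOBYTES) + encode_attr(ATTR_SA_LIFE_DURATION, lt.kilobytes)
    return data


def decode_responder_lifetime(data: bytes) -> Lifetime:
    """Parse the notify data back into a Lifetime; reject malformed type/duration pairing."""
    seconds = kilobytes = None
    pending = None  # life type announced by the preceding attribute
    for atype, value in decode_attrs(data):
        if atype == ATTR_SA_LIFE_TYPE:
            pending = value
        elif atype == ATTR_SA_LIFE_DURATION and pending == LIFE_TYPE_SECONDS:
            seconds, pending = value, None
        elif atype == ATTR_SA_LIFE_DURATION and pending == LIFE_TYPE_KILOBYTES:
            kilobytes, pending = value, None
        else:
            raise ValueError("unexpected attribute %d" % atype)
    if seconds is None:
        raise ValueError("no seconds lifetime in RESPONDER_LIFETIME")
    return Lifetime(seconds, kilobytes)


def respond(config: Lifetime, proposed: Lifetime) -> Tuple[Lifetime, Optional[bytes]]:
    """Responder: accept the offer, enforce the smaller lifetime, and notify only
    when the enforced lifetime is not what the initiator proposed."""
    enforced = Lifetime(min(config.seconds, proposed.seconds),
                        _smaller(config.kilobytes, proposed.kilobytes))
    notify = None if enforced == proposed else encode_responder_lifetime(enforced)
    return enforced, notify


def negotiate(init_cfg: Lifetime, resp_cfg: Lifetime) -> Tuple[Lifetime, Lifetime]:
    """One negotiation: the initiator proposes its own config; returns
    (initiator's view, responder's view) of the agreed lifetime."""
    resp_view, notify = respond(resp_cfg, init_cfg)
    init_view = init_cfg if notify is None else decode_responder_lifetime(notify)
    return init_view, resp_view


# Constructed configs: A enforces at most 1 hour / 100 MB, B allows 8 hours with no byte limit.
A_CFG = Lifetime(seconds=3600, kilobytes=100_000)
B_CFG = Lifetime(seconds=28_800)

if __name__ == "__main__":
    for name, (i, r) in (("A->B", (A_CFG, B_CFG)), ("B->A", (B_CFG, A_CFG))):
        iv, rv = negotiate(i, r)
        print(name, "initiator sees", iv, "responder enforces", rv)
```

Running it shows the asymmetry the thread is about: when A initiates, B simply accepts the smaller proposal and no notification is needed; when B initiates, A accepts the offer but enforces its own smaller limits and must say so, and only after B honors the notification do both sides hold the same view of when the SA expires.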

