
RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



> > The inside peer can rekey at any time - it will just cause a new NAT mapping
> > to be created.  In the tunnel case this shouldn't cause any problems.
> 
> Possibly - but if you do that, you have to do (computationally considerably
> more expensive) Phase I every time too, because the IKE mapping _may_ have
> reset then also (_even_ if your Phase I lifetime hasn't expired.. I think
> that running IKE over NATs is bad idea to start with :>).

I don't understand why you would have to do a Phase 1 every time.

> It's debatable if 5 minutes is the right way to do it, but _some_ way of
> making sure that (even potentially somewhat delayed) Phase II is 'enough'
> to handle the rekey cases.

The retransmission timer used for IKE NAT SAs should never be
increased above M (20 seconds).  Perhaps allowing for a larger
retransmission counter.

-dave