
RE: Lifetime & rekeying



>>>>> "Ramana" == Ramana Yarlagadda <ramana@chiplogic.com> writes:

 Ramana> Yes, the RFC doesn't talk about how to derive the softlife
 Ramana> time value, but section 4.4.3 talks about the guidelines,
 Ramana> and it is clear from the RFC that it is implementation
 Ramana> specific.

That's sensible.  If you want to rekey before the hard expiration of
the SA, that's fine, and you can do so at any time.  There are no
interoperability issues (it doesn't matter what rules you use) so it
is proper for protocol standards to be silent about this.

 Ramana> A long time back there was a draft from Tim Jenkins about IPsec
 Ramana> re-keying issues, and if I remember, even that doesn't talk
 Ramana> about the specific values (to derive softlife time values).

Tim's draft was addressing a different issue, which is how to
coordinate the changeover from the old SA pair to the new SA pair so
you would (a) delete the right SAs after rekeying, (b) not lose
packets by sending to an SA the other side had already deleted.

Strictly speaking that's not a correctness issue (it's legal for
packets to be dropped at times) but this was sometimes causing a black
hole for at least several seconds, which is enough of a performance
hit to be worth fixing.  Unfortunately, I don't think that this draft
was ever carried through to adoption.

    paul
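The changeover problem Paul describes (deleting the old SAs too early, or sending on an SA the other side does not have yet, and black-holing traffic for the gap between the two peers finishing the rekey) is easy to see in a small simulation. The following is an added example written for this page; it is not code from the thread, from Tim Jenkins' draft, or from any IKE/IPsec implementation. The SPIs, the hard and soft lifetimes, the `GRACE` window and the "careful" policy (keep the old inbound SA briefly, and let the peer that finished the exchange first keep sending on the old SA until it sees traffic on the new one) are all assumptions chosen for illustration, not the draft's own rules.

```python
"""Rekey changeover simulation: soft/hard lifetimes and the old-to-new SA switch.

Constructed illustration only: not code from this thread, from Tim Jenkins'
draft, or from any IKE/IPsec implementation.  SPIs, lifetimes, GRACE and the
"careful" policy are assumed values/strategy chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

HARD_LIFE = 10  # time units; old SAs must be gone by then (assumed)
SOFT_LIFE = 7   # rekey trigger; implementation-specific, here 70% of hard (assumed)
GRACE = 3       # how long the old inbound SA is kept after rekey (assumed)


@dataclass
class Peer:
    name: str
    inbound: Set[int] = field(default_factory=set)  # SPIs this peer accepts
    outbound: int = 0                               # SPI this peer sends on
    pending_out: Optional[int] = None               # new outbound SPI not yet in use
    old_in: Optional[int] = None                    # old inbound SPI kept during grace
    old_in_expiry: Optional[int] = None
    delivered: int = 0                              # packets accepted from the peer
    dropped: int = 0                                # packets dropped on arrival

    def install(self, now: int, new_in: int, new_out: int,
                careful: bool, switch_now: bool) -> None:
        """Install the freshly negotiated SA pair at time `now`."""
        old_in = next(iter(self.inbound))
        self.inbound.add(new_in)
        if careful:
            # keep the old inbound SA for a grace window, never past hard life
            self.old_in, self.old_in_expiry = old_in, min(now + GRACE, HARD_LIFE)
            if switch_now:
                self.outbound = new_out
            else:
                self.pending_out = new_out
        else:
            # naive: old inbound SA deleted, outbound switched immediately
            self.inbound.discard(old_in)
            self.outbound = new_out

    def tick(self, now: int) -> None:
        """Expire the old inbound SA; force a pending outbound switch at hard life."""
        if self.old_in is not None and now >= self.old_in_expiry:
            self.inbound.discard(self.old_in)
            self.old_in = None
        if self.pending_out is not None and now >= HARD_LIFE:
            self.outbound, self.pending_out = self.pending_out, None

    def receive(self, spi: int) -> None:
        """Accept a packet if its SPI is known; unknown SPI means a black hole."""
        if spi in self.inbound:
            self.delivered += 1
            if self.pending_out is not None and spi != self.old_in:
                # traffic on the new inbound SA proves the peer has the new pair
                self.outbound, self.pending_out = self.pending_out, None
        else:
            self.dropped += 1


def simulate(careful: bool, install_delay: int = 2, steps: int = 12) -> dict:
    """Run both peers; A (initiator) gets the new pair `install_delay` units before B."""
    a = Peer("A", {0x2001}, 0x1001)
    b = Peer("B", {0x1001}, 0x2001)
    for now in range(steps):
        if now == SOFT_LIFE:                    # initiator finishes the exchange first
            a.install(now, 0x2002, 0x1002, careful, switch_now=False)
        if now == SOFT_LIFE + install_delay:    # responder finishes last: A already has it
            b.install(now, 0x1002, 0x2002, careful, switch_now=True)
        a.tick(now)
        b.tick(now)
        b.receive(a.outbound)   # one packet A -> B per step
        a.receive(b.outbound)   # one packet B -> A per step
    return {"a_to_b_delivered": b.delivered, "a_to_b_dropped": b.dropped,
            "b_to_a_delivered": a.delivered, "b_to_a_dropped": a.dropped}


if __name__ == "__main__":
    print("naive  :", simulate(careful=False))
    print("careful:", simulate(careful=True))
```

With the naive policy both directions lose packets for the whole `install_delay` window (the black hole from the mail); with the careful policy nothing is lost, and because the old SA is never kept past `HARD_LIFE`, the hard lifetime still bounds how long the old pair exists even if the peer's rekey is slow.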