
Re: Lifetime & rekeying




>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
>>>>> "Ramana" == Ramana Yarlagadda <ramana@chiplogic.com> writes:

    Ramana> Yes, the RFC doesn't talk about how to derive the softlife
    Ramana> time value, but section 4.4.3 talks about the guidelines,
    Ramana> and it is clear from the RFC that it is implementation
    Ramana> specific.

    Paul> That's sensible.  If you want to rekey before the hard expiration of
    Paul> the SA, that's fine, and you can do so at any time.  There are no
    Paul> interoperability issues (it doesn't matter what rules you use) so it
    Paul> is proper for protocol standards to be silent about this.

    Ramana> A long time back there was a draft from Tim Jenkins about IPsec
    Ramana> re-keying issues, and if I remember, even that doesn't talk
    Ramana> about the specific values (to derive softlife time values).

    Paul> Tim's draft was addressing a different issue, which is how to
    Paul> coordinate the changeover from the old SA pair to the new SA pair so
    Paul> you would (a) delete the right SAs after rekeying, (b) not lose
    Paul> packets by sending to an SA the other side had already deleted.

  draft-spencer-ipsec-ike-implementation-01.txt proposes a clear method to
do this transition.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
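The two points in the thread, a soft lifetime that is purely a local policy and the old-to-new SA changeover, can be shown together in a small model. The following is an added example written for this archive page; it is not code from the thread, from Tim Jenkins' draft, or from draft-spencer-ipsec-ike-implementation-01.txt. The policy values (soft lifetime at 80% of the hard lifetime minus up to 10% random jitter, a 30 second grace period for superseded inbound SAs) and the `SaDatabase` class and its method names are assumptions chosen for illustration; the ordering of the changeover steps follows Paul's description above: accept the new inbound SA first, move sending to the new SA, delete the old outbound SA at once, and keep the old inbound SA long enough that nothing the peer already sent is lost.

```python
"""Model of IPsec SA soft/hard lifetimes and the old->new SA changeover.

Added example; the policy values (80% soft lifetime, 10% jitter, 30 s grace)
are assumptions, not values taken from any RFC or draft.
"""
import random
from dataclasses import dataclass


@dataclass
class SA:
    spi: int
    soft_expiry: float  # time at which we start rekeying (local policy)
    hard_expiry: float  # time at which the SA must be deleted regardless


def soft_lifetime(hard_seconds, fraction=0.8, jitter=0.1, rng=random.random):
    """Seconds after installation at which rekeying should begin.

    Assumed policy: a fixed fraction of the hard lifetime, pulled earlier by a
    random amount so that two peers with identical settings do not both start
    rekeying at the same instant and race to create duplicate SA pairs.
    """
    if hard_seconds <= 0:
        raise ValueError("hard lifetime must be positive")
    if not 0 < fraction - jitter < fraction < 1:
        raise ValueError("soft lifetime must fall strictly inside the hard lifetime")
    return hard_seconds * (fraction - jitter * rng())


class SaDatabase:
    """One endpoint's view of a single SA pair and its replacement (assumed API)."""

    GRACE = 30.0  # seconds an old inbound SA stays installed after changeover (assumed)

    def __init__(self, now, hard_lifetime, rng=random.random):
        self.hard_lifetime = hard_lifetime
        self.rng = rng
        self.inbound = {}       # spi -> SA on which we still accept packets
        self.retire_at = {}     # spi of a superseded inbound SA -> deletion time
        self.outbound = None    # the single SA we send on
        self._next_spi = 1
        self._changeover(now)

    def _new_pair(self, now):
        soft = now + soft_lifetime(self.hard_lifetime, rng=self.rng)
        hard = now + self.hard_lifetime
        # One SPI per direction; both directions share the negotiated lifetimes.
        inbound = SA(self._next_spi, soft, hard)
        outbound = SA(self._next_spi + 1, soft, hard)
        self._next_spi += 2
        return inbound, outbound

    def _changeover(self, now):
        """Install the new pair, switch sending to it, and retire the old one."""
        new_in, new_out = self._new_pair(now)
        # (1) Accept traffic on the new inbound SA before anything else, so the
        #     peer's first packets on the new SPI are never dropped.
        self.inbound[new_in.spi] = new_in
        old_out = self.outbound
        # (2) Send only on the new SA from now on.  The old outbound SA can be
        #     deleted at once: nothing of ours will use it again.
        self.outbound = new_out
        # (3) Keep every old inbound SA for a grace period (bounded by its hard
        #     expiry) so packets the peer sent on it before switching still decrypt.
        for spi, sa in self.inbound.items():
            if spi != new_in.spi and spi not in self.retire_at:
                self.retire_at[spi] = min(sa.hard_expiry, now + self.GRACE)
        return old_out

    def tick(self, now):
        """Advance time; return the list of actions taken, in order."""
        actions = []
        if now >= self.outbound.hard_expiry:
            # Failure mode: the hard lifetime ran out before rekeying happened.
            actions.append(("hard_expiry", self.outbound.spi))
        if now >= self.outbound.soft_expiry:
            old = self._changeover(now)
            actions.append(("rekeyed", old.spi, self.outbound.spi))
        for spi in [s for s, t in self.retire_at.items() if now >= t]:
            del self.inbound[spi]
            del self.retire_at[spi]
            actions.append(("deleted_inbound", spi))
        return actions


if __name__ == "__main__":
    db = SaDatabase(now=0.0, hard_lifetime=3600.0, rng=lambda: 0.5)
    for t in (1000.0, 2700.0, 2730.0):
        print(t, db.tick(t), "inbound SPIs:", sorted(db.inbound))
```

With a fixed `rng` returning 0.5 and a 3600 second hard lifetime, the soft lifetime comes out at 2700 seconds; the tick at 2700 installs the new pair and switches sending, and the old inbound SA is only deleted 30 seconds later. Because `soft_lifetime` is the only place policy enters, each side can pick its own value without any effect on interoperability, which is Paul's point.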