Re: Lifetime & rekeying
>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
>>>>> "Ramana" == Ramana Yarlagadda <ramana@chiplogic.com> writes:
Ramana> Yes, the RFC doesn't talk about how to derive the softlife
Ramana> time value, but section 4.4.3 talks about the guidelines,
Ramana> and it is clear from the RFC that it is implementation
Ramana> specific.
Paul> That's sensible. If you want to rekey before the hard expiration of
Paul> the SA, that's fine, and you can do so at any time. There are no
Paul> interoperability issues (it doesn't matter what rules you use) so it
Paul> is proper for protocol standards to be silent about this.
Ramana> A long time back there was a draft from Tim Jenkins about IPSec
Ramana> re-keying issues, and if I remember, even that doesn't talk
Ramana> about the specific values (to derive softlife time values).
Paul> Tim's draft was addressing a different issue, which is how to
Paul> coordinate the changeover from the old SA pair to the new SA pair so
Paul> you would (a) delete the right SAs after rekeying, (b) not lose
Paul> packets by sending to an SA the other side had already deleted.
draft-spencer-ipsec-ike-implementation-01.txt proposes a clear method to
do this transition.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
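The two changeover problems Paul names above, (a) deleting the right SAs after a rekey and (b) not sending to an SA the other side has already deleted, in a toy model added here as an example (not code from this thread or from the drafts it mentions): the initiator switches its outbound SA as soon as the new pair exists, the responder only once it sees traffic on the new SA, and each side deletes an old inbound SA only after a packet on the newer one proves it superseded. The soft and hard lifetimes, SPIs and time step are constructed values; an `eager_delete` flag shows the naive variant losing packets.

```python
class SA:
    """One direction of an SA pair with the soft/hard lifetimes the thread discusses."""
    def __init__(self, spi, created, soft, hard):
        self.spi, self.created, self.soft, self.hard = spi, created, soft, hard
    def soft_expired(self, now):   # time to start rekeying; the value is implementation-chosen
        return now - self.created >= self.soft
    def hard_expired(self, now):   # the SA must never be used past this point
        return now - self.created >= self.hard

class Peer:
    def __init__(self):
        self.outbound, self.inbound, self.dropped = None, {}, 0
        self.pending_out = None    # new outbound SA, held until the peer proves it is live
    def receive(self, spi, now):
        sa = self.inbound.get(spi)
        if sa is None or sa.hard_expired(now):
            self.dropped += 1      # problem (b): sent to an SA this side no longer accepts
            return False
        if self.pending_out is not None:   # peer is already on the new pair: switch too
            self.outbound, self.pending_out = self.pending_out, None
        for old in [s for s in self.inbound.values() if s.created < sa.created]:
            del self.inbound[old.spi]  # problem (a): delete only what this packet proves superseded
        return True

def rekey(initiator, responder, now, spi, soft, hard, eager_delete=False):
    """Initiator switches outbound at once; responder waits for traffic on the new SA."""
    i2r, r2i = SA(spi, now, soft, hard), SA(spi + 1, now, soft, hard)
    responder.inbound[i2r.spi], initiator.inbound[r2i.spi] = i2r, r2i
    initiator.outbound, responder.pending_out = i2r, r2i
    if eager_delete:               # naive variant: drop the old inbound SA immediately
        initiator.inbound = {r2i.spi: r2i}

def simulate(soft=60, hard=90, step=10, end=200, eager_delete=False):
    """Both peers send one packet per step; returns (rekeys, packets dropped, max inbound SAs)."""
    a, b = Peer(), Peer()
    rekey(a, b, 0, 1, soft, hard)
    b.outbound, b.pending_out = b.pending_out, None   # initial pair is live on both sides
    rekeys, next_spi, max_inbound = 0, 3, 1
    for now in range(0, end, step):
        if a.outbound.soft_expired(now):              # soft lifetime reached: rekey early
            rekey(a, b, now, next_spi, soft, hard, eager_delete)
            rekeys, next_spi = rekeys + 1, next_spi + 2
        a_spi, b_spi = a.outbound.spi, b.outbound.spi  # the two packets cross on the wire
        b.receive(a_spi, now)
        a.receive(b_spi, now)
        max_inbound = max(max_inbound, len(a.inbound), len(b.inbound))
    return rekeys, a.dropped + b.dropped, max_inbound

if __name__ == "__main__":
    print("careful:", simulate(), "eager delete:", simulate(eager_delete=True))
```

With the careful changeover every rekey at the soft lifetime completes with no drops and at most two inbound SAs installed per side; deleting the old inbound SA eagerly loses one packet per rekey.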