
SA Lifetime (Soft and Hard)



Hi,
Following is my interpretation of the lifetimes (soft and hard) for
automatic keying as specified in RFC 2401. Could you please correct me
in case of any errors.

Soft Lifetime: When the soft lifetime of an SA expires, a warning is given to
the implementation to initiate an action such as setting up a replacement
SA. The SA is still used for further processing. Here setting up replacement
SA means refreshing of the Encryption and/or Authentication keys. As soon as
the keys are refreshed, this new SA will be used for further processing.

I am trying to illustrate this with the help of an example:

e.g. SPD1 -------> SADB1 (Consider Policy1 points to SADB entry1 in the
database).

Soft Lifetime: 100 hrs from the created time

Hard Lifetime: 1000 hrs from the created time

Consider Soft Lifetime of SADB1 expires. A warning is given, an action for
key refreshing is initiated. The current processing is done with the old
keys. As soon as the keys are refreshed, SADB1 with the refreshed keys is
used for packet processing.

New Soft Lifetime: 100 hrs from the refreshed time?

New Hard Lifetime: 1000 hrs from the refreshed/created time??



Hard Lifetime: Expiration of the hard lifetime means the SA currently used
should be deleted. Since the policies accessing those SAs still exist, they
will not point to any SA.

e.g. SPD1 -------> SADB1

Soft Lifetime: 100 hrs from the created time

Hard Lifetime: 1000 hrs from the created time

Consider Hard Lifetime of SADB1 expires. The SADB1 entry is deleted. Thus,

SPD1 --------> NULL

Now, how will the new SA be created?



Regards,

-Amol.
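Added example (not from the post above and not code from any IPsec implementation): a small Python simulation of the soft/hard lifetime handling the message walks through, using the 100 h / 1000 h values from the post as constructed sample lifetimes. The `Keying` class is a stand-in for the automated keying protocol (IKE) that hands out a new SPI and fresh key material; the names `IPsecStack`, `SPDEntry`, `process_packet` and `expire` are this example's own. Two assumptions are built in and marked in comments: the replacement SA's lifetimes count from its own creation time, and a policy that points to no SA triggers an on-demand negotiation when traffic matches it.

```python
"""Simulation of RFC 2401 soft/hard SA lifetimes (added example, not from the post)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lifetimes from the post, in hours (constructed sample values).
SOFT_LIFETIME = 100.0
HARD_LIFETIME = 1000.0


@dataclass
class SA:
    spi: int
    key: bytes                   # encryption/authentication key material
    created_at: float            # hours since simulation start
    soft_lifetime: float
    hard_lifetime: float

    def soft_expired(self, now: float) -> bool:
        return now - self.created_at >= self.soft_lifetime

    def hard_expired(self, now: float) -> bool:
        return now - self.created_at >= self.hard_lifetime


class Keying:
    """Stand-in for the automated keying protocol (IKE): allocates a new SPI and
    fresh keys.  `available` models whether a negotiation can complete."""

    def __init__(self) -> None:
        self._next_spi = 0x1000
        self.available = True

    def negotiate(self, now: float) -> Optional[SA]:
        if not self.available:
            return None
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        # Assumption: the replacement's lifetimes count from its own creation time.
        return SA(spi, secrets.token_bytes(16), now, SOFT_LIFETIME, HARD_LIFETIME)


@dataclass
class SPDEntry:
    name: str
    spi: Optional[int] = None    # pointer into the SADB; None = points to no SA


@dataclass
class IPsecStack:
    keying: Keying
    spd: SPDEntry
    sadb: Dict[int, SA] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def _install(self, sa: SA) -> None:
        self.sadb[sa.spi] = sa
        self.spd.spi = sa.spi
        self.events.append(f"{self.spd.name} -> SPI {sa.spi:#x}")

    def expire(self, now: float) -> None:
        """Hard lifetime: delete the SA; a policy that used it now points to NULL."""
        for spi in [s for s, sa in self.sadb.items() if sa.hard_expired(now)]:
            del self.sadb[spi]
            self.events.append(f"SPI {spi:#x} deleted (hard lifetime)")
            if self.spd.spi == spi:
                self.spd.spi = None
                self.events.append(f"{self.spd.name} -> NULL")

    def process_packet(self, now: float) -> Optional[int]:
        """Return the SPI used to protect an outbound packet at time `now`."""
        self.expire(now)
        sa = self.sadb.get(self.spd.spi) if self.spd.spi is not None else None
        if sa is None:
            # Assumption: no SA behind the policy (fresh start or after hard
            # expiry) means a new SA is negotiated on demand for matching traffic.
            sa = self.keying.negotiate(now)
            if sa is None:
                self.events.append("packet dropped: no SA and keying unavailable")
                return None
            self._install(sa)
        elif sa.soft_expired(now):
            # Soft lifetime: warn and set up a replacement.  The old SA keeps
            # protecting traffic until the replacement is installed; a real
            # implementation would rate-limit these retries.
            self.events.append(f"SPI {sa.spi:#x} soft lifetime expired, rekeying")
            replacement = self.keying.negotiate(now)
            if replacement is not None:
                self._install(replacement)
                sa = replacement
        return sa.spi


if __name__ == "__main__":
    stack = IPsecStack(Keying(), SPDEntry("SPD1"))
    for t in (0.0, 50.0, 100.0, 200.0, 1100.0):
        print(f"t={t:6.0f}h  SPI used: {stack.process_packet(t)}")
    print("\n".join(stack.events))
```

Running the scenario shows both branches from the post: at the soft expiry the SPD pointer moves to the replacement SA while the old entry lingers in the SADB until its own hard lifetime, and when the hard lifetime passes with no replacement available the SADB entry is removed and the policy points to NULL, leaving the next matching packet to trigger a fresh negotiation.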