
SA Refresh: When Lifetime in Bytes ??



Hi,

I had a doubt in the implementation of IPsec SA
Lifetime(Hard and Soft) when specified in bytes.

Consider following scenario:

Current_Bytes /* Number of bytes processed by IPsec */

Soft_Lifetime_Byte /* holds relative value, e.g.
1000 bytes. So to check if this is expired you take the
current value; if it is greater than or equal to
Soft_Lifetime_Byte you say that the Soft Lifetime
has expired. */

Hard_Lifetime_Byte /* holds relative value, e.g.
100000 bytes. So to check if this is expired you take
the current value; if it is greater than or equal to
Hard_Lifetime_Byte you say that the Hard Lifetime has
expired. */

I suppose the major problem with bytes could arise
due to the faulty nature of the link which carries
IPseced packets. Due to this (loss of packets on the
link), the CURRENT BYTES COUNT (the number of bytes
processed by IPsec) at transmitter and responder could
differ.
This may not lead to a problem with Soft Life Bytes,
as the one whose CURRENT BYTES COUNT matches the Soft
byte count early would trigger an SA Refresh.
Please correct me if I am wrong.

But with Hard Life Time the problem would arise when
there is a discrepancy of the CURRENT BYTES COUNT at
the Responder and Initiator.
Suppose at the Initiator, the CURRENT BYTES COUNT
reaches the Hard Life (bytes) earlier and deletes its
SAs. But at the Responder the SAs remain active
forever, as their CURRENT BYTES COUNT would freeze and
never reach the Hard Life Bytes value.

How do we solve this problem?

I appreciate your help in this regard.

Thanks and Regards,
Ranjeet Barve.
M.Tech, IIT Bombay


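The scenario in the post, as an added simulation that is not part of the original message or of any IPsec implementation: one SA with soft and hard byte lifetimes is accounted independently at the initiator (bytes sent) and the responder (bytes received), and a deterministic loss pattern makes the two counters drift apart. The packet sizes, lifetimes and loss pattern are constructed values, and the `notify_delete` flag is an assumption that models the initiator telling the responder to tear the SA down when its own hard lifetime expires (a real implementation would do this with an IKE Delete notification rather than a direct call).

```python
"""Simulation of IPsec SA byte-lifetime accounting at two peers over a lossy
link. Added illustration, not code from the original thread; every name and
number below is constructed for the example."""
from dataclasses import dataclass


@dataclass
class SAByteLifetime:
    """Per-peer byte accounting for one IPsec SA (one direction of traffic)."""
    soft_lifetime_bytes: int          # relative limit, e.g. 1000 bytes
    hard_lifetime_bytes: int          # relative limit, e.g. 100000 bytes
    current_bytes: int = 0            # bytes processed by IPsec under this SA
    refresh_triggered: bool = False   # soft limit reached: request an SA refresh
    deleted: bool = False             # hard limit reached: SA torn down

    def account(self, nbytes: int) -> None:
        """Credit nbytes to the SA and apply the soft and hard checks."""
        if self.deleted:
            return                    # a deleted SA processes nothing further
        self.current_bytes += nbytes
        if not self.refresh_triggered and self.current_bytes >= self.soft_lifetime_bytes:
            self.refresh_triggered = True
        if self.current_bytes >= self.hard_lifetime_bytes:
            self.deleted = True


def simulate(npackets: int, packet_size: int, drop_every: int,
             soft: int, hard: int, notify_delete: bool) -> dict:
    """Initiator sends npackets of packet_size bytes; every drop_every-th packet
    is lost on the link, so the responder credits fewer bytes than the sender.

    notify_delete=True is the assumed remedy: when the initiator's hard lifetime
    expires it explicitly tells the responder to delete the SA as well."""
    initiator = SAByteLifetime(soft, hard)
    responder = SAByteLifetime(soft, hard)
    first_refresh = None              # which peer hit the soft lifetime first

    for seq in range(1, npackets + 1):
        initiator.account(packet_size)
        if initiator.refresh_triggered and first_refresh is None:
            first_refresh = "initiator"

        if seq % drop_every != 0:     # packet survives the link
            responder.account(packet_size)
            if responder.refresh_triggered and first_refresh is None:
                first_refresh = "responder"

        if initiator.deleted:
            # Initiator hard-expired: without a delete notification the
            # responder's counter simply freezes below its own hard limit.
            if notify_delete:
                responder.deleted = True
            break

    return {
        "initiator_bytes": initiator.current_bytes,
        "responder_bytes": responder.current_bytes,
        "first_refresh": first_refresh,
        "initiator_deleted": initiator.deleted,
        "responder_deleted": responder.deleted,
    }


if __name__ == "__main__":
    # Constructed run: 100-byte packets, soft 1000 / hard 5000 bytes, every
    # 5th packet lost. Compare the dangling-SA case with the notified case.
    for notify in (False, True):
        print(f"notify_delete={notify}:",
              simulate(60, 100, 5, soft=1000, hard=5000, notify_delete=notify))
```

With the loss pattern above the initiator reaches its hard limit at 5000 bytes while the responder has only counted 4000, so without a notification the responder's SA never expires by byte count; the soft limit is reached first by the initiator, which is the peer that would drive the refresh. The simulation shows why byte-based hard lifetimes at the two ends cannot be expected to agree, and why a teardown needs an explicit signal rather than matching counters.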