RE: IKE lifetime seconds
Some implementations will automatically rekey the IKE SA and some won't. This
issue was never resolved in the RFCs, and it became known as the "continuous
channel mode" vs. "dangling sa" debate. The failure to standardize this issue
has led to a myriad of interoperability bugs.
There is some indication that the issue will be resolved in favour of
continuous channel mode. This is the recommendation of draft-spencer and it was
also proposed in draft-jenkins (an expired draft on rekeying). Also, IKEv2
mandates continuous channel mode.
Andrew
-------------------------------------------
There are no rules, only regulations. Luckily, history has shown that with
time, hard work, and lots of love, anyone can be a technocrat.
When the ike protection suite lifetime is reached (either in time or kb),
the IKE sa is deleted. I've seen nothing that suggests that it should be
automatically renegotiated like an ipsec SA. I'm assuming that the IKE sa
must be negotiated again via the receipt of a packet which requires ipsec
protection.
Is this correct, that there should be no automatic renegotiation of the IKE sa?
Thanks
Jim --
Jim Comen jcomen@torrentnet.com
Ericsson IP Infrastructure Voice (919) 472 - 9932
920 Main Campus Drive, Suite 544 Fax (919) 472 - 9999
Raleigh, NC 27606