List: ipsec
Subject: Re: Lifetime & rekeying
From: Michael Richardson <mcr () sandelman ! ottawa ! on ! ca>
Date: 2002-02-22 0:08:44
>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
>>>>> "Ramana" == Ramana Yarlagadda <ramana@chiplogic.com> writes:
Ramana> Yes, the RFC doesn't talk about how to derive the softlife
Ramana> time value, but section 4.4.3 talks about the guidelines,
Ramana> and it is clear from the RFC that it is implementation
Ramana> specific.
Paul> That's sensible. If you want to rekey before the hard expiration of
Paul> the SA, that's fine, and you can do so at any time. There are no
Paul> interoperability issues (it doesn't matter what rules you use) so it
Paul> is proper for protocol standards to be silent about this.
Ramana> Long time back there was a draft from Tim Jenkins about IPSec
Ramana> re-keying issues. And if I remember, even that doesn't talk
Ramana> about the specific values (to derive softlife time values).
Paul> Tim's draft was addressing a different issue, which is how to
Paul> coordinate the changeover from the old SA pair to the new SA pair so
Paul> you would (a) delete the right SAs after rekeying, (b) not lose
Paul> packets by sending to an SA the other side had already deleted.
draft-spencer-ipsec-ike-implementation-01.txt proposes a clear method to
do this transition.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [