Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: Jun-ichiro itojun Hagino <email@example.com>
From: Kimmo Suominen <firstname.lastname@example.org>
Date: 01/09/2005 22:56:04
On Mon, Jan 10, 2005 at 12:42:38PM +0900, Jun-ichiro itojun Hagino wrote:
> > >Synopsis: racoon leaves old SA's in kernel
> IPsec/IKE specification does not define how to re-negotiate keys
> nor how to use old/new key, and behavior is totally implementation-
> dependent. racoon and netbsd are following guidances in
> draft-jenkins-ipsec-rekeying-xx (keep old key and use old key until
> old key really expires).
This seems to result in traffic being discarded by the receiver, which
no longer has the old keys used by the sender.
Or am I missing something?
Should the key lifetime just be set to something extremely low to avoid