tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: why is SA lifetime kilobyte limit disabled in racoon?

Hi Matthias,

I've heard about one of the problem of supporting life-bytes is
"when is IPsec-SA marked as used?"

When Node-A sent a 1500 bytes packet to Node-B, Node-A marked
IPsec-SA as used and count used-bytes up. But the packet may
lost. In this case, Node-B can't count used-bytes. Even if
Node-A think IPsec-SA is expired at this time, Node-B doen't
think so. i.e. the states of IPsec-SA is mismatched.

Racoon's strategy of rekeying is "Initiator do it." If Node-B
is responder, Node-A doesn't start rekeying even if IPsec-SA is

The packet may lost in Internet, and also lost in protocol stacks.
Works of protocol stacks are implementation issue. So life-byte
behavior has interoperability problem.

I don't know this is all of the problem or not...
I want to know other reasons if someone know it.

Internet Initiative Japan Inc.

Product Technology Section,
Product Development Division,
SEIL Business Unit

SUENAGA Hiroki <>

On 2011/05/19, at 0:50, Matthias Drochner wrote:

> Hi -
> racoon does not allow to specify a lifetime type of kilobytes.
> A config file containing such a rule is rejected; the message is
> "byte lifetime support is deprecated".
> I haven't found any reference why this is the case, and no
> other IKE implementation which doesn't allow asuch a volume
> limit.
> Someone asked about that on the KAME mailing list but didn't
> get an answer.
> Does anyone here remember of a reason why racoon does
> do this?
> (Not that I need it, but it causes confusion.)
> best regards
> Matthias
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Sitz der Gesellschaft: Juelich
> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
> Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher
> Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
> Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------
> Besuchen Sie uns auf unserem neuen Webauftritt unter

Home | Main Index | Thread Index | Old Index