tech-net archive
Re: why is SA lifetime kilobyte limit disabled in racoon?
Hi Matthias,
I've heard that one of the problems with supporting life-bytes is
"when is an IPsec-SA marked as used?"
When Node-A sends a 1500-byte packet to Node-B, Node-A marks the
IPsec-SA as used and counts the used-bytes up. But the packet may be
lost. In this case, Node-B can't count the used-bytes. Even if
Node-A thinks the IPsec-SA is expired at this time, Node-B doesn't
think so, i.e. the states of the IPsec-SA are mismatched.
Racoon's strategy for rekeying is "the initiator does it." If Node-B
is the responder, Node-A doesn't start rekeying even if the IPsec-SA is
expired.
The packet may be lost on the Internet, and also lost in protocol stacks.
How protocol stacks work is an implementation issue. So life-byte
behavior has an interoperability problem.
I don't know whether this is all of the problems or not...
I want to know other reasons if someone knows them.
----------
Internet Initiative Japan Inc.
Product Technology Section,
Product Development Division,
SEIL Business Unit
SUENAGA Hiroki <hsuenaga%iij.ad.jp@localhost>
On 2011/05/19, at 0:50, Matthias Drochner wrote:
>
> Hi -
> racoon does not allow specifying a lifetime type of kilobytes.
> A config file containing such a rule is rejected; the message is
> "byte lifetime support is deprecated".
>
> I haven't found any reference why this is the case, and no
> other IKE implementation which doesn't allow such a volume
> limit.
> Someone asked about that on the KAME mailing list but didn't
> get an answer.
>
> Does anyone here remember a reason why racoon does
> this?
> (Not that I need it, but it causes confusion.)
>
> best regards
> Matthias
>
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Amtsgericht Dueren No. HR B 3498
> Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
> Management: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------------------------------
>
> Visit us at our new website at www.fz-juelich.de
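As an added illustration of the byte-count mismatch Hiroki describes above (example code written for this page, not racoon's code and not part of the thread): a small Python model in which Node-A counts a packet before sending it, Node-B counts it only if it arrives, and only the IKE initiator starts rekeying. The `SaEndpoint` and `simulate` names, the 148000-byte limit and the drop pattern are constructed assumptions.

```python
# Constructed model of the life-byte mismatch described in the thread.
# Assumption: each peer counts an SA's bytes independently; the sender
# counts a packet when it hands it to IPsec, the receiver only on arrival.

class SaEndpoint:
    """One end of an IPsec SA with a byte-lifetime counter (hypothetical)."""

    def __init__(self, name, byte_limit, is_initiator):
        self.name = name
        self.byte_limit = byte_limit
        self.is_initiator = is_initiator  # racoon: only the initiator rekeys
        self.used_bytes = 0

    def account(self, nbytes):
        self.used_bytes += nbytes

    def expired(self):
        return self.used_bytes >= self.byte_limit

    def wants_rekey(self):
        # Policy mirroring the thread: a responder never starts rekeying.
        return self.is_initiator and self.expired()


def simulate(packet_sizes, byte_limit, lost, initiator="A"):
    """Send packets A -> B; packet indices in `lost` never reach B.

    Returns each side's view of the SA so the divergence is visible."""
    node_a = SaEndpoint("A", byte_limit, initiator == "A")
    node_b = SaEndpoint("B", byte_limit, initiator == "B")
    for idx, size in enumerate(packet_sizes):
        node_a.account(size)          # counted before transmission
        if idx not in lost:
            node_b.account(size)      # counted only when it arrives
    return {
        "A_used": node_a.used_bytes,
        "B_used": node_b.used_bytes,
        "A_expired": node_a.expired(),
        "B_expired": node_b.expired(),
        "rekey_started": node_a.wants_rekey() or node_b.wants_rekey(),
    }


if __name__ == "__main__":
    # Constructed sample: 100 x 1500-byte packets, every 10th one dropped.
    pkts = [1500] * 100
    drops = {i for i in range(100) if i % 10 == 9}
    for who in ("A", "B"):
        print(who, "initiates:", simulate(pkts, 148_000, drops, initiator=who))
```

With Node-A as initiator the SA is rekeyed once A's counter passes the limit; with Node-B as initiator, B's lower counter never reaches it and nobody rekeys, which is the stuck state the mail points at.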