tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: why is SA lifetime kilobyte limit disabled in racoon?

  When Node-A sent a 1500 bytes packet to Node-B, Node-A marked
  IPsec-SA as used and count used-bytes up. But the packet may
  lost. In this case, Node-B can't count used-bytes. Even if
  Node-A think IPsec-SA is expired at this time, Node-B doen't
  think so. i.e. the states of IPsec-SA is mismatched.

  Racoon's strategy of rekeying is "Initiator do it." If Node-B
  is responder, Node-A doesn't start rekeying even if IPsec-SA is

That sounds like a bug in racoon.  It seems that if either end is
unsatisfied with the SA, that end should trigger a new one.  But the key
question is what the other implementions do, and what the standard says.

That said, I can see the argument that especially with a 24h or less
lifetime, AES doesn't need volume-based rekeying.

Attachment: pgpHqYnajhzZY.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index