tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: why is SA lifetime kilobyte limit disabled in racoon?

Matthias Drochner <> writes:

>> But the key
>> question is what the other implementions do, and what the standard says.
> I've just tried OpenBSD's isakmpd (the oldish version in pkgsrc).
> It initiates a Phase 2 exchange if the soft timeout on its
> side expires, even if it was responder initially. (It randomizes
> the soft timeouts to minimize the chance that both sides start
> the exchange simultanously.)
> PFC2409 says that both sides can initiate rekeying. "Can" --
> this is not much of a guideline for implementors.

True, but it seems the original responder initiating a renegotiation is
the only reasonable behavior.

>> I can see the argument that especially with a 24h or less
>> lifetime, AES doesn't need volume-based rekeying.
> OK, I was more concerned about interoperability. What if
> the other side insists in some volume limit?

Then I think it's in the proposal, and agreed to or not.  But if the
other side just asks to renew the phase 2 sa, I think that works,
standards wise, and might actually work.

Attachment: pgpMSv2AjnTSw.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index