best practice for ipsec outbound SA selection?

[Matthias Drochner <M.Drochner%fz-juelich.de@localhost>]

Hi -
the KAME based IPSEC code uses always the oldest non-expired
SA (security association, basically the crypto key) for outgoing
packets.
FAST_IPSEC has the option to use the newest one (by sysctl).
Both strategies can cause interopability problems. (There
are eg some related PRs in NetBSD's bug database.)

There is an old paper "draft-jenkins-ipsec-rekeying-06.txt"
which discusses the problems, but according to comments
in the ipsec IETF mailing list not everyone is happy with the
conclusions drawn in that paper.

Did anyone of you follow the discussions and can tell what
can be considered best practice these days?
Is there any information how popular commercial implementations
behave?

best regards
Matthias



------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Besuchen Sie uns auf unserem neuen Webauftritt unter www.fz-juelich.de