tech-net archive


Re: why is SA lifetime kilobyte limit disabled in racoon?



gdt%ir.bbn.com@localhost said:
> > RFC2409 says that both sides can initiate rekeying. "Can" --
> > this is not much of a guideline for implementors.
> True, but it seems the original responder initiating a renegotiation
> is the only reasonable behavior.

Why? With racoon, only the original initiator can initiate a
renegotiation. Your hypothetical IKE implementation wouldn't
interoperate with racoon.
As said, I think for best interoperability there shouldn't
be any assumptions like this. Each side should renegotiate
if it thinks its soft timeout (which is a local assumption
anyway) is expired.

[volume limit]
> > OK, I was more concerned about interoperability. What if
> > the other side insists on some volume limit?
> Then I think it's in the proposal, and agreed to or not.

But if I can't even specify in my local configuration that
I want to put a volume limit into my proposal or accept
one from the other side, it is possible that the negotiation
doesn't succeed - depending on the implementation at the
other side.

best regards
Matthias




