<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE>Key lifetimes</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">Hi,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I wanted to get a quick clarification on the key lifetimes in Openswan. From man ipsec.conf I see:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">keylife = IPsec SA lifetime with 8hr default and max 24hr</FONT>
<BR><FONT SIZE=2 FACE="Arial">ikelifetime = IKE SA lifetime with 1hr default and max 8hr</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">My confusion is why the default lifetime for the IKE SA is shorter than the IPsec SA (and why the max is shorter too). Since the IKE SA is just used to encrypt the data for establishing the IPsec SA and not to encrypt the actual user data, with these defaults IKE will unneccesarily rekey multiple times before a new IPsec SA negotiation is set to occur.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">In my experience most people will set a longer IKE lifetime (say 4 hrs) and a shorter ESP lifetime (say 1 hr), but the Openswan defaults seem to be the opposite. The logic behind this is that if someone manages to determine your ESP SA key they will be able to decrypt the data for that time window. Some VPNs I worked on set the ESP lifetime to as short as 10 minutes for this reason. If someone compromises your IKE SA they won't be able to decrypt user data, but they could try to spoof a connection to get a ESP SA.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Am I missing something? Is there any reason that I shouldn't have a shorter ESP lifetime?</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">-mike</FONT>
</P>
</BODY>
</HTML>