[Openswan dev]

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Jan 19 12:02:44 CET 2006




First, let me say that the decision for a 1 hour IKE lifetime was made
for convenience more than anything else.  

The 8 hour IPsec lifetime came from the specification, true.
KLIPS supports byte and packet based expiry, but pluto never actually
uses those.  (We have KLIPS test cases for it even...) 

In general, you want to rekey your IPsec SAs when they get
"chewed" up. (1Gb is considered enough data for a ~128bit key. I don't
know the math behind that)

Second, *swan doesn't care about lifetimes. IKEv2 acknowledges what
Henry and DHR observed --- a peer that wants a shorter lifetime than the
peer can just rekey earlier. In IKEv2, lifetimes are just notifications.

pluto will accept any lifetime the other end proposes.
Other vendors aren't so clueful.  You should file bugs with the vendors
on this topic. It's a serious interoperability issue, and you can point
out that RFC4306 makes it clear that IKEv1 got this wrong.

>>>>> "Tuomo" == Tuomo Soini <tis at foobar.fi> writes:
    Tuomo> Another issue is short IKE SA lifetime. It seems to be common
    Tuomo> interoperability issue that responder has shorter IKE
    Tuomo> lifetime than initiator.

  Many systems do this so that the initiator will remain the initiator.

    Tuomo> I attach patch to address that for known windows
    Tuomo> connections. Same patch removes things for type=transport and
    Tuomo> rightsubnet which should be fixed for 2.4.5 so it can be
    Tuomo> defined.

  Your patches to the examples seem sane.
  Are you using git yet? (git-format-patch output against our #public
would be great)

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
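A small Python model of the lifetime behaviour discussed in the message, added here as an example (it is not Openswan/pluto code): each IKEv2 peer applies only its own time/byte/packet policy and the side that expires first rekeys, while a "strict" IKEv1 responder check stands in for the vendor behaviour the message calls an interoperability problem. Policy values, traffic rates and the `strict` flag are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class LifetimePolicy:
    seconds: int          # time-based expiry (e.g. 3600 for IKE, 28800 for IPsec)
    max_bytes: int = 0    # 0 = no byte-based expiry (pluto never sets one)
    max_packets: int = 0  # 0 = no packet-based expiry


def time_to_expiry(policy, bytes_per_second, packets_per_second=0):
    """Earliest second at which any limit in `policy` is hit, with the reason.

    Constructed model: traffic is assumed to flow at a constant rate, so the
    byte and packet limits convert directly into a number of seconds.
    """
    candidates = [(policy.seconds, "time")]
    if policy.max_bytes and bytes_per_second > 0:
        candidates.append((math.ceil(policy.max_bytes / bytes_per_second), "bytes"))
    if policy.max_packets and packets_per_second > 0:
        candidates.append((math.ceil(policy.max_packets / packets_per_second), "packets"))
    return min(candidates)


def first_rekey(initiator, responder, bytes_per_second, packets_per_second=0):
    """IKEv2 model: lifetimes are local, so each side only watches its own
    policy and whichever side reaches a limit first simply rekeys earlier.
    Returns (seconds_until_rekey, side, reason)."""
    i_t, i_why = time_to_expiry(initiator, bytes_per_second, packets_per_second)
    r_t, r_why = time_to_expiry(responder, bytes_per_second, packets_per_second)
    if r_t < i_t:
        return r_t, "responder", r_why
    return i_t, "initiator", i_why


def ikev1_lifetime_accepted(responder_seconds, proposed_seconds, strict):
    """IKEv1 model: pluto accepts any proposed lifetime (strict=False); a
    strict responder (assumed vendor behaviour) rejects a proposal whose
    lifetime is longer than its own, which is where negotiations break."""
    return (not strict) or proposed_seconds <= responder_seconds


if __name__ == "__main__":
    # Constructed policies: initiator 8h + 1e9-byte cap, responder 1h time only.
    init = LifetimePolicy(8 * 3600, max_bytes=10**9)
    resp = LifetimePolicy(3600)
    print(first_rekey(init, resp, bytes_per_second=100_000))    # (3600, 'responder', 'time')
    print(first_rekey(init, resp, bytes_per_second=1_000_000))  # (1000, 'initiator', 'bytes')
    print(ikev1_lifetime_accepted(3600, 28800, strict=True))   # False
```

At low throughput the responder's 1-hour lifetime wins, at high throughput the byte cap triggers well before any time limit, which is the "chewed up" case the message describes.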