[Openswan dev]

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Jan 19 12:02:44 CET 2006


First, let me say that the decision for a 1 hour IKE lifetime was made
for convenience more than anything else.  

The 8 hour IPsec lifetime came from the specification, true.
KLIPS supports byte and packet based expiry, but pluto never actually
uses those.  (We have KLIPS test cases for it even...) 

In general, you want to rekey your IPsec SAs when they get
"chewed" up. (1Gb is considered enough data for a ~128bit key. I don't
know the math behind that)

Second, *swan doesn't care about lifetimes. IKEv2 acknowledges what
Henry and DHR observed --- a peer that wants a shorter lifetime than the
peer can just rekey earlier. In IKEv2, lifetimes are just notifications.

pluto will accept any lifetime the other end proposes.
Other vendors aren't so clueful.  You should file bugs with the vendors
on this topic. It's a serious interoperability issue, and you can point
out that RFC4306 makes it clear that IKEv1 got this wrong.

>>>>> "Tuomo" == Tuomo Soini <tis at foobar.fi> writes:
    Tuomo> Another issue is short IKE SA lifetime. It seems to be common
    Tuomo> interoperability issue that responder has shorter IKE
    Tuomo> lifetime than initiator.

  Many systems do this so that the initiator will remain the initiator.

    Tuomo> I attach patch to address that for known windows
    Tuomo> connections. Same patch removes things for type=transport and
    Tuomo> rightsubnet which should be fixed for 2.4.5 so it can be
    Tuomo> defined.

  Your patches to the examples seem sane.
  Are you using git yet? (git-format-patch output against our #public
would be great)

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

