[Openswan Users] Regarding the life time for IKE SA and IPsec SA

John A. Sullivan III jsullivan at opensourcedevel.com
Mon Jan 16 13:21:14 CET 2006


On Mon, 2006-01-16 at 19:09 +0100, Paul Wouters wrote:
> On Mon, 16 Jan 2006, Shi Lang wrote:
> 
> > Subject: [Openswan Users] Regarding the life time for IKE SA and IPsec SA
> >
> > Hi all,
> >
> > Regarding the life time for IKE SA and IPsec SA, in openswan the
> > default values seem to be:
> >
> > IKE sa: 1 hour
> > IPsec sa: 8 hours
> >
> > But when I refer to other documents, even Microsoft IPsec, the default
> > values are:
> >
> > IKE sa: 8 hours
> > IPsec sa: 1 hour
> >
> > Wondering who is right?
> 
> I think either is allowed by the RFC. Perhaps Michael or Hugh remember why these
> choices were made?
> 
> Paul
<snip>
I recall pointing this out to the FreeS/WAN development team years ago
and I believe they replied that their choice of defaults was purely
random, i.e., they needed to put in some values so those were the ones
they chose without much thought.

I would think an IKE SA shorter than the IPSec SA is a waste of CPU,
isn't it? The IKE SA is only used to communicate the new IPSec key, I
thought.  Thus, renegotiating it several times over the life of the
IPSec key would seem to be generating completely unused IKE SAs.  Of
course, I am really only an end user and have never read the RFCs but
that's how I thought it worked - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
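The trade-off John describes, as an added illustration that is not part of the thread: a deliberately simplified IKEv1 model (constructed here, not Openswan code) in which the IKE SA is renegotiated unconditionally on expiry, each IPsec rekey runs under whichever IKE SA is live, and rekey margins and on-demand IKE setup are ignored. Running it with the two sets of defaults quoted above counts how many IKE SAs expire without ever carrying a phase-2 negotiation.

```python
from dataclasses import dataclass

@dataclass
class Stats:
    ike_negotiated: int   # IKE SAs set up over the horizon (initial + rekeys)
    ike_used: int         # IKE SAs that carried at least one IPsec negotiation
    ipsec_rekeys: int     # IPsec SA rekeys performed

def simulate(ike_lifetime: int, ipsec_lifetime: int, horizon: int) -> Stats:
    """Walk a timeline (seconds, events strictly before `horizon`) and count
    IKE SAs that were negotiated but never used to rekey an IPsec SA.
    Assumption: an IKE rekey and an IPsec rekey falling on the same second
    are ordered IKE first, so the fresh IKE SA carries the IPsec rekey."""
    ike_rekeys = range(ike_lifetime, horizon, ike_lifetime)
    ipsec_rekeys = range(ipsec_lifetime, horizon, ipsec_lifetime)
    events = sorted([(t, "ike") for t in ike_rekeys]
                    + [(t, "ipsec") for t in ipsec_rekeys])
    current_ike = 0          # id of the live IKE SA; 0 is the initial one
    used = {0}               # the initial IKE SA sets up the first IPsec SA
    negotiated = 1
    for _t, kind in events:
        if kind == "ike":
            current_ike += 1  # old IKE SA expires, a new one is negotiated
            negotiated += 1
        else:
            used.add(current_ike)  # phase-2 rekey rides the live IKE SA
    return Stats(negotiated, len(used), len(ipsec_rekeys))

def unused_ike_sas(stats: Stats) -> int:
    """IKE SAs negotiated purely to be thrown away unused."""
    return stats.ike_negotiated - stats.ike_used

if __name__ == "__main__":
    DAY = 24 * 3600
    # Lifetimes quoted in the thread, expressed in seconds.
    for label, ike, ipsec in (("openswan defaults", 3600, 8 * 3600),
                              ("Microsoft defaults", 8 * 3600, 3600)):
        s = simulate(ike, ipsec, DAY)
        print(f"{label}: {s}, unused IKE SAs = {unused_ike_sas(s)}")
```

Over a day, the 1h/8h ordering negotiates 24 IKE SAs of which only 3 ever carry a phase-2 exchange, whereas the 8h/1h ordering negotiates 3 and uses all of them; the model says nothing about the other consideration in the trade-off, how long a single phase-1 key stays in service.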