[Openswan Users] Regarding the life time for IKE SA and IPsecSA

Shi Lang shilang at greenpacket.com
Tue Jan 17 09:09:56 CET 2006


Hi all,

I found that:
Nowadays, the following have set the IKE SA lifetime = 8 hours and IPsec SA 1 hour by default.

1. Microsoft: Key management and protection (Updated: January 21, 2005)
2. novell: http://www.novell.com/coolsolutions/appnote/8027.html
3. Dell: http://www.vpnc.org/InteropProfiles/D-Link-NetDefend-client.pdf
4. Netcomm: http://www.netcomm.com.au/Support/Emulators/VPN100/HIPsec.htm
5. Cisco Pix v6.3.1

It seems like the default values are as of Industrial Standard

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IKE SA = 1 hour by default:

1. freeswan
2. openswan
3. strongswan

Regards,
 
Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
www.greenpacket.com 
Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com


-----Original Message-----
From: John A. Sullivan III [mailto:jsullivan at opensourcedevel.com] 
Sent: Tuesday, January 17, 2006 2:21 AM
To: Paul Wouters
Cc: Shi Lang; users at openswan.org
Subject: Re: [Openswan Users] Regarding the life time for IKE SA and IPsecSA

On Mon, 2006-01-16 at 19:09 +0100, Paul Wouters wrote:
> On Mon, 16 Jan 2006, Shi Lang wrote:
> 
> > Subject: [Openswan Users] Regarding the life time for IKE SA and IPsec SA
> >
> > Hi all,
> >
> > Regarding the life time for IKE SA and IPsec SA, openswan seems that the
> > default values are:
> >
> > IKE sa: 1 hour
> > IPsec sa: 8 hour
> >
> > But when I refer to other document, even like Microsoft ipsec, the default
> > values are:
> >
> > IKE sa: 8 hour
> > IPsec sa: 1 hour
> >
> > Wondering who is right?
> 
> I think either is allowed by the RFC. Perhaps Michael or Hugh remember why these
> choices were made?
> 
> Paul
<snip>
I recall pointing this out to the FreeS/WAN development team years ago
and I believe they replied that their choice of defaults was purely
random, i.e., they needed to put in some values so those were the ones
they chose without much thought.

I would think an IKE SA shorter than the IPSec SA is a waste of CPU,
isn't it? The IKE SA is only used to communicate the new IPSec key, I
thought.  Thus, renegotiating it several times over the life of the
IPSec key would seem to be generating completely unused IKE SAs.  Of
course, I am really only an end user and have never read the RFCs but
that's how I thought it worked - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
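As an added illustration of the cost argument in John's reply (this is not part of the thread and not openswan code): a small Python model that schedules phase 1 (IKE) and phase 2 (IPsec) rekeys the way openswan's ipsec.conf parameters ikelifetime, keylife and rekeymargin describe them, and counts how many IKE SAs are negotiated but never carry a single IPsec rekey. It assumes, as a simplification, that each SA is replaced exactly rekeymargin before it expires (no rekeyfuzz), that every IPsec rekey is a quick-mode exchange run under whichever IKE SA is live at that moment, and that the initiator keeps its IKE SA up for the whole period; the time values are sample inputs constructed for the example.

```python
"""Simplified IKEv1 rekey-schedule model (added example, not openswan's scheduler).

An IPsec (phase 2) rekey is a quick-mode exchange that needs a live IKE
(phase 1) SA.  With ikelifetime shorter than keylife, many IKE SAs come and
go between two IPsec rekeys without ever being used for one; with the values
swapped, every IKE SA carries several quick modes before it is replaced.
"""
from dataclasses import dataclass, field

H = 3600  # seconds per hour; all lifetimes below are given in seconds


@dataclass
class RekeyStats:
    ike_sas: int                # phase 1 SAs negotiated, including the first
    ipsec_rekeys: int           # quick-mode rekeys performed after setup
    unused_ike_sas: int         # replaced IKE SAs that carried no IPsec rekey
    timeline: list = field(default_factory=list)  # (seconds, event) pairs


def simulate(ikelifetime, keylife, rekeymargin, horizon):
    """Run one connection for `horizon` seconds and return RekeyStats.

    ikelifetime, keylife, rekeymargin: seconds, named after the ipsec.conf
    keys they stand for.  Both SAs are established at t=0 and each is
    replaced (lifetime - rekeymargin) after its own establishment, with no
    rekeyfuzz (simplifying assumption).  The initial quick mode at t=0 is
    setup, not a rekey, so it is not counted.
    """
    if rekeymargin >= min(ikelifetime, keylife):
        raise ValueError("rekeymargin must be smaller than both lifetimes")
    ike_interval = ikelifetime - rekeymargin
    ipsec_interval = keylife - rekeymargin

    timeline = [(0, "IKE SA #1 established"), (0, "IPsec SA #1 established")]
    ike_sas, ipsec_rekeys, unused = 1, 0, 0
    rekeys_under_current_ike = 0    # quick modes carried by the live IKE SA
    next_ike, next_ipsec = ike_interval, ipsec_interval

    while min(next_ike, next_ipsec) <= horizon:
        if next_ipsec <= next_ike:
            # Quick mode under the IKE SA that is live right now.
            ipsec_rekeys += 1
            rekeys_under_current_ike += 1
            timeline.append((next_ipsec, f"IPsec rekey #{ipsec_rekeys}"))
            next_ipsec += ipsec_interval
        else:
            # Replace the IKE SA; note whether the old one did any work.
            if rekeys_under_current_ike == 0:
                unused += 1
            ike_sas += 1
            rekeys_under_current_ike = 0
            timeline.append((next_ike, f"IKE SA #{ike_sas} established"))
            next_ike += ike_interval

    return RekeyStats(ike_sas, ipsec_rekeys, unused, timeline)


def compare_defaults(horizon=24 * H, rekeymargin=9 * 60):
    """Openswan-style defaults (IKE 1h / IPsec 8h) next to the swapped pair."""
    return {
        "ike1h_ipsec8h": simulate(1 * H, 8 * H, rekeymargin, horizon),
        "ike8h_ipsec1h": simulate(8 * H, 1 * H, rekeymargin, horizon),
    }


if __name__ == "__main__":
    for name, stats in compare_defaults().items():
        print(f"{name}: {stats.ike_sas} IKE SAs, {stats.ipsec_rekeys} IPsec "
              f"rekeys, {stats.unused_ike_sas} IKE SAs never used for a rekey")
```

Over a 24 hour horizon with a 9 minute rekeymargin, the 1h/8h pair negotiates 29 IKE SAs to perform 3 IPsec rekeys, and 25 of the replaced IKE SAs never carried a quick mode; the 8h/1h pair negotiates 4 IKE SAs for 28 IPsec rekeys and none sits idle. Either schedule is within what the RFC allows, as Paul notes; the model only makes the CPU cost of the first choice visible, and an administrator who wants the other ordering changes ikelifetime= and keylife= in the conn section of ipsec.conf.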
