[Openswan Users] Key lifetimes

Mike Horn lists at caddisconsulting.com
Fri Oct 20 12:16:16 EDT 2006


Hi,

I wanted to get a quick clarification on the key lifetimes in Openswan.
From man ipsec.conf I see:

keylife = IPsec SA lifetime with 8hr default and max 24hr
ikelifetime = IKE SA lifetime with 1hr default and max 8hr

My confusion is why the default lifetime for the IKE SA is shorter than the
IPsec SA (and why the max is shorter too).  Since the IKE SA is just used to
encrypt the data for establishing the IPsec SA and not to encrypt the actual
user data, with these defaults IKE will unnecessarily rekey multiple times
before a new IPsec SA negotiation is set to occur.

In my experience most people will set a longer IKE lifetime (say 4 hrs) and
a shorter ESP lifetime (say 1 hr), but the Openswan defaults seem to be the
opposite.  The logic behind this is that if someone manages to determine
your ESP SA key they will be able to decrypt the data for that time window.
Some VPNs I worked on set the ESP lifetime to as short as 10 minutes for
this reason.  If someone compromises your IKE SA they won't be able to
decrypt user data, but they could try to spoof a connection to get an ESP SA.

Am I missing something?  Is there any reason that I shouldn't have a shorter
ESP lifetime?

-mike
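An added example, not from the post or from the Openswan project: a small Python check that reads the keylife and ikelifetime values of an ipsec.conf conn section, fills in the defaults and maxima quoted above, and flags the situation Mike describes (the IKE SA rekeying several times within one IPsec SA lifetime). The time-value syntax accepted here (integer seconds, or a number with an s/m/h/d suffix) and the sample conn sections are assumptions.

```python
import re

# Documented (default, maximum) in seconds, as quoted from ipsec.conf(5) in the post.
LIMITS = {"keylife": (8 * 3600, 24 * 3600), "ikelifetime": (3600, 8 * 3600)}

# Assumed time syntax: plain seconds, or a number with s/m/h/d suffix.
_TIME = re.compile(r"^(\d+(?:\.\d+)?)([smhd]?)$")
_MULT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Convert an ipsec.conf time value ("3600", "90m", "1.5h", "1d") to seconds."""
    m = _TIME.match(value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(float(m.group(1)) * _MULT[m.group(2)])

def lifetimes(conn_text):
    """Return effective (ikelifetime, keylife) in seconds for one conn section,
    using the documented defaults for keys that are not set."""
    found = {}
    for line in conn_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() in LIMITS:
            found[key.strip()] = parse_time(val)
    return tuple(found.get(k, LIMITS[k][0]) for k in ("ikelifetime", "keylife"))

def check(conn_text):
    """List findings: values above the documented maximum, and an IKE lifetime
    shorter than the IPsec lifetime (the rekey pattern the post questions)."""
    ike, esp = lifetimes(conn_text)
    findings = []
    if ike > LIMITS["ikelifetime"][1]:
        findings.append("ikelifetime exceeds documented maximum of 8h")
    if esp > LIMITS["keylife"][1]:
        findings.append("keylife exceeds documented maximum of 24h")
    if ike < esp:
        findings.append(f"IKE SA rekeys about {esp // ike} times per IPsec SA lifetime")
    return findings

# Constructed samples: one conn relying on the defaults, one set the way the
# post suggests (longer IKE lifetime, shorter ESP lifetime).
DEFAULT_CONN = "conn site\n    left=%defaultroute\n    auto=start\n"
TUNED_CONN = "conn site\n    ikelifetime=4h\n    keylife=1h   # short ESP lifetime\n    auto=start\n"
```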
