[Openswan Users] Key lifetimes (fwd)

Michael Richardson mcr at xelerance.com
Mon Oct 23 11:40:03 EDT 2006



>>>>> "Mike" == Mike Horn <lists at caddisconsulting.com> writes:
    Mike> Thanks for the explanation, in my experience when an IKE rekey
    Mike> fails you usually also have a problem with IPsec SA's, but
    Mike> since these lifetimes are configurable, users can configure
    Mike> these with values that they think are appropriate.

    Mike> One quick follow up question, you stated "BTW: there are no
    Mike> "maximums", just recommendations."  The man page for
    Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
    Mike> hours and the max IKE lifetime is 8 hours, are these values
    Mike> incorrect?

  Those are recommendations based upon good crypto-hygiene. There is
nothing that I recall that prevents a longer number from being
used.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

