[Openswan Users] Key lifetimes (fwd)
Paul Wouters
paul at xelerance.com
Mon Oct 23 12:00:26 EDT 2006
On Mon, 23 Oct 2006, Michael Richardson wrote:
> Mike> One quick follow up question, you stated "BTW: there are no
> Mike> "maximums", just recommendations." The man page for
> Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
> Mike> hours and the max IKE lifetime is 8 hours, are these values
> Mike> incorrect?
>
> Those are recommendations based upon good crypto-hygiene. There is
> nothing that I recall that prevents a longer number from being
> used.
ietf_constants.h defines it as:
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600 /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* 1 day */
those are defined again in pluto_constants.h:
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600 /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* 1 day */
I guess those defines need to get moved to a proper single place.
/spdb_struct.c uses:
    case OAKLEY_LIFE_SECONDS:
        if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
            ugh = builddiag("peer requested %lu seconds"
                            " which exceeds our limit %d seconds"
                            , (long) val
                            , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
        ta.life_seconds = val;
Pluto also has some checks when reading in the configuration file.
    check_life_time(msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
                    , "ikelifetime", &msg);
    check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
                    , "ipseclifetime", &msg);
So it does seem that the man page is right, and that Openswan defines these
maximums for crypto-hygiene, though the protocol itself does not. If the local
policy is outside the range, the connection will fail to load with an error.
If the remote's policy is outside the range, we set it to the maximum we allow.
Paul
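As an added illustration of the two checks described in the message above (not Openswan's own code, and not part of the original post), the following C program models both behaviours: a locally configured lifetime above the maximum is a configuration error and the connection is refused, while a peer's proposed lifetime above the maximum is clamped and a diagnostic is recorded. The IKE SA constants are the values quoted from ietf_constants.h; the value of SA_LIFE_DURATION_MAXIMUM for IPsec SAs is not in the message and is assumed here to be one day. The function names check_life_time and accept_peer_life_seconds, the last_diag buffer and the sample lifetimes are constructed for this example.

```c
/* Added example, not Openswan code: models the lifetime checks described in
 * the message. IKE SA constants are the values quoted from ietf_constants.h;
 * SA_LIFE_DURATION_MAXIMUM is an assumption (one day) since the message does
 * not quote it. */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600   /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400  /* 1 day */
#define SA_LIFE_DURATION_MAXIMUM 86400           /* assumed: 1 day for IPsec SAs */

/* Last diagnostic produced by either check (constructed stand-in for Pluto's
 * builddiag()/loglog() plumbing); empty when the last check passed. */
char last_diag[160];

/* Local policy check, as done when the configuration is loaded: a configured
 * lifetime above the limit is an error, so the connection must not be loaded.
 * Returns true when the value is acceptable. */
bool check_life_time(unsigned long life, unsigned long limit, const char *which)
{
    if (life > limit) {
        snprintf(last_diag, sizeof last_diag,
                 "%s=%lu exceeds limit of %lu seconds; connection not loaded",
                 which, life, limit);
        return false;
    }
    last_diag[0] = '\0';
    return true;
}

/* Remote proposal check, as done on the peer's ISAKMP SA proposal: a value
 * above our maximum is clamped to the maximum and a diagnostic is kept,
 * mirroring the "peer requested ... which exceeds our limit" message.
 * Returns the lifetime actually accepted. */
unsigned long accept_peer_life_seconds(unsigned long val)
{
    last_diag[0] = '\0';
    if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM) {
        snprintf(last_diag, sizeof last_diag,
                 "peer requested %lu seconds which exceeds our limit %d seconds",
                 val, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
        return OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
    }
    return val;
}

int main(void)
{
    /* Constructed configuration values: one within range, one above it. */
    unsigned long ike_life = 28800;     /* 8 hours: accepted */
    unsigned long ipsec_life = 172800;  /* 2 days: rejected at load time */

    if (!check_life_time(ike_life, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM, "ikelifetime"))
        puts(last_diag);
    if (!check_life_time(ipsec_life, SA_LIFE_DURATION_MAXIMUM, "ipseclifetime"))
        puts(last_diag);

    /* Constructed peer proposal of one week: clamped to one day. */
    unsigned long got = accept_peer_life_seconds(604800);
    printf("accepted %lu seconds (%s)\n", got,
           last_diag[0] ? last_diag : "within limit");
    return 0;
}
```

The asymmetry is the point: the local side is the administrator's own policy and should fail loudly at load time, whereas a peer's out-of-range proposal is negotiable, so clamping it (and logging that this happened) keeps the tunnel up without exceeding the local maximum.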