[Openswan Users] Key lifetimes (fwd)

Paul Wouters paul at xelerance.com
Mon Oct 23 12:00:26 EDT 2006


On Mon, 23 Oct 2006, Michael Richardson wrote:

>     Mike> One quick follow up question, you stated "BTW: there are no
>     Mike> "maximums", just recommendations."  The man page for
>     Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
>     Mike> hours and the max IKE lifetime is 8 hours, are these values
>     Mike> incorrect?
>
>   Those are recommendations based upon good crypto-hygiene. There is
> nothing that I recall that prevents a longer number from being
> used.

ietf_constants.h defines it as:

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */

those are defined again in pluto_constants.h:

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */

I guess those defines need to get moved to a proper single place.

/spdb_struct.c uses:

    case OAKLEY_LIFE_SECONDS:
        if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
            ugh = builddiag("peer requested %lu seconds"
                " which exceeds our limit %d seconds"
                , (long) val
                , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
        ta.life_seconds = val;

Pluto also has some checks when reading in the configuration file.

    check_life_time (msg.sa_ike_life_seconds, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
        , "ikelifetime", &msg);

    check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
        , "ipseclifetime", &msg);

So it does seem that the man page is right, and that Openswan defines these
maximums for crypto-hygiene, though the protocol itself does not. If the local
policy is outside the range, the connection will fail to load with an error.
If the remote's policy is outside the range, we set it to the maximum we allow.

Paul
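As an added illustration of the two behaviours described in this message (reject an out-of-range local policy, clamp an over-long peer proposal), the following C sketch is not code from Openswan or from this thread; the helper names are hypothetical, and the IPsec SA maximum is assumed to be 24 hours, the figure the man page gives.

```c
#include <stdbool.h>
#include <stdio.h>

/* Lifetime limits in seconds, as quoted from Openswan's ietf_constants.h above. */
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600   /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400  /* 1 day */
/* Assumed: the IPsec SA maximum is 24 hours, the value the man page states. */
#define SA_LIFE_DURATION_MAXIMUM 86400

/* Local policy (ikelifetime= / ipseclifetime= in ipsec.conf): a value above the
 * maximum is a configuration error, so the connection must not load.
 * Returns true when the value is acceptable. Hypothetical helper, not Pluto's own. */
bool lifetime_policy_ok(unsigned long requested, unsigned long maximum, const char *name)
{
    if (requested > maximum) {
        fprintf(stderr, "%s=%lu exceeds the maximum of %lu seconds; connection not loaded\n",
                name, requested, maximum);
        return false;
    }
    return true;
}

/* Peer proposal during negotiation: rather than failing the exchange, reduce an
 * over-long lifetime to our own maximum and report the reduction. Hypothetical helper. */
unsigned long lifetime_from_peer(unsigned long proposed, unsigned long maximum)
{
    if (proposed > maximum) {
        fprintf(stderr, "peer requested %lu seconds which exceeds our limit %lu seconds\n",
                proposed, maximum);
        return maximum;
    }
    return proposed;
}

int main(void)
{
    /* Constructed sample values: an 8 h IKE lifetime passes, a 48 h IPsec lifetime is rejected. */
    bool eight_hours = lifetime_policy_ok(8 * 3600, OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM, "ikelifetime");
    bool two_days = lifetime_policy_ok(48 * 3600, SA_LIFE_DURATION_MAXIMUM, "ipseclifetime");
    /* A peer asking for a week of IPsec SA lifetime is held to our 24 h limit. */
    unsigned long agreed = lifetime_from_peer(7 * 86400, SA_LIFE_DURATION_MAXIMUM);
    printf("8h ok=%d, 48h ok=%d, agreed=%lu\n", eight_hours, two_days, agreed);
    return 0;
}
```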

