[Openswan Users] Key lifetimes (fwd)

Mike Horn lists at caddisconsulting.com
Mon Oct 23 15:12:14 EDT 2006


Hi Paul,

I think we might be talking past one another.  You state:  

"So it does seem that the man page is right, and that Openswan defines these
maximums for crypto-hygiene, though the protocol itself does not."

However, the current man page for ipsec.conf defines the max ikelifetime to
be 8hrs which is incorrect.  The man page should be updated stating that the
max ikelifetime is 24hrs.  Thanks!

-mike

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Monday, October 23, 2006 10:00 AM
To: Michael Richardson
Cc: Mike Horn; users at openswan.org
Subject: Re: [Openswan Users] Key lifetimes (fwd)

On Mon, 23 Oct 2006, Michael Richardson wrote:

>     Mike> One quick follow up question, you stated "BTW: there are no
>     Mike> "maximums", just recommendations."  The man page for
>     Mike> ipsec.conf states that the max for IPsec SA lifetimes is 24
>     Mike> hours and the max IKE lifetime is 8 hours, are these values
>     Mike> incorrect?
>
>   Those are recommendations based upon good crypto-hygiene. There is 
> nothing that I recall that that prevents a longer number from being 
> used.

ietf_constants.h defines it as:

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */

those are defined again in pluto_constants.h:

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600    /* one hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400   /* 1 day */

I guess those defines need to get moved to a proper single place.

/spdb_struct.c uses:

                        case OAKLEY_LIFE_SECONDS:
                            if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
                                ugh = builddiag("peer requested %lu seconds"
                                    " which exceeds our limit %d seconds"
                                    , (long) val
                                    , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
                            ta.life_seconds = val;

Pluto also has some checks when reading in the configuration file.

    check_life_time (msg.sa_ike_life_seconds,
OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM
        , "ikelifetime", &msg);

    check_life_time(msg.sa_ipsec_life_seconds, SA_LIFE_DURATION_MAXIMUM
        , "ipseclifetime", &msg);

So it does seem that the man page is right, and that Openswan defines these
maximums for crypto-hygiene, though the protocol itself does not. If the
local policy is outside the range, the connection will fail to load with an
error.
If the remote;s policy is outsize the range, we set it to the maximum we
allow.

Paul





More information about the Users mailing list