

Re: why is SA lifetime kilobyte limit disabled in racoon?

by Greg Troxel


Matthias Drochner <M.Drochner@...> writes:

>> But the key
>> question is what the other implementations do, and what the standard says.
>
> I've just tried OpenBSD's isakmpd (the oldish version in pkgsrc).
> It initiates a Phase 2 exchange if the soft timeout on its
> side expires, even if it was responder initially. (It randomizes
> the soft timeouts to minimize the chance that both sides start
> the exchange simultaneously.)
> RFC 2409 says that both sides can initiate rekeying. "Can" --
> this is not much of a guideline for implementors.
True, but it seems the original responder initiating a renegotiation is
the only reasonable behavior.

>> I can see the argument that especially with a 24h or less
>> lifetime, AES doesn't need volume-based rekeying.
>
> OK, I was more concerned about interoperability. What if
> the other side insists on some volume limit?

Then I think it's in the proposal, and agreed to or not.  But if the
other side just asks to renew the Phase 2 SA, I think that works,
standards-wise, and might actually work.
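A toy model of the rekey behaviour discussed above (randomized soft timeouts, either end initiating once its own soft limit hits, and a volume limit that is only checked when one was negotiated at all). This is an added example, not racoon or isakmpd code; the class and function names are hypothetical and the 80%-95% jitter window and 90% soft-volume fraction are assumed values.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Phase2SA:
    """One Phase 2 (IPsec) SA as a peer tracks it; hypothetical model, not racoon or isakmpd code."""
    peer: str
    was_initiator: bool          # role in the exchange that created this SA
    hard_seconds: int            # lifetime negotiated in the proposal
    soft_seconds: float          # locally chosen, randomized rekey point
    hard_kbytes: Optional[int]   # None = no volume limit negotiated (racoon's behaviour in the thread)
    kbytes_seen: int = 0


def soft_lifetime(hard_seconds: int, seed: int, low: float = 0.8, high: float = 0.95) -> float:
    """Pick the soft timeout as a random fraction of the hard lifetime (assumed 80%-95%), as isakmpd
    is described doing, so two peers with equal hard lifetimes rarely rekey at the same instant."""
    return hard_seconds * random.Random(seed).uniform(low, high)


def should_initiate_rekey(sa: Phase2SA, now: float, soft_volume_fraction: float = 0.9) -> bool:
    """True when this peer should start a new Phase 2 exchange, whatever its original role.
    The volume check only applies when a kilobyte limit exists; with none, traffic alone never triggers."""
    if now >= sa.soft_seconds:
        return True
    if sa.hard_kbytes is not None and sa.kbytes_seen >= soft_volume_fraction * sa.hard_kbytes:
        return True
    return False


def first_to_rekey(hard_seconds: int, seed: int) -> Phase2SA:
    """Build both ends of one SA pair with independently randomized soft timeouts and return
    the end that will initiate rekeying first (which may well be the original responder)."""
    a = Phase2SA("A", True, hard_seconds, soft_lifetime(hard_seconds, seed), None)
    b = Phase2SA("B", False, hard_seconds, soft_lifetime(hard_seconds, seed + 1), None)
    return min((a, b), key=lambda s: s.soft_seconds)


if __name__ == "__main__":
    for seed in range(5):
        winner = first_to_rekey(86400, seed)   # 24h lifetime, as discussed in the thread
        role = "initiator" if winner.was_initiator else "responder"
        print(f"seed {seed}: peer {winner.peer} (original {role}) rekeys at {winner.soft_seconds:.0f}s")
```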