>> But the key
>> question is what the other implementations do, and what the standard says.
> I've just tried OpenBSD's isakmpd (the oldish version in pkgsrc).
> It initiates a Phase 2 exchange if the soft timeout on its
> side expires, even if it was responder initially. (It randomizes
> the soft timeouts to minimize the chance that both sides start
> the exchange simultaneously.)
> RFC 2409 says that both sides can initiate rekeying. "Can" --
> this is not much of a guideline for implementors.
True, but it seems the original responder initiating a renegotiation is
the only reasonable behavior.
>> I can see the argument that especially with a 24h or less
>> lifetime, AES doesn't need volume-based rekeying.
> OK, I was more concerned about interoperability. What if
> the other side insists on some volume limit?
Then I think it's in the proposal, and agreed to or not. But if the
other side just asks to renew the Phase 2 SA, I think that works,
standards-wise, and might actually work.
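The rekeying behaviour discussed in this thread, as an added worked example that is not part of the original posts and is not isakmpd's or any other implementation's code: each peer keeps the agreed hard lifetime (time and/or volume), draws its own randomized soft lifetime below it, and whichever end reaches its soft limit first, original initiator or original responder, starts the new Phase 2 exchange. The negotiation rule (keep the stricter of each limit type, so a volume limit carried by only one side stays in force), the 75-90% jitter window and the one-second simulation step are assumptions chosen for the illustration, not something RFC 2409 prescribes.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Lifetime:
    """Phase 2 SA lifetime limits; None means no limit of that kind."""
    seconds: Optional[int] = None
    kbytes: Optional[int] = None


def _stricter(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Stricter of two optional limits; an absent limit never relaxes the other."""
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b)


def negotiate_lifetime(proposed: Lifetime, local_policy: Lifetime) -> Lifetime:
    """Assumed negotiation rule: keep the stricter of each limit type, so a
    volume limit that only one side carries stays part of the agreement."""
    return Lifetime(seconds=_stricter(proposed.seconds, local_policy.seconds),
                    kbytes=_stricter(proposed.kbytes, local_policy.kbytes))


@dataclass
class ChildSA:
    """One peer's view of a Phase 2 SA: hard limits from the agreement, and
    the soft limits at which this peer starts a new Phase 2 exchange itself."""
    name: str
    hard: Lifetime
    soft: Lifetime
    established_at: int
    bytes_sent: int = 0

    @classmethod
    def establish(cls, name: str, agreed: Lifetime, now: int, rng: random.Random,
                  soft_low: float = 0.75, soft_high: float = 0.9) -> "ChildSA":
        # Soft limits are a random fraction of the hard limits, drawn
        # independently on each peer, so the two ends rarely start
        # rekeying in the same second (the randomization described above).
        f = rng.uniform(soft_low, soft_high)

        def scale(v: Optional[int]) -> Optional[int]:
            return None if v is None else int(v * f)

        soft = Lifetime(seconds=scale(agreed.seconds), kbytes=scale(agreed.kbytes))
        return cls(name=name, hard=agreed, soft=soft, established_at=now)

    def _reached(self, limit: Lifetime, now: int) -> Optional[str]:
        """Which limit has been reached: "time", "volume", or None."""
        if limit.seconds is not None and now - self.established_at >= limit.seconds:
            return "time"
        if limit.kbytes is not None and self.bytes_sent >= limit.kbytes * 1024:
            return "volume"
        return None

    def rekey_reason(self, now: int) -> Optional[str]:
        """Either end, original initiator or responder, initiates a new
        Phase 2 exchange once its own soft limit is reached."""
        return self._reached(self.soft, now)

    def expired(self, now: int) -> bool:
        """Hard limit reached: the SA must go away whether or not it was rekeyed."""
        return self._reached(self.hard, now) is not None


def simulate(agreed: Lifetime, bytes_per_second: int, seed: int = 1,
             soft_low: float = 0.75, soft_high: float = 0.9
             ) -> Tuple[Tuple[str, ...], int, str]:
    """Run both peers from the same agreed lifetime, one second per step.
    Returns (names of peers that initiated, second, reason); two names means
    both sides started rekeying simultaneously."""
    if agreed.seconds is None and (agreed.kbytes is None or bytes_per_second == 0):
        raise ValueError("no reachable limit; simulation would never end")
    rng = random.Random(seed)
    peers = [ChildSA.establish("A", agreed, 0, rng, soft_low, soft_high),
             ChildSA.establish("B", agreed, 0, rng, soft_low, soft_high)]
    t = 0
    while True:
        for p in peers:
            p.bytes_sent = bytes_per_second * t  # constructed traffic profile
        if any(p.expired(t) for p in peers):
            return (), t, "expired"  # hard limit hit before any soft limit
        ready = [(p.name, r) for p in peers for r in [p.rekey_reason(t)] if r]
        if ready:
            return tuple(n for n, _ in ready), t, ready[0][1]
        t += 1


def collision_rate(agreed: Lifetime, trials: int = 50,
                   soft_low: float = 0.75, soft_high: float = 0.9) -> float:
    """Fraction of trials in which both peers pick the same rekey second."""
    hits = sum(len(simulate(agreed, 0, seed, soft_low, soft_high)[0]) == 2
               for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    agreed = negotiate_lifetime(Lifetime(seconds=86400),
                                Lifetime(seconds=3600, kbytes=100000))
    print("agreed:", agreed)
    print("time-bound:", simulate(Lifetime(seconds=3600), 0))
    print("volume-bound:", simulate(agreed, 1_000_000))
    print("collisions with jitter:", collision_rate(Lifetime(seconds=600)))
    print("collisions without jitter:",
          collision_rate(Lifetime(seconds=600), 5, 0.8, 0.8))
```

With `soft_low == soft_high` both peers compute the same soft limit and always collide, which is the failure mode the jitter is there to avoid; with the window enabled the collision rate over a 600-second hard lifetime drops to about one in ninety. The volume case shows that with a busy link the kilobyte limit trips long before the 24-hour time limit, so a peer that insists on a volume limit will be the one issuing the rekey.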