
Re: draft-ietf-ipsec-ikev2-04.txt





>>>>> "Bill" == Bill Sommerfeld <sommerfeld@xxxxxxxxxxxx> writes:
    >> Strongly agree. Get rid of lifetime info. Just rekey when you feel
    >> you should.

    Bill> strongly disagree.

    Bill> absent an expiration time, it's difficult to know when it's safe to
    Bill> nuke inbound security associations from an unreachable and
    Bill> unresponsive peer.

  Well, if they are unreachable, and unresponsive (i.e. they refuse to
rekey), then, when you have made the decision that they are unresponsive, you
should nuke them. The only problem with doing it too soon is that we have no
recovery mechanism, such as a birth certificate.

  This is particularly easy if you can set idle timers on your incoming SAs.
  
  Bill, I have been working on a birth certificate mechanism, such as you
described some time ago. I got about halfway done last summer, and it has
risen to close to the top of my stack again.

  Do you think that there is time to get a standard notify for boot count into IKEv2?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


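An added illustration of the idle-timer approach the reply mentions (example code written for this archive page, not from the thread or from any IKE implementation): inbound SAs carry no negotiated lifetime; an SA that has gone idle is probed once, deleted only if the peer then stays silent, and a later packet from a peer whose SA was already reaped is dropped, which is the no-recovery problem the reply points at. SPIs, timings and the probe bookkeeping are constructed assumptions.

```python
"""Idle-timer reaping of inbound IPsec SAs without negotiated lifetimes.

Constructed example: SPIs, timeouts and the probe flag are assumptions; a real
implementation would drive the probe from an IKE liveness or rekey exchange.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InboundSA:
    spi: int
    peer: str
    last_inbound: float                 # last time a packet arrived on this SPI
    probe_sent: Optional[float] = None  # when we asked the peer to prove liveness


def on_inbound_packet(sad: Dict[int, InboundSA], spi: int, now: float) -> bool:
    """Refresh the idle timer. Returns False if the SPI is unknown (packet dropped)."""
    sa = sad.get(spi)
    if sa is None:
        return False          # SA already reaped: no recovery without a birth certificate
    sa.last_inbound = now
    sa.probe_sent = None      # real traffic proves liveness, cancel any outstanding probe
    return True


def reap_idle_sas(sad: Dict[int, InboundSA], now: float, idle_timeout: float,
                  probe_timeout: float) -> Tuple[List[int], List[int]]:
    """One timer tick. Returns (spis_probed_now, spis_deleted_now).

    Policy: an SA idle for idle_timeout gets a single liveness probe; if the
    peer is still silent probe_timeout later, the inbound SA is deleted."""
    probed, deleted = [], []
    for spi, sa in list(sad.items()):
        if now - sa.last_inbound < idle_timeout:
            continue                        # traffic flowing, nothing to do
        if sa.probe_sent is None:
            sa.probe_sent = now
            probed.append(spi)
        elif now - sa.probe_sent >= probe_timeout:
            del sad[spi]                    # peer unreachable and unresponsive
            deleted.append(spi)
    return probed, deleted


def simulate() -> Dict[str, object]:
    """Constructed scenario: peer A sends every 10 s, peer B goes silent at t=0."""
    sad = {0x1001: InboundSA(0x1001, "A", 0.0), 0x2002: InboundSA(0x2002, "B", 0.0)}
    log = []
    for t in range(0, 61, 5):
        if t % 10 == 0:
            on_inbound_packet(sad, 0x1001, float(t))
        log.append((t,) + reap_idle_sas(sad, float(t), 30.0, 10.0))
    late_b = on_inbound_packet(sad, 0x2002, 61.0)   # B wakes up too late
    return {"remaining": sorted(sad), "late_b_accepted": late_b, "log": log}
```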