[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec SA DELETE in "dangling" implementation



On Thu, 02 Dec 1999 12:07:23 EST you wrote
> However, the SA lifetime is not negotiated in the same way, even though it
> is a legitimate aspect of that policy. If I set my SA lifetime to 5
> minutes/100 kb and you set yours to forever (or some other large value) then
> you are violating my security policy, even if you are not doing it
> maliciously. As I said, I trust you not to be malicious, which is why I
> don't think you would ignore the delete if you were able to understand it.

Aside from programmer laziness why would someone not respect the negotiated 
lifetime (if the offer is less than the configured lifetime) and use the 
responder-lifetime notify (if the offer was more)? Is this the reason for the 
rekeying problems that people have? Granted support for the responder-lifetime
notify is optional but it's much easier to implement that The Rekeying Draft!

If people are worried about being nice net citizens then use the responder-
lifetime notify. It's very nice.

  Dan.