RE: IKE lifetime seconds

"Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com> Wed, 17 April 2002 22:47 UTC

Date: Wed, 17 Apr 2002 18:04:54 -0400
Message-ID: <000701c1e65b$e896e4a0$1e72788a@ca.alcatel.com>
From: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
Reply-To: andrew.krywaniuk@alcatel.com
To: 'James Comen' <jcomen@torrentnet.com>, <ipsec@lists.tislabs.com>
Subject: RE: IKE lifetime seconds
In-Reply-To: <3CBDD917.834B01DE@torrentnet.com>

Some implementations will automatically rekey the IKE SA and some won't.
This issue was never resolved in the RFCs, and it became known as the
"continuous channel mode" vs. "dangling sa" debate. The failure to
standardize this issue has led to a myriad of interoperability bugs.

There is some indication that the issue will be resolved in favour of
continuous channel mode. This is the recommendation of draft-spencer and it
was also proposed in draft-jenkins (an expired draft on rekeying). Also,
IKEv2 mandates continuous channel mode.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.

  -----Original Message-----
  From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of James Comen
  Sent: Wednesday, April 17, 2002 4:21 PM
  To: ipsec@lists.tislabs.com
  Subject: IKE lifetime seconds


  When the ike protection suite lifetime is reached (either in time or kb),
  the IKE sa is deleted.
  I've seen nothing that suggests that it should be automatically renegotiated
  like an ipsec SA.  I'm assuming that the IKE sa must be negotiated again
  via the receipt of a packet which requires ipsec protection.
  Is this correct, that there should be no automatic renegotiation of the IKE sa?
  Thanks
  Jim
--
Jim Comen                           jcomen@torrentnet.com
Ericsson IP Infrastructure          Voice (919) 472 - 9932
920 Main Campus Drive, Suite 544    Fax   (919) 472 - 9999
Raleigh, NC 27606