RE: I-D ACTION:draft-ietf-ipsec-ike-lifetime-00.txt

"Mason, David" <David_Mason@nai.com> Fri, 27 July 2001 17:05 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6RH5xs26355; Fri, 27 Jul 2001 10:05:59 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA13799 Fri, 27 Jul 2001 12:17:04 -0400 (EDT)
Message-ID: <8894CA1F87A5D411BD24009027EE7838128218@ROC-76-204.nai.com>
From: "Mason, David" <David_Mason@nai.com>
To: 'Scott Fanning' <sfanning@cisco.com>, Michael Thomas <mat@cisco.com>
Cc: ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-ike-lifetime-00.txt
Date: Fri, 27 Jul 2001 09:21:51 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> One of my motivations of this draft was to "gently" push for a son-of-ike. I
> would love to see the ACK'd notify messages in Son-of-ike or maybe
> recognition that this is a stateful protocol that either requires connection
> based transport, or better defined robustness in the draft. I still think
> that, until that day comes, this is still a useful proposal. Maybe this
> could be in the son-of-ike as well.

Hopefully son-of-ike will incorporate draft-ietf-ipsec-ike-hash-revised-02.txt,
in which case phase 1 responder lifetimes can be protected within the phase 1
exchange.  Although this info would then be exposed in Aggressive Mode (or the
AM replacement if there is one in son-of-ike), it will at least be protected
from modification under the revised hash.

I have seen many implementations that already send IKE responder lifetimes.
In RFC2407 when it mentioned using the cookies for the SPI that's what I
thought it was referring to (IKE not IPsec responder-lifetime).

In the spirit of "be strict in what you send and forgiving in what you'll
accept", it should be noted that the receiver of IKE responder lifetimes
SHOULD accept a Notify DOI field of IPSEC (1) as well as IKE (0).

-dave
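As an added example (not code from this thread or from any implementation it mentions), a receiver-side check in Python for the point in the last paragraph: a RESPONDER-LIFETIME Notify (type 24576) is accepted whether its DOI field is 0 (IKE) or 1 (IPSEC). The payload layout follows RFC 2408 and RFC 2407; the test payload is constructed, and the attribute numbers inside it are sample values whose meaning is not interpreted.

```python
import struct

# RFC 2408 (ISAKMP) / RFC 2407 (IPsec DOI): DOI 0 is the IKE/ISAKMP DOI, 1 is IPsec.
DOI_IKE = 0
DOI_IPSEC = 1
NOTIFY_RESPONDER_LIFETIME = 24576
# Generic payload header (Next, RESERVED, Length) + Notify fixed fields
# (DOI, Protocol-ID, SPI Size, Notify Message Type).
NOTIFY_HDR = struct.Struct("!BBHIBBH")

def parse_notify(payload: bytes) -> dict:
    """Parse one ISAKMP Notification payload into its fields."""
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("truncated Notification payload")
    next_p, _res, length, doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length > len(payload) or length < NOTIFY_HDR.size + spi_size:
        raise ValueError("Payload Length does not fit the buffer")
    spi_end = NOTIFY_HDR.size + spi_size
    return {"next": next_p, "doi": doi, "proto": proto, "type": ntype,
            "spi": payload[NOTIFY_HDR.size:spi_end], "data": payload[spi_end:length]}

def parse_attributes(data: bytes) -> dict:
    """Decode the ISAKMP Data Attribute list (TV or TLV form) in the Notification
    Data; attribute numbers are returned as-is since their meaning is DOI-specific."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                     # AF=1: basic (TV) attribute
            attrs[atype], off = val, off + 4
        else:                                    # AF=0: TLV, val is the length
            if off + 4 + val > len(data):
                raise ValueError("truncated variable-length attribute")
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def responder_lifetime(payload: bytes):
    """Return the lifetime attributes if this is a RESPONDER-LIFETIME notify,
    accepting DOI 1 (IPSEC) as well as DOI 0 (IKE); otherwise return None."""
    n = parse_notify(payload)
    if n["type"] != NOTIFY_RESPONDER_LIFETIME or n["doi"] not in (DOI_IKE, DOI_IPSEC):
        return None
    return parse_attributes(n["data"])

def build_notify(doi: int, ntype: int, spi: bytes = b"", data: bytes = b"") -> bytes:
    """Encode a Notification payload; used here only to build constructed test input."""
    length = NOTIFY_HDR.size + len(spi) + len(data)
    return NOTIFY_HDR.pack(0, 0, length, doi, 1, len(spi), ntype) + spi + data
```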