Paul Wouters <p...@nohats.ca> wrote:
    >> Yes, that would be an obvious place to look for CHILD SA lifetimes.
    >> I didn't think to look in 4301 for requirements on IKEv2.
    >>
    >> What about PARENT SA lifetimes?   :-)

    > Those are not negotiated, so if any side cares they can re-authenticate
    > the parent SA?

The fact that they aren't negotiated doesn't change the fact that there is a
lifetime. That it isn't negotiated is good: the lifetime of the two
certificates and CRLs could be very different.
Upon PARENT SA re-authentication, one will find out if the certificate is
still valid, and run all of the CRL checks.

So, if one limits the PARENT SA's lifetime to the CRL lifetime (which ought
to be less than the certificate's lifetime), then one will do all the
checking at the right time.

Tero's point, however, is that you don't actually have to do all of that
rekeying.  You can simply look at the CRL, and if it turns out the key is
bad, you kill the SA, regardless of the PARENT SA lifetime.


--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-



Attachment: signature.asc
Description: PGP signature

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
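The two positions in the message above (bound the PARENT SA lifetime by the CRL's nextUpdate and the certificate's notAfter so re-authentication lands when the checks are due, versus Tero's shortcut of checking a freshly fetched CRL immediately and deleting the SA if the peer is revoked) modelled as a small scheduler. This is an added example, not code from the thread or from any IKE implementation: it uses only the Python standard library, the "certificate" and "CRL" are constructed dataclasses rather than parsed X.509 objects, and the issuer name, serial numbers, dates and the strict "stale CRL rejects the peer" policy are all made-up inputs chosen for illustration.

```python
"""Model of an IKE SA (PARENT SA) re-authentication deadline bounded by the
peer certificate's validity and the CRL's nextUpdate, plus early teardown on
CRL refresh.  Added example; stdlib only, constructed inputs, not a parser."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class PeerCert:                  # stand-in for the peer's end-entity certificate
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:                       # stand-in for the issuer's CRL
    issuer: str
    this_update: datetime
    next_update: datetime        # the CRL's own "lifetime" ends here
    revoked: FrozenSet[int]      # serial numbers listed as revoked


@dataclass
class IkeSa:
    peer: PeerCert
    established: datetime
    reauth_at: datetime
    state: str = "ESTABLISHED"
    delete_reason: Optional[str] = None


def check_peer(now: datetime, cert: PeerCert, crl: Crl) -> Optional[str]:
    """The checks re-authentication would run against the peer's certificate.
    Returns the reason the peer must be rejected, or None if it is acceptable."""
    if crl.issuer != cert.issuer:
        return "CRL issuer does not match certificate issuer"
    if not (cert.not_before <= now < cert.not_after):
        return "certificate not valid at this time"
    if crl.next_update <= now:
        # Assumed strict policy: a CRL past nextUpdate is not trusted.
        return "CRL is stale (nextUpdate has passed)"
    if cert.serial in crl.revoked:
        return "certificate revoked"
    return None


def reauth_deadline(established: datetime, cert: PeerCert, crl: Crl,
                    policy_lifetime: timedelta) -> datetime:
    """Earliest of: configured IKE SA lifetime, CRL nextUpdate, cert notAfter.
    Bounding by nextUpdate is the message's suggestion; bounding by notAfter
    covers the case where the CRL (wrongly) outlives the certificate."""
    return min(established + policy_lifetime, crl.next_update, cert.not_after)


def establish(now: datetime, cert: PeerCert, crl: Crl,
              policy_lifetime: timedelta) -> IkeSa:
    """IKE_AUTH time: run the full checks, then schedule re-authentication."""
    reason = check_peer(now, cert, crl)
    if reason is not None:
        raise ValueError(f"IKE_AUTH rejected: {reason}")
    return IkeSa(cert, now, reauth_deadline(now, cert, crl, policy_lifetime))


def on_crl_refresh(now: datetime, sa: IkeSa, new_crl: Crl,
                   policy_lifetime: timedelta) -> IkeSa:
    """Tero's shortcut: a fresh CRL is checked the moment it arrives.  If the
    peer is now revoked the SA is deleted without waiting for reauth_at;
    otherwise the deadline is recomputed from the new nextUpdate."""
    if sa.state != "ESTABLISHED":
        return sa
    reason = check_peer(now, sa.peer, new_crl)
    if reason is not None:
        sa.state, sa.delete_reason = "DELETED", reason
    else:
        sa.reauth_at = reauth_deadline(sa.established, sa.peer, new_crl,
                                       policy_lifetime)
    return sa


# --- constructed sample inputs (not real certificates or CRLs) -------------
UTC = timezone.utc
T0 = datetime(2024, 1, 1, tzinfo=UTC)
ISSUER = "CN=Example IPsec CA"                     # made-up issuer name
PEER = PeerCert(0x1001, ISSUER, datetime(2023, 1, 1, tzinfo=UTC),
                datetime(2025, 1, 1, tzinfo=UTC))
CRL_V1 = Crl(ISSUER, T0 - timedelta(days=1), T0 + timedelta(days=7),
             frozenset({0x2002}))                  # peer not listed
CRL_V2 = Crl(ISSUER, T0 + timedelta(hours=1), T0 + timedelta(days=8),
             frozenset({0x2002, 0x1001}))          # peer now revoked
CRL_STALE = Crl(ISSUER, T0 - timedelta(days=30), T0 - timedelta(days=23),
                frozenset())
CRL_OUTLIVES_CERT = Crl(ISSUER, T0, datetime(2026, 1, 1, tzinfo=UTC),
                        frozenset())
POLICY_24H = timedelta(hours=24)
POLICY_30D = timedelta(days=30)
POLICY_UNBOUNDED = timedelta(days=3650)


def demo():
    """Establish with a 30-day policy (CRL nextUpdate wins), then a refreshed
    CRL revokes the peer one hour later and the SA is deleted immediately."""
    sa = establish(T0, PEER, CRL_V1, POLICY_30D)
    first_deadline = sa.reauth_at
    on_crl_refresh(T0 + timedelta(hours=1), sa, CRL_V2, POLICY_30D)
    return first_deadline, sa.state, sa.delete_reason
```

With a 30-day configured lifetime the deadline is pulled in to the CRL's nextUpdate a week out, which is the "check at the right time" behaviour from the message; the refreshed CRL then deletes the SA at T0+1h rather than at that deadline, which is Tero's point. The clamp to notAfter in `reauth_deadline` is the caveat for a CRL whose nextUpdate is later than the certificate's expiry.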
