> On Nov 29, 2015, at 3:56 PM, Michael Richardson <[email protected]> wrote:
>
>
> It is my belief/memory that IKEv2 implementations should NOT limit SA
> (PARENT or CHILD) lifetimes based upon certificate lifetime or CRL lifetime.
>
> Neither rfc4945 (pki4ipsec) nor rfc7296 seems to confirm or deny this.
> Yet, I'm sure that this was consensus at some point. Maybe I've
> mis-remembered?
> What document did I miss?

I don't remember one way or the other. It seems perfectly logical to limit SA
lifetime. This certainly seems to be what customers expect (based on some
feedback I've seen). It's definitely a nuisance and I would be happy to have
it optional ("MAY"), but prohibiting it doesn't make sense to me.

paul