> On Nov 30, 2015, at 10:52 AM, <[email protected]> <[email protected]> wrote:
>
>> On Nov 29, 2015, at 3:56 PM, Michael Richardson <[email protected]> wrote:
>>
>> It is my belief/memory that IKEv2 implementations should NOT limit SA
>> (PARENT or CHILD) lifetimes based upon certificate lifetime or CRL lifetime.
>>
>> Neither rfc4945 (pki4ipsec) nor rfc7296 seems to confirm or deny this.
>> Yet, I'm sure that this was consensus at some point. Maybe I've
>> mis-remembered?
>> What document did I miss?
>
> I don't remember one way or the other. It seems perfectly logical to limit
> SA lifetime. This certainly seems to be what customers expect (based on some
> feedback I've seen). It's definitely a nuisance and I would be happy to have
> it optional ("MAY"), but prohibiting it doesn't make sense to me.

Sorry, I dropped a few words that muddle the meaning. I meant to say "it's definitely a nuisance to implement limiting, ..."

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
