> From: IPsec [mailto:[email protected]] On Behalf Of Michael
> Richardson
>
> It is my belief/memory that IKEv2 implementations should NOT limit SA
> (PARENT or CHILD) lifetimes based upon certificate lifetime or CRL lifetime.
>
> Neither rfc4945 (pki4ipsec) nor rfc7296 seems to confirm or deny this.
> Yet, I'm sure that this was consensus at some point. Maybe I've misremembered?
> What document did I miss?
It's listed as a requirement in 4301; section 4.4.2.1, Data Items in the SAD,
which is the obvious place one should look for requirements on how IPSec/IKE
interacts with PKI.
See the bullet point 'Lifetime of this SA':
"If time is employed [as a limit on the lifetime of the SA], and if
IKE employs X.509 certificates for SA establishment, the SA
lifetime must be constrained by the validity intervals of the
certificates, and the NextIssueDate of the Certificate Revocation
Lists (CRLs) used in the IKE exchange for the SA."
Hmmm, the above implies that if the SA has a negotiated lifetime of a million
years, then it is limited to the expiration of the certificate (if one was
used), but if it has a technically unlimited lifetime (as far as time is
concerned), then it is not. I'm not sure what's the reasoning behind that.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
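As an added illustration of the RFC 4301 section 4.4.2.1 rule quoted above (example code written for this page, not from the thread or from any IKE implementation): a function that derives the time bound of an SA from the negotiated lifetime, the validity windows of the certificates used in the exchange and the next-issue dates of the CRLs. An SA with no time-based limit is left unconstrained, as the quoted text literally reads; the `constrain_unlimited` switch is an assumption of this example that shows the stricter alternative reading.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple


def sa_time_bound(
    established: datetime,
    negotiated_lifetime: Optional[timedelta],
    cert_validity: Iterable[Tuple[datetime, datetime]],
    crl_next_update: Iterable[datetime],
    constrain_unlimited: bool = False,
) -> Optional[datetime]:
    """Return the instant at which the SA must be treated as expired,
    or None when no time-based limit applies.

    RFC 4301 4.4.2.1: if time is employed as a lifetime limit and X.509
    certificates were used, the lifetime is bounded by the certificates'
    validity intervals and by the NextIssueDate of the CRLs used.
    """
    cert_validity = list(cert_validity)
    crl_next_update = list(crl_next_update)

    # Literal reading: no time limit negotiated, so no PKI-derived bound.
    # constrain_unlimited (an assumption of this example) applies the
    # PKI bound anyway, the stricter interpretation.
    if negotiated_lifetime is None and not constrain_unlimited:
        return None

    bound: Optional[datetime] = None
    if negotiated_lifetime is not None:
        bound = established + negotiated_lifetime

    for not_before, not_after in cert_validity:
        # A certificate that was not valid at establishment time should
        # have failed authentication; refuse to compute a bound from it.
        if not (not_before <= established <= not_after):
            raise ValueError("certificate not valid at SA establishment")
        bound = not_after if bound is None else min(bound, not_after)

    for next_update in crl_next_update:
        bound = next_update if bound is None else min(bound, next_update)

    return bound


def sa_expired(now: datetime, bound: Optional[datetime]) -> bool:
    """True when a bound exists and has passed; unbounded SAs never expire."""
    return bound is not None and now >= bound
```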