Scott Fluhrer (sfluhrer) <[email protected]> wrote:
>> From: IPsec [mailto:[email protected]] On Behalf Of Michael
>> Richardson
>>
>> It is my belief/memory that IKEv2 implementations should NOT limit SA
>> (PARENT or CHILD) lifetimes based upon certificate lifetime or CRL lifetime.
>>
>> Neither rfc4945 (pki4ipsec) nor rfc7296 seems to confirm or deny this.
>> Yet, I'm sure that this was consensus at some point. Maybe I've
>> misremembered?
>> What document did I miss?
> It's listed as a requirement in 4301; section 4.4.2.1, Data Items in
> the SAD, which is the obvious place one should look for requirements on
> how IPSec/IKE interacts with PKI.
Yes, that would be an obvious place to look for CHILD SA lifetimes.
I didn't think to look in 4301 for requirements on IKEv2.
What about PARENT SA lifetimes? :-)
> See the bullet point 'Lifetime of this SA':
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
