Tero Kivinen <[email protected]> wrote:
    > We have discussed about this, but I think we never really reached
    > consensus on one thing. There are reasons to limit SA lifetimes, and
    > there are reasons not to.

    > Certificate lifetime is usually ok, as they are long lived, but CRL
    > lifetimes are not something that should be used for limiting SA
    > lifetimes. If you have for example hourly CRLs, that would mean that
    > every connection will do reauthentication hourly and everybody does
    > that reauthentication at the same time, as they all use the same CA, thus
    > the same CRL.

    > It would be much better to implement it so that you store the
    > certificate used for authentication and then put verification timers
    > in the future when something happens, i.e. CRL expires etc. When the
    > CRL expires, you download new CRL, and go through that and if you have
    > any connections using any certificates on the CRL, you delete those
    > connections.

I think that this is the right approach to CRLs, and I'd like to see this
concept written down so that it can be referenced.  Knowing this helps the
security review for protocols that live on top of IPsec.

    > On the other hand if someone's certificate gets compromised, or an
    > employee leaves the company, you do not want to wait until the next CRL
    > lifetime. You remove his account from the user database, and push that
    > change out to the VPN gateways, and if there are any connections open
    > using that account that got deleted, you remove those connections
    > (i.e. re-evaluate your policy for existing connections after policy
    > update). This will allow you to disable access in a timely fashion and
    > you can still use more usable times for CRLs and Certificates.

In the context of how IPsec has been used for remote access to date, this is
feasible.

In situations where IPsec might be used as part of an autonomic system, this
won't work with some protocol to do this.  OCSP can't help here because we
don't know when to do another OCSP, so I think the recommendation is going to
be to set the CRL lifetime shorter.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-



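One way to realise the design Tero describes above (store the certificate used at authentication, re-check when the CRL's nextUpdate timer fires or a fresh CRL arrives, and re-evaluate existing connections immediately when an account is removed), as an added example that is not code from the thread or from any IKE implementation. The SA and Gateway classes, the issuer names, serials and times are constructed for illustration; times are plain integers standing in for clock values.

```python
from dataclasses import dataclass, field


@dataclass
class SA:
    """Per-connection state kept from IKE authentication (constructed)."""
    peer: str
    account: str
    issuer: str
    cert_serial: int


@dataclass
class Gateway:
    sas: dict = field(default_factory=dict)        # sa_id -> SA
    accounts: set = field(default_factory=set)     # accounts still permitted
    revoked: dict = field(default_factory=dict)    # issuer -> serials on last CRL
    crl_timer: dict = field(default_factory=dict)  # issuer -> CRL nextUpdate time
    deleted: list = field(default_factory=list)    # sa_ids torn down, in order

    def add_sa(self, sa_id, sa):
        self.sas[sa_id] = sa

    def load_crl(self, issuer, next_update, serials):
        """Called when a CRL is (re)downloaded: store it, arm the verification timer."""
        self.revoked[issuer] = set(serials)
        self.crl_timer[issuer] = next_update
        return self.reevaluate()

    def crls_due(self, now):
        """Issuers whose CRL has expired: only a fresh download is needed, no reauth."""
        return sorted(i for i, t in self.crl_timer.items() if t <= now)

    def remove_account(self, account):
        """Policy update pushed from the user database; applied without waiting."""
        self.accounts.discard(account)
        return self.reevaluate()

    def _permitted(self, sa):
        if sa.account not in self.accounts:
            return False
        return sa.cert_serial not in self.revoked.get(sa.issuer, set())

    def reevaluate(self):
        """Re-check policy for every existing SA; delete those no longer permitted."""
        gone = [sid for sid, sa in self.sas.items() if not self._permitted(sa)]
        for sid in gone:
            del self.sas[sid]
        self.deleted.extend(gone)
        return gone
```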

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
