> On Dec 1, 2015, at 5:14 AM, Tero Kivinen <[email protected]> wrote:
>
> [email protected] writes:
>>
>>> On Nov 29, 2015, at 3:56 PM, Michael Richardson <[email protected]>
>>> wrote:
>>>
>>>
>>> It is my belief/memory that IKEv2 implementations should NOT limit SA
>>> (PARENT or CHILD) lifetimes based upon certificate lifetime or CRL lifetime.
>>>
>>> Neither rfc4945 (pki4ipsec) nor rfc7296 seems to confirm or deny this.
>>> Yet, I'm sure that this was consensus at some point. Maybe I've
>>> mis-remembered?
>>> What document did I miss?
>>
>> I don't remember one way or the other. It seems perfectly logical
>> to limit SA lifetime. This certainly seems to be what customers
>> expect (based on some feedback I've seen).
>
> We have discussed this, but I think we never really reached
> consensus on one thing. There are reasons to limit SA lifetimes, and
> there are reasons not to.
>
> Certificate lifetime is usually ok, as they are long lived, but CRL
> lifetimes are not something that should be used for limiting SA
> lifetimes. If you have for example hourly CRLs, that would mean that
> every connection will do reauthentication hourly and everybody does
> that reauthentication at the same time, as they all use the same CA, thus
> the same CRL.
It might mean that, but if you recognize this issue, you can adjust the timers
by a random fraction. This is a classic answer to the "everyone doing stuff at
the same time" problem. It's not as well known as it should be, unfortunately.
paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
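The timer jitter Paul describes, as an added Python example that is not code from any of the posters or from an IKEv2 implementation. It assumes the policy under discussion (SA lifetime capped at the CRL's nextUpdate) and a constructed population of peers that all hold the same CRL, and shows how shortening each timer by a random fraction spreads the reauthentications instead of letting them all land in the same instant.

```python
import random
from collections import Counter


def bounded_lifetime(now, sa_lifetime, crl_next_update):
    """Assumed policy: an SA may not outlive the CRL it was authenticated under."""
    return max(0, min(sa_lifetime, crl_next_update - now))


def jittered_reauth_time(now, sa_lifetime, crl_next_update, jitter_fraction, rng):
    """Reauthenticate after the bounded lifetime shortened by a random fraction
    in [0, jitter_fraction]. Only shortening (never lengthening) keeps the SA
    from outliving the CRL, so the security bound still holds."""
    lifetime = bounded_lifetime(now, sa_lifetime, crl_next_update)
    return now + lifetime * (1.0 - rng.uniform(0.0, jitter_fraction))


def simulate(n_peers, now, sa_lifetime, crl_next_update, jitter_fraction,
             seed=1, bucket=60):
    """Constructed scenario: n_peers all validated against the same CA, so they
    share one CRL nextUpdate. Returns (peak, windows, latest):
      peak    - most peers reauthenticating inside any one `bucket`-second window
      windows - number of distinct windows that see a reauthentication
      latest  - the latest reauthentication time (must not pass the CRL expiry)
    """
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    times = [jittered_reauth_time(now, sa_lifetime, crl_next_update,
                                  jitter_fraction, rng) for _ in range(n_peers)]
    windows = Counter(int(t // bucket) for t in times)
    return max(windows.values()), len(windows), max(times)


if __name__ == "__main__":
    # Hourly CRL (nextUpdate in 3600 s), 8-hour configured SA lifetime, 1000 peers.
    for jitter in (0.0, 0.2):
        peak, windows, latest = simulate(1000, 0, 8 * 3600, 3600, jitter)
        print(f"jitter={jitter:.1f}: peak={peak} peers in one minute, "
              f"spread over {windows} minute(s), latest reauth at {latest:.0f}s")
```

With no jitter all 1000 peers reauthenticate in the same minute; with a 20% jitter fraction the same peers are spread over the last 12 minutes before the CRL expires, and none of them pass it.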