On 2021/08/03 17:02, Vitaliy Makkoveev wrote:
> > - a 50% lower limit feels too low to me
> >
>
> Why? The 95% limit is too close to lifetime expiration and as it was
> exposed we don't have enough time to perform rekeying. I also had this
> problem while testing iked(8) over WIFI connection and t
On Mon, Aug 02, 2021 at 09:09:03PM -0600, Theo de Raadt wrote:
>
> I suspect the first step is to make the rekey decision be based upon the
> strength of the ciphers.
>
Do you mean the special default limits for each cipher?
On Tue, Aug 03, 2021 at 12:17:38PM +0100, Stuart Henderson wrote:
> On 2021/08/03 01:12, Vitaliy Makkoveev wrote:
> > iked(8) uses 3 hours and 512 megabytes of processed data as default
> > lifetime hard limits for Child SA. Also it sets 85-95% of these values as
> > soft limit. iked(8) should perf
On Tue, Aug 03, 2021 at 01:40:51PM +0200, Tobias Heider wrote:
> On Tue, Aug 03, 2021 at 12:17:38PM +0100, Stuart Henderson wrote:
> > On 2021/08/03 01:12, Vitaliy Makkoveev wrote:
> > > iked(8) uses 3 hours and 512 megabytes of processed data as default
> > > lifetime hard limits for Child SA. Als
On Tue, Aug 03, 2021 at 01:40:51PM +0200, Tobias Heider wrote:
> On Tue, Aug 03, 2021 at 12:17:38PM +0100, Stuart Henderson wrote:
> > On 2021/08/03 01:12, Vitaliy Makkoveev wrote:
> > > iked(8) uses 3 hours and 512 megabytes of processed data as default
> > > lifetime hard limits for Child SA. Al
On Tue, Aug 03, 2021 at 12:17:38PM +0100, Stuart Henderson wrote:
> On 2021/08/03 01:12, Vitaliy Makkoveev wrote:
> > iked(8) uses 3 hours and 512 megabytes of processed data as default
> > lifetime hard limits for Child SA. Also it sets 85-95% of these values as
> > soft limit. iked(8) should perf
On 2021/08/03 01:12, Vitaliy Makkoveev wrote:
> iked(8) uses 3 hours and 512 megabytes of processed data as default
> lifetime hard limits for Child SA. Also it sets 85-95% of these values as
> soft limit. iked(8) should perform rekeying before we reach hard limit
> otherwise this SA will be killed
Vitaliy Makkoveev wrote:
> > ssh_packet_need_rekeying() appears to have some nice decisions. The
> > idea is to rekey based upon time, primarily.
>
> It does the same: the two limits and rekeying starts when you exceeded
> any of them. But in the ssh case we have no massive traffic load, so we
>
> On 3 Aug 2021, at 04:22, Theo de Raadt wrote:
>
> Joerg Sonnenberger wrote:
>
>> On Tue, Aug 03, 2021 at 01:12:54AM +0300, Vitaliy Makkoveev wrote:
>>> Index: sbin/iked/types.h
>>> ===
>>> RCS file: /cvs/src/sbin/iked/types.h,v
>
Joerg Sonnenberger wrote:
> On Tue, Aug 03, 2021 at 01:12:54AM +0300, Vitaliy Makkoveev wrote:
> > Index: sbin/iked/types.h
> > ===
> > RCS file: /cvs/src/sbin/iked/types.h,v
> > retrieving revision 1.43
> > diff -u -p -r1.43 types.h
On Tue, Aug 03, 2021 at 01:12:54AM +0300, Vitaliy Makkoveev wrote:
> Index: sbin/iked/types.h
> ===
> RCS file: /cvs/src/sbin/iked/types.h,v
> retrieving revision 1.43
> diff -u -p -r1.43 types.h
> --- sbin/iked/types.h 13 May 2021 15:
iked(8) uses 3 hours and 512 megabytes of processed data as default
lifetime hard limits for Child SA. Also it sets 85-95% of these values as
soft limit. iked(8) should perform rekeying before we reach hard limit
otherwise this SA will be killed and the tunnel stopped. With default
values the windo
12 matches