Issue #2559

Whether support rekey when sequence number overflow?

Added by Xiaoqiang Fu over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Affected version: 5.5.3
Resolution: Duplicate

Description

Hi,

This text in RFC 7296 refers to rekeying when the sequence number overflows:

Note that Message IDs are cryptographically protected and provide protection against message replays. In the unlikely event that Message IDs grow too large to fit in 32 bits, the IKE SA MUST be closed or rekeyed.

I would like to know whether strongSwan supports rekeying when the IKE_SA or CHILD_SA sequence number overflows. Please comment more on this feature. Thanks.


Related issues

Has duplicate Issue #1157: Message ID overflow RFC 5996 2.2 (Feedback, 12.10.2015)

History

#1 Updated by Tobias Brunner over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

#2 Updated by Tobias Brunner over 7 years ago

  • Has duplicate Issue #1157: Message ID overflow RFC 5996 2.2 added

#3 Updated by Xiaoqiang Fu over 7 years ago

The issue is not the same.
I would like to know whether the CHILD_SA is rekeyed on sequence number overflow.
The RFC only covers the case for the IKE_SA.

#4 Updated by Tobias Brunner over 7 years ago

> The issue is not the same.

Well, you quoted the exact same part referenced already in #1157.

> I would like to know whether the CHILD_SA is rekeyed on sequence number overflow.

For the CHILD_SA, configure appropriate lifetime settings, e.g. a soft and hard packet limit, so the SA is rekeyed (see ExpiryRekey).

#5 Updated by Xiaoqiang Fu over 7 years ago

> For the CHILD_SA, configure appropriate lifetime settings, e.g. a soft and hard packet limit, so the SA is rekeyed (see ExpiryRekey).

It gives examples for time (lifetime, margintime), and in ipsec.conf they have default values. But for the packet limit there is no default value.

lifebytes = <number>

If no value is set for lifepackets, how shall I forecast the marginpacket or lifetime?

#6 Updated by Tobias Brunner over 7 years ago

> For the CHILD_SA, configure appropriate lifetime settings, e.g. a soft and hard packet limit, so the SA is rekeyed (see ExpiryRekey).

> It gives examples for time (lifetime, margintime), and in ipsec.conf they have default values. But for the packet limit there is no default value.

No, there is currently no default set, so set life|marginpackets if you think it could be a problem in your setup. Also consider using ESN.

> lifebytes = <number>

> If no value is set for lifepackets, how shall I forecast the marginpacket or lifetime?

What do you mean? lifebytes is not related to lifepackets, and marginpackets has no effect if lifepackets is not set. Neither is directly related to lifetime.

#7 Updated by Xiaoqiang Fu over 7 years ago

> No, there is currently no default set, so set life|marginpackets if you think it could be a problem in your setup. Also consider using ESN.

Do you mean that rekeying on sequence number rollover is enabled by setting life|marginpackets? Otherwise, it is disabled. lifetime/margintime is only for the time case, not for the sequence number rollover case, am I right?

What is the priority of lifebytes, lifepackets and lifetime if they are all set in one conn?

#8 Updated by Tobias Brunner over 7 years ago

> Do you mean that rekeying on sequence number rollover is enabled by setting life|marginpackets?

Sure, setting a limit on the number of processed packets effectively prevents a sequence number rollover, as it caps the sequence numbers to whatever limit is configured.

> lifetime/margintime is only for the time case, not for the sequence number rollover case, am I right?

Yes, these options only configure a time based limit.

> What is the priority of lifebytes, lifepackets and lifetime if they are all set in one conn?

Whatever limit is reached first causes the SA to expire.
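To illustrate the advice in #4, #6 and #8, here is an added ipsec.conf fragment (example configuration, not from the thread or the strongSwan project) that puts a packet limit on the CHILD_SA and requests ESN; the connection name, addresses, cipher suite and limit values are constructed for illustration.

```ini
# Added example: a conn whose CHILD_SA is rekeyed before a 32-bit ESP
# sequence number can wrap. Name, addresses and numbers are placeholders.
conn seqno-safe
    left=192.0.2.1
    right=198.51.100.1
    # Request Extended Sequence Numbers (64-bit) in the ESP proposal, so
    # the on-the-wire sequence number itself no longer wraps at 2^32.
    esp=aes128gcm16-esn
    # Hard limit: the CHILD_SA expires after this many packets, which is
    # kept well below 2^32 = 4294967296. Without lifepackets there is no
    # packet-based expiry at all (no default).
    lifepackets=2000000000
    # Soft limit: rekeying starts marginpackets before the hard limit,
    # i.e. at roughly 1.8 billion packets. rekeyfuzz randomly increases
    # the margin (by up to 100% here) so peers do not rekey in lockstep.
    marginpackets=200000000
    rekeyfuzz=100%
    # Time-based limits still apply independently; whichever limit
    # (packets, bytes or time) is reached first causes the SA to expire.
    lifetime=1h
    margintime=9m
    auto=start
```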

#9 Updated by Xiaoqiang Fu over 7 years ago

Got it.
Thanks for your comment.
Please close the issue.