Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
570
Views
5
Helpful
3
Replies

Regarding SA Lifetime

palsukh2002
Level 1
Level 1

‎01-04-2009 07:46 PM - edited ‎03-11-2019 07:32 AM

Dear Team,

1.Why there is a need for setting SA lifetime.

2.Whether SA will reset earlier if we have set an idle timeout for VPN tunnel.I mean if the VPN tunnel is idle for some amount of Time and if I have set the idletime out to be less than SA reset time..then will it wait for SA to reset OR the tunnel will get disconnected once the Idletime is reached.

Labels:
0 Helpful
3 Replies 3

andrew.prince
Level 10
Level 10

‎01-05-2009 08:17 AM

1) The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session.

2) Lifetime of a Security Association: a time interval after

which an SA must be replaced with a new SA (and new SPI) or

should occur. This may be expressed as a time or byte count,

or a simultaneous use of both, the first lifetime to expire

taking precedence. Both initiator and responder are responsible for

constraining SA lifetime in this fashion.

HTH>

palsukh2002
Level 1
Level 1
In response to andrew.prince

‎01-05-2009 04:47 PM

Dear Andrew,

Thanks a Lot.

1. But my question is why we set SA lifetime and what exactly we do in Reseting SA Lifetime(May be changing some keys).If we will not reset SA Lifetime periodically waht will happen.

0 Helpful

andrew.prince
Level 10
Level 10
In response to palsukh2002

‎01-06-2009 01:40 AM

OK - in my original post there is a line that says "After deciding on the algorithms, the two devices must share session keys." So the SA keep a record of the session keys. The session keys are the ENCRYPTION KEYS, the encryption keys are used by both ends to encrypt and decrypt the VPN over the insuecure medium, the internet.

Just imagine if your SA never timed out - and the sessions keys stayed the same for ever. What if you used a weak encryption method or a hacked hash method to neogtiate the keys. To add to that just say that a man in the middle attack on your VPN connection at start up was performed and the encrypte keys were captured in transit.

This now means that a hacker has all the time in the world to crack the session encryption keys and get access to your network.

So apart from keeping track of all the keys, settings and timers etc. The SA offers an extra layer of security ensuring the encryption keys are renegotiated in a time period to make sure the VPN stays secure.

HTH>

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card