Archived
TD0021: Update to Limits on SA Lifetimes for IKE v1 and IKE v2
Publication Date
2014.11.07
Protection Profiles
PP_WLAN_AS_V1.0
Other References
PP_WLAN_AS_V1.0, requirement FCS_IPSEC_EXT.1.4
Issue Description
The WLAN PP mandates that IKE v1 SA lifetimes be limited by both the number of packets and time. Once either limit is reached, the SA must be closed or re-negotiated. However, newer PPs such as NDPPv1.1 Errata #2, VPN GW EP 1.1 and the IPsec VPN Client PP stipulate that the TOE can limit IKE v1 SA lifetime based on either the number of packets/number of bytes OR length of time. Can the same approach be taken for WLAN?
Resolution
FCS_IPSEC_EXT.1.4 can be updated to allow the TOE to limit both IKE v1 and IKE v2 SA lifetimes based on either the number of packets/number of bytes OR length of time. The modified requirement will read as follows:
Justification
The newer PPs such as the IPsec VPN Client PP allow SA lifetime limits based on either the number of packets/number of bytes or time for both IKE v1 and IKE v2. The WLAN AS PP is one of the older PPs and needs updating to reflect more current practice.
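As an added illustration, not part of this TD or of any Protection Profile, the following strongSwan swanctl.conf fragment shows how a product can enforce the lifetime limits the resolution describes. The connection name, addresses, certificate file and numeric limits are assumptions chosen for the example. Note that in strongSwan the byte and packet counters apply to the CHILD_SA (the IPsec SA, i.e. the IKE v1 Phase 2 SA), while the IKE SA itself is bounded by time only; whichever configured limit is reached first triggers a rekey, and the life_* hard limits sit above the rekey_* soft limits so the rekey has time to complete before the old SA is deleted.

```ini
# Added illustration (not part of TD0021 or any PP): a strongSwan swanctl.conf
# connection that bounds SA lifetimes by time and by traffic volume. The
# connection name, addresses, certificate file and all numeric values below
# are assumptions chosen for this example.
connections {
    wlan-as {
        version = 2                 # IKEv2; set to 1 for IKEv1
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.20
        # IKE SA: strongSwan limits the IKE SA by time only.
        rekey_time = 4h             # soft limit: rekey the IKE SA after 4 hours
        over_time  = 10m            # hard limit: delete it if rekeying has not finished 10 minutes later
        local {
            auth  = pubkey
            certs = wlan-as.crt
        }
        remote {
            auth = pubkey
        }
        children {
            wlan-clients {
                local_ts  = 10.10.0.0/16
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384
                # CHILD_SA: whichever of the three soft limits is hit first triggers a rekey.
                rekey_time    = 1h          # time-based limit
                rekey_bytes   = 1000000000  # volume-based limit: 1 GB of protected traffic
                rekey_packets = 10000000    # count-based limit: 10 million packets
                # Hard limits give the rekey a margin to complete before the old SA is torn down.
                life_time     = 70m
                life_bytes    = 1100000000
                life_packets  = 11000000
            }
        }
    }
}
```

Leaving rekey_bytes or rekey_packets at their default of 0 disables that counter, which is the configuration shape that matches the "time only" selection permitted by the updated requirement; setting both kinds of limit, as above, matches the stricter "both" behaviour of the original WLAN AS PP wording.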