4

I am using ip xfrm state and ip xfrm policy commands from iproute2 tool to implement IPSec. I have read documentation of iproute2 (PDF) and ip-xfrm man page. The man page states:

LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS | { byte-soft | byte-hard } SIZE | { packet-soft | packet-hard } COUNT

LIMIT-LIST sets limits in seconds, bytes, or numbers of packets.

Unfortunately, I couldn't find any documentation which explains the difference between time-soft vs time-hard and time-use-soft vs time-use-hard. Can anyone please explain these LIMIT types or any documentation reference ?

RoraΖ
  • 12,457
  • 4
  • 52
  • 84
Zaksh
  • 109
  • 7

1 Answers1

3

The soft limits can be used to implement rekeying. If either limit is reached the kernel will send expire messages to anyone listening for events on XFRM or PF_KEY sockets. But if a hard limit is reached the kernel also removes the state/policy automatically.

A keying daemon that installs SAs will usually set the limits so that there is enough time between the soft and hard limit to rekey the SA and it will use the expire event for the soft limit as trigger the rekeying. This mechanism is defined in RFC 4301 (Security Architecture for the Internet Protocol).

While a keying daemon could implement its own timer to trigger rekeying after a certain time, this isn't possible for packet/byte limits without relatively expensive polling of the usage counters of each SA.

Community
  • 1
ecdsa
  • 1,419
  • 8
  • 10