Subject: Re: bin/28922: racoon leaves old SA's in kernel
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: netbsd-bugs
Date: 01/09/2005 22:56:04
On Mon, Jan 10, 2005 at 12:42:38PM +0900, Jun-ichiro itojun Hagino wrote:
> > >Synopsis: racoon leaves old SA's in kernel
>
> IPsec/IKE specification does not define how to re-negotiate keys
> nor how to use old/new key, and behavior is totally implementation-
> dependent. racoon and netbsd are following the guidance in
> draft-jenkins-ipsec-rekeying-xx (keep old key and use old key until
> old key really expires).
This seems to result in traffic being discarded by the receiver, which
no longer has the old keys used by the sender.
Or am I missing something?
Should the key lifetime just be set to something extremely low to avoid
long-lasting problems?
Regards,
+ Kim
--
Kimmo Suominen
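To make the mismatch described above concrete, here is an added simulation (not part of the thread, of racoon or of the NetBSD kernel) of two SADBs: a sender that keeps using the old key until its hard lifetime expires, and a receiver that deletes the old inbound SA as soon as the rekeyed one is installed. SPIs, lifetimes and the packet timeline are constructed values.

```python
"""Constructed model of the IPsec rekeying mismatch: a sender keeping the
old SA until expiry (draft-jenkins style) versus a receiver that drops
the old inbound SA on rekey.  SPIs and lifetimes below are made up."""
from dataclasses import dataclass, field


@dataclass
class SA:
    spi: int
    expires_at: float  # hard lifetime, in simulated seconds


@dataclass
class Peer:
    keep_old_until_expiry: bool
    sadb: dict[int, SA] = field(default_factory=dict)  # SPI -> SA

    def install(self, sa: SA) -> None:
        """Install a newly negotiated SA; purge the old one if policy says so."""
        if not self.keep_old_until_expiry:
            self.sadb.clear()  # delete-on-rekey policy
        self.sadb[sa.spi] = sa

    def expire(self, now: float) -> None:
        """Remove SAs whose hard lifetime has passed (both policies do this)."""
        self.sadb = {s: sa for s, sa in self.sadb.items() if sa.expires_at > now}

    def outbound_spi(self) -> int:
        """Sender picks the oldest surviving SA, so the old key stays in use."""
        return min(self.sadb.values(), key=lambda sa: sa.expires_at).spi


def simulate(receiver_keeps_old: bool) -> list[tuple[int, str]]:
    """Rekey at t=80 while SA 0x1001 lives until t=100; report each packet."""
    sender = Peer(keep_old_until_expiry=True)  # keep-old-key behaviour
    receiver = Peer(keep_old_until_expiry=receiver_keeps_old)
    negotiated = {0: SA(0x1001, 100.0), 80: SA(0x1002, 180.0)}  # constructed
    log = []
    for now in (0, 50, 80, 90, 110):
        if now in negotiated:
            for peer in (sender, receiver):
                peer.install(negotiated[now])
        sender.expire(now)
        receiver.expire(now)
        if now in (50, 90, 110):  # data packets sent at these times
            spi = sender.outbound_spi()
            log.append((now, "delivered" if spi in receiver.sadb else "dropped"))
    return log
```

Running `simulate(False)` shows the packet at t=90 dropped because the receiver no longer holds SPI 0x1001, while `simulate(True)` delivers every packet.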