> Rereading the thread it's unclear to me which solution was deemed "correct".
> I'm not a big fan of fiddling/forcing SA lifetimes unless we have no other
> option; if someone is foolish enough to use manual keying with replay
> protection and no mechanism to catch rollover then they most likely have
> larger problems. It's the whole "we'll provide you with the gun, but you
> have to shoot yourself" argument as applied to SA lifetimes.
Also, the IPsec RFC requires automated SA management when using the anti-replay service, and that the option be disabled when SAs are manually set up. It may not stop anyone, but we can always point to the RFC. :-)

Joy
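As an added illustration of the RFC rule Joy points to (this is example code, not anything from the thread or from the kernel), the sender-side ESP sequence counter behaviour from RFC 4303: with anti-replay on, the counter must never wrap, and on a manually keyed SA there is no IKE to rekey, so the only safe action is to audit and stop sending. The class and function names are hypothetical.

```python
# Added example: models the outbound ESP sequence counter of RFC 4303 sec. 3.3.3.
# With anti-replay enabled the sender must not let the 32-bit counter roll over;
# a manually keyed SA has no automated rekey, so it must refuse further traffic.
# ManualSA, next_seq and send_burst are hypothetical names for this illustration.

SEQ_MAX = 0xFFFFFFFF  # 32-bit ESP sequence number space


class SAExhausted(Exception):
    """Raised when a manual SA with anti-replay would need to roll over."""


class ManualSA:
    def __init__(self, anti_replay: bool, start_seq: int = 0):
        self.anti_replay = anti_replay
        self.seq = start_seq        # last sequence number placed in a packet
        self.rollover_audits = 0    # number of rollover events that were logged

    def next_seq(self) -> int:
        """Return the sequence number for the next outbound packet."""
        if self.seq == SEQ_MAX:
            if self.anti_replay:
                # Anti-replay + manual keying: wrapping would let the peer accept
                # replayed packets, so audit the event and stop using the SA.
                self.rollover_audits += 1
                raise SAExhausted("manual SA sequence space exhausted; rekey required")
            # Anti-replay disabled: the RFC permits the counter to wrap.
            self.seq = 0
        else:
            self.seq += 1
        return self.seq


def send_burst(sa: ManualSA, n: int) -> tuple[int, bool]:
    """Try to send n packets; return (packets sent, whether the SA ran out)."""
    sent = 0
    for _ in range(n):
        try:
            sa.next_seq()
        except SAExhausted:
            return sent, True
        sent += 1
    return sent, False
```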