Hi
The default for IPSec SAs is one hour - you should set your IPSec SA
timeouts to shorter than your IKE SA timeouts, as much more information is
exchanged over an IPSec SA. If you are using DES encryption, I'd
recommend setting these quite low as DES is easily cracked these days.
You can leave the timeouts as the defaults if you choose high strength
encryption (e.g. 3DES or AES-256) as well as strong DH groups (e.g. Group 5
or Group 7). Also use PFS to ensure IKE and IPSec session keys are
separate. I generally tune down the IKE SA timeout to 4 hours (from the
default of 1 day) and leave the IPSec SA to 1 hour - however I live in New
Zealand and don't really deal with the huge VPNs you can get elsewhere in
the world.
The only real load will be if keys are renegotiated at the same time - this
would only happen if lots of users connected at the same time, which your
box must be designed to cope with any time. Obviously if you are using
high-strength DH groups (e.g. Group 7), and PFS, the load is significantly
increased when generating new session keys, so ensure you don't set timeouts
too low when using these high security features.
Regards,
Justin
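A small model of the trade-off Justin describes, added here as an example and not part of either email: it checks a lifetime policy against the advice above and estimates the Diffie-Hellman load for the 37 sites in the question, assuming one DH exchange per IKE rekey and one per IPsec rekey only when PFS is on (the SaPolicy type and its fields are constructed for this example).

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class SaPolicy:
    ike_lifetime_s: int    # ISAKMP/IKE SA lifetime (default on the page: 1 day)
    ipsec_lifetime_s: int  # IPsec SA lifetime (default on the page: 1 hour)
    cipher: str            # "des", "3des" or "aes-256"
    dh_group: int          # e.g. 2, 5 or 7
    pfs: bool


def check_policy(p: SaPolicy) -> list[str]:
    """Return the problems the thread warns about; an empty list means none."""
    problems = []
    if p.ipsec_lifetime_s >= p.ike_lifetime_s:
        problems.append("IPsec SA lifetime must be shorter than the IKE SA lifetime")
    if p.cipher == "des" and p.ipsec_lifetime_s >= 3600:
        problems.append("DES: set the IPsec SA lifetime well below the 1 hour default")
    if not p.pfs:
        problems.append("PFS off: IPsec session keys are not independent of the IKE SA")
    return problems


def dh_exchanges_per_hour(p: SaPolicy, tunnels: int) -> float:
    """Steady-state DH exchanges per hour with all tunnels up."""
    # Assumed cost model: one DH per IKE rekey; IPsec rekeys only cost a DH
    # with PFS (without PFS the IPsec keys are derived from the IKE SA).
    ike = tunnels * 3600 / p.ike_lifetime_s
    ipsec = tunnels * 3600 / p.ipsec_lifetime_s if p.pfs else 0
    return ike + ipsec


def peak_rekey_burst(p: SaPolicy, tunnels: int, stagger_s: int, horizon_s: int) -> int:
    """Most DH exchanges landing in any single second; tunnel i comes up at
    i*stagger_s, so stagger_s=0 is the "all connected at the same time" case."""
    hits = Counter()
    for i in range(tunnels):
        start = i * stagger_s
        for t in range(start + p.ike_lifetime_s, horizon_s + 1, p.ike_lifetime_s):
            hits[t] += 1
        if p.pfs:
            for t in range(start + p.ipsec_lifetime_s, horizon_s + 1, p.ipsec_lifetime_s):
                hits[t] += 1
    return max(hits.values(), default=0)


# Justin's tuned policy (IKE 4 h, IPsec 1 h, 3DES, group 5, PFS) for 37 sites
JUSTIN = SaPolicy(ike_lifetime_s=4 * 3600, ipsec_lifetime_s=3600, cipher="3des", dh_group=5, pfs=True)
if __name__ == "__main__":
    print(check_policy(JUSTIN), dh_exchanges_per_hour(JUSTIN, 37))
    print(peak_rekey_burst(JUSTIN, 37, 0, 4 * 3600), peak_rekey_burst(JUSTIN, 37, 60, 4 * 3600))
```

Staggering the tunnel start times by a minute turns a burst of 74 simultaneous DH exchanges into at most 2, which is the "renegotiated at the same time" load Justin refers to.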
-----Original Message-----
From: Ciaron Gogarty [mailto:cgogarty@xxxxxxxxxxx]
Sent: Saturday, December 07, 2002 1:06 PM
To: security@xxxxxxxxxxxxxx
Subject: SA Timeouts
Anybody have any real world experience on setting timeouts for IPsec and
ISAKMP SAs? The default is kind of large, so I was going to reduce it to
an hour or so, and then started thinking that an hour is too short, so the
trade off is performance for security. Specifically it's with a 3005 and
about 37 remote sites, 3DES. Given that the 3005 doesn't do encryption in
hardware am I going to overburden the box?