Archived TD0021: Update to Limits on SA Lifetimes for IKE v1 and IKE v2
PP_WLAN_AS_V1.0, requirement FCS_IPSEC_EXT.1.4
The WLAN PP mandates that IKE v1 SA lifetimes be limited by the number of packets and time. Once the limit is reached, the SA must be closed or re-negotiated. However, newer PPs such as NDPPv1.1 Errata #2, VPN GW EP 1.1 and IPsec VPN client stipulate that the TOE can limit IKE v1 SA lifetime based on either number of packets/number of bytes OR length of time. Can the same approach be taken for WLAN?
FCS_IPSEC_EXT.1.4 can be updated to allow the TOE to limit both IKE v1 and IKE v2 SA lifetimes based on either number of packets/number of bytes OR length of time. The modified requirement will read as follows:
The newer PPs such as the IPsec VPN client allow SA lifetime limits based on either number of packets/number of bytes or time for both IKE v1 and IKE v2. The WLAN AS PP is one of the older PPs and needs updating to reflect more current practice.