Last update on Tuesday, January 19, 2010
Lifetime settings determine when a new key is generated. Any time a key lifetime is reached, the associated SA is also renegotiated. The process of generating new keys at intervals is called dynamic rekeying or key regeneration. Lifetimes allow you to force the generation of a new key after a specific interval. For example, if the communication takes 100 minutes and you specify the key lifetime as 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised. Automatic key regeneration is provided by default. You can override the defaults and specify a master key lifetime either in minutes or as a number of session keys, or enable master key perfect forward secrecy (PFS).
Caution should be taken when setting very different key lifetimes, since they also determine the lifetime of the SA. For example, setting a master key lifetime of 8 hours (480 minutes) and a session key lifetime (set within a filter action) of 2 hours might result in a quick mode SA that is in place for almost 2 hours after the main mode SA has expired. This has the potential to occur if the new quick mode SA is generated just before the main mode SA expires.
- Session key limit
Repeated rekeying off of the same master key might eventually compromise the key. For example, if Alice on Computer A sends a message to Bob on Computer B, and then a few minutes later sends another message to Bob, the same master key material can be reused since an SA was recently established with that computer. If you want to limit the number of times this reuse occurs, you can specify a session key limit.
If you decide to enable master key perfect forward secrecy (PFS), the session key limit will be set to 1. Master key PFS forces key regeneration each time. If you specify both a master key lifetime in minutes, and a session key limit, whichever interval is reached first will start a new key.
- Master key perfect forward secrecy (PFS)
Master key PFS determines how a new session key is generated. Enabling master key PFS ensures that the master key keying material cannot be used to generate more than one session key.
Master key PFS should be used with caution because it requires reauthentication and might impact performance. It is not required to be enabled on both peers.
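The interaction of the three master key controls described above (lifetime in minutes, session key limit, and master key PFS, with "whichever is reached first" winning) is easy to misjudge, as is the quick mode overlap caveat. The following Python model is an added example written for this page; it is not Microsoft's implementation and does not call any Windows API. It treats a session key limit of 0 as "no limit" (an assumption of the model) and takes quick mode negotiation times in minutes as constructed input.

```python
"""Model of when a new master key (main mode SA) is required, following the
rules stated on this page: master key lifetime in minutes, session key limit,
and master key PFS (which forces the session key limit to 1)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MasterKeyPolicy:
    lifetime_minutes: int = 480      # Microsoft default cited on this page
    session_key_limit: int = 0       # 0 = unlimited (assumption of this model)
    master_key_pfs: bool = False

    def __post_init__(self) -> None:
        if self.master_key_pfs:
            # Page: enabling master key PFS sets the session key limit to 1
            self.session_key_limit = 1


@dataclass
class RekeySimulator:
    policy: MasterKeyPolicy
    master_established_at: Optional[float] = None
    session_keys_from_master: int = 0
    main_mode_times: List[float] = field(default_factory=list)

    def needs_new_master_key(self, now: float) -> bool:
        """Whichever trigger is reached first forces a new master key."""
        if self.master_established_at is None:
            return True                                   # nothing negotiated yet
        if now - self.master_established_at >= self.policy.lifetime_minutes:
            return True                                   # time limit reached
        limit = self.policy.session_key_limit
        if limit and self.session_keys_from_master >= limit:
            return True                                   # session key limit reached
        return False

    def quick_mode(self, now: float) -> bool:
        """Negotiate a session key at time `now` (minutes).
        Returns True if a main mode (new master key) was required first."""
        renegotiated = self.needs_new_master_key(now)
        if renegotiated:
            self.master_established_at = now
            self.session_keys_from_master = 0
            self.main_mode_times.append(now)
        self.session_keys_from_master += 1
        return renegotiated


def count_main_modes(policy: MasterKeyPolicy, quick_mode_times: List[float]) -> int:
    """Number of main mode negotiations needed for a series of quick modes."""
    sim = RekeySimulator(policy)
    for t in quick_mode_times:
        sim.quick_mode(t)
    return len(sim.main_mode_times)


def quick_mode_overlap(master_lifetime_min: float, session_lifetime_min: float,
                       quick_mode_at: float) -> float:
    """Minutes a quick mode SA negotiated at `quick_mode_at` (minutes after the
    main mode SA was established) remains valid after that main mode SA expires.
    This is the caveat on this page: 480/120 with a quick mode at minute 479
    leaves a session SA alive for 119 minutes past the master key's lifetime."""
    return max(0.0, quick_mode_at + session_lifetime_min - master_lifetime_min)


if __name__ == "__main__":
    # Constructed sample: five quick mode negotiations, one every five minutes
    quick_modes = [0, 5, 10, 15, 20]
    for label, policy in [
        ("defaults (480 min, no session limit)", MasterKeyPolicy()),
        ("session key limit 3", MasterKeyPolicy(session_key_limit=3)),
        ("master key PFS", MasterKeyPolicy(master_key_pfs=True)),
        ("lifetime 10 min", MasterKeyPolicy(lifetime_minutes=10)),
    ]:
        print(f"{label}: {count_main_modes(policy, quick_modes)} main mode(s)")
    print("overlap, 480/120, quick mode at 479:", quick_mode_overlap(480, 120, 479))
```

With the constructed schedule the default policy needs one main mode, a session key limit of 3 needs two, a 10-minute master key lifetime needs three, and master key PFS needs one per quick mode, which is the performance cost the page warns about.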
- Lifetime Options (values in seconds)
1200 seconds = 20 minutes
3600 seconds = 1 hour
10800 seconds = 3 hours
28800 seconds = 8 hours
86400 seconds = 24 hours
A key lifetime of eight hours ensures that the master key keying material (the Diffie-Hellman key) is regenerated after eight hours. Diffie-Hellman keys remain in memory during their lifetime; therefore, if many clients (several thousand) are connecting to the server for short periods of time, consider reducing their lifetime to reclaim memory. You might also consider reducing the key lifetime in hostile environments where a sophisticated attacker might attempt to intercept the communication. One disadvantage to reducing the key lifetime is that if clients must perform an additional main mode negotiation, this operation can be time-consuming and memory-intensive, and frequent Diffie-Hellman calculations increase the computational load placed on the server.
Here Microsoft specifies a default SA lifetime of 480 minutes. Examples of high-security-risk installations include reducing the SA lifetime to 180 minutes, and even as low as 20 minutes.
Ensure that the security association (SA) lifetime settings in the show crypto map domain ipsec command outputs are large enough to avoid excessive re-keys (the default settings ensure this).
Shorter lifetimes can make mounting a successful key recovery attack more difficult because the attacker has less data encrypted under the same key with which to work. However, shorter lifetimes require more CPU processing time for establishing new SAs.
Cisco's default SA Lifetime setting appears to vary by product and document. In one instance Cisco's default is 3600 seconds (1 hour), in another instance it's 86400 seconds (24 hours). For Cisco's IOS the permitted SA Lifetime range is from 120 to 86400 seconds. I'm not sure if this applies to other vendors. Cisco also allows you to specify SA Lifetime in bytes transferred (as well as time).
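To make the trade-off in the two preceding paragraphs concrete (a time-based lifetime, an optional volume-based lifetime, whichever is reached first, and the amount of traffic encrypted under one key versus the rekey rate), here is a small planning helper in Python. It is an added example, not Cisco code and not derived from any Cisco CLI output; the IOS range of 120 to 86400 seconds is taken from the page, while the throughput figures and the kilobyte limit are constructed sample values.

```python
"""Planning helper: which IPsec SA lifetime trigger fires first (seconds or
kilobytes) for a given traffic rate, how much data is encrypted under one key,
and how many rekeys per hour that implies across a set of tunnels."""
from dataclasses import dataclass
from typing import Optional, Tuple

IOS_SECONDS_RANGE = (120, 86400)   # permitted range stated on this page


@dataclass(frozen=True)
class SaLifetime:
    seconds: int
    kilobytes: Optional[int] = None  # None = time-based trigger only


def validate_ios_seconds(seconds: int) -> bool:
    """True if the value is inside the IOS range cited on the page."""
    low, high = IOS_SECONDS_RANGE
    return low <= seconds <= high


def effective_lifetime(policy: SaLifetime, throughput_kbps: float) -> Tuple[str, float, float]:
    """Return (trigger, effective_seconds, kilobytes_under_one_key).

    throughput_kbps is the sustained rate in kilobytes per second. If the
    kilobyte limit would be exhausted before the time limit, the volume
    trigger fires first and the SA lives shorter than its configured seconds."""
    if not validate_ios_seconds(policy.seconds):
        raise ValueError(f"seconds {policy.seconds} outside IOS range {IOS_SECONDS_RANGE}")
    kb_in_time = policy.seconds * throughput_kbps
    if policy.kilobytes is not None and throughput_kbps > 0 and kb_in_time > policy.kilobytes:
        return "kilobytes", policy.kilobytes / throughput_kbps, float(policy.kilobytes)
    return "seconds", float(policy.seconds), kb_in_time


def rekeys_per_hour(policy: SaLifetime, throughput_kbps: float, tunnels: int) -> float:
    """Approximate SA renegotiations per hour the gateway must absorb."""
    _, seconds, _ = effective_lifetime(policy, throughput_kbps)
    return tunnels * 3600.0 / seconds


if __name__ == "__main__":
    # Constructed comparison: the page's 480/180/20-minute settings plus a
    # constructed 1,000,000 KB volume limit, at 100 KB/s over 200 tunnels.
    rate_kbps, tunnels = 100.0, 200
    for minutes in (480, 180, 20):
        policy = SaLifetime(seconds=minutes * 60, kilobytes=1_000_000)
        trigger, secs, kb = effective_lifetime(policy, rate_kbps)
        print(f"{minutes:>3} min: trigger={trigger:<9} effective={secs:>7.0f}s "
              f"data/key={kb:>9.0f} KB rekeys/h={rekeys_per_hour(policy, rate_kbps, tunnels):.0f}")
```

The output makes the page's point visible: the 480-minute setting is cut short by the volume limit at this rate (the trigger column reads "kilobytes"), the 20-minute setting exposes the least data per key but drives the highest rekey rate, and any value outside 120 to 86400 seconds is rejected before it reaches the calculation.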
More from Cisco