Joerg Sonnenberger <jo...@bec.de> wrote:
> On Tue, Aug 03, 2021 at 01:12:54AM +0300, Vitaliy Makkoveev wrote:
> > Index: sbin/iked/types.h
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/types.h,v
> > retrieving revision 1.43
> > diff -u -p -r1.43 types.h
> > --- sbin/iked/types.h 13 May 2021 15:20:48 -0000 1.43
> > +++ sbin/iked/types.h 2 Aug 2021 21:41:55 -0000
> > @@ -67,7 +67,7 @@
> > #define IKED_CYCLE_BUFFERS 8 /* # of static buffers for mapping */
> > #define IKED_PASSWORD_SIZE 256 /* limited by most EAP types */
> >
> > -#define IKED_LIFETIME_BYTES 536870912 /* 512 Mb */
> > +#define IKED_LIFETIME_BYTES 1073741824 /* 512 Mb */
> > #define IKED_LIFETIME_SECONDS 10800 /* 3 hours */
> >
> > #define IKED_E 0x1000 /* Decrypted flag */
> >
>
> Comment and value don't match? Also, isn't 512MB quite low with modern
> crypto algorithms?
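Review bot: the comment on the + line of the @@ -67,7 +67,7 @@ hunk still reads /* 512 Mb */ while the new value 1073741824 is 1024 MiB (1 GiB), so the comment needs to change with the value, e.g. "#define IKED_LIFETIME_BYTES 1073741824 /* 1 GiB */". The old "Mb" was already wrong for a byte count (that unit is megabits), so spelling it out as MiB/GiB avoids repeating the confusion. The diff also carries no rationale for picking 1 GiB rather than any other figure; one sentence on what bound the number is derived from would save the next person reading this line from guessing.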
I think the low values are exceedingly cynical, and should be increased substantially. ssh_packet_need_rekeying() appears to have some nice decisions. The idea is to rekey based upon time, primarily.
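The time-first rekey decision the reply above points at, as an added example (editor's code, not iked's and not OpenSSH's): a small C model of a rekey policy that tests a time limit, then a packet-count limit, then a data limit bounded by the cipher's block size. The byte and time constants used in main() are the 536870912 bytes and 10800 seconds from the quoted diff. The cipher-derived block bound (2^(L/4) blocks for an L-bit block cipher, 1 GiB for narrow blocks, after RFC 4344 section 3.2), the 2^31 packet cap and the one-packet-per-key allowance are modelled on what the editor understands ssh_packet_need_rekeying() and its key setup to do; they are assumptions of this example, not a reproduction of that function, and the struct and function names are invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not iked or OpenSSH code: a rekey policy that combines a
 * time limit, a packet-count limit and a data limit bounded by block size.
 */

/* Rekey long before the 32-bit packet sequence number can wrap (assumption). */
#define REKEY_MAX_PACKETS	((uint64_t)1 << 31)

struct rekey_state {
	uint64_t	rekey_time;	/* monotonic seconds when keys were installed */
	uint64_t	rekey_interval;	/* seconds between rekeys, 0 = no time limit */
	uint32_t	block_size;	/* cipher block size in bytes, 1 = count bytes */
	uint64_t	max_blocks;	/* blocks allowed under the current keys */
	uint64_t	packets;	/* packets processed under the current keys */
	uint64_t	blocks;		/* blocks processed under the current keys */
};

/*
 * Cipher-derived data bound, modelled on RFC 4344 section 3.2: at most
 * 2^(L/4) blocks for an L-bit block cipher (2^32 blocks for a 128-bit
 * block), and 1 GiB for narrow blocks where that bound would be tiny.
 */
uint64_t
rekey_default_max_blocks(uint32_t block_size)
{
	if (block_size >= 32)		/* 2^64 would overflow: effectively unbounded */
		return UINT64_MAX;
	if (block_size >= 16)
		return (uint64_t)1 << (block_size * 2);
	if (block_size == 0)
		block_size = 1;
	return ((uint64_t)1 << 30) / block_size;
}

/* Install new keys: reset counters and derive the data limit in blocks. */
void
rekey_newkeys(struct rekey_state *st, uint64_t now, uint32_t block_size,
    uint64_t limit_bytes, uint64_t interval)
{
	st->rekey_time = now;
	st->rekey_interval = interval;
	st->block_size = block_size ? block_size : 1;
	st->packets = 0;
	st->blocks = 0;
	st->max_blocks = rekey_default_max_blocks(st->block_size);
	/* An explicit byte limit can only lower the cipher-derived bound. */
	if (limit_bytes != 0 && limit_bytes / st->block_size < st->max_blocks)
		st->max_blocks = limit_bytes / st->block_size;
}

static uint64_t
rekey_blocks_for(const struct rekey_state *st, size_t len)
{
	return ((uint64_t)len + st->block_size - 1) / st->block_size;
}

/* Account for one packet of len bytes processed under the current keys. */
void
rekey_account(struct rekey_state *st, size_t len)
{
	st->packets++;
	st->blocks += rekey_blocks_for(st, len);
}

/*
 * Decide whether to rekey before handling a packet of next_len bytes at
 * time now.  Time is tested first: it is the limit that actually bounds key
 * exposure on a quiet link, where a large byte limit may never be reached.
 */
int
rekey_needed(const struct rekey_state *st, uint64_t now, size_t next_len)
{
	/* Allow one packet per key so very small limits still make progress. */
	if (st->packets == 0)
		return 0;
	if (st->rekey_interval != 0 &&
	    st->rekey_time + st->rekey_interval <= now)
		return 1;
	if (st->packets >= REKEY_MAX_PACKETS)
		return 1;
	return st->blocks + rekey_blocks_for(st, next_len) > st->max_blocks;
}

/* Packets of pkt_len bytes a key survives before the data limit alone fires. */
uint64_t
rekey_packets_until_limit(uint64_t limit_bytes, uint32_t block_size, size_t pkt_len)
{
	struct rekey_state st;
	uint64_t n = 0;

	rekey_newkeys(&st, 0, block_size, limit_bytes, 0);
	while (!rekey_needed(&st, 0, pkt_len)) {
		rekey_account(&st, pkt_len);
		n++;
	}
	return n;
}

/* Whether the time limit alone forces a rekey after elapsed seconds (one packet sent). */
int
rekey_time_demo(uint64_t interval, uint64_t elapsed)
{
	struct rekey_state st;

	rekey_newkeys(&st, 0, 16, 0, interval);
	rekey_account(&st, 1500);
	return rekey_needed(&st, elapsed, 1500);
}

int
main(void)
{
	/* 512 MiB / 3 h from the diff, 16-byte blocks, 1500-byte packets. */
	printf("packets before 512 MiB limit: %llu\n",
	    (unsigned long long)rekey_packets_until_limit(536870912, 16, 1500));
	printf("rekey at 3 h on a quiet link: %d\n", rekey_time_demo(10800, 10800));
	return 0;
}
```

With the diff's 512 MiB limit and 16-byte blocks, the data limit fires after 356962 packets of 1500 bytes, which a busy tunnel reaches in seconds while an idle one never does; the 3-hour check is what retires the key in the idle case, which is why it is evaluated first. A byte limit of 1024 still lets exactly one packet through before demanding a rekey, so a misconfigured tiny limit degrades to constant rekeying rather than a stalled connection.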