On 2021/08/03 17:02, Vitaliy Makkoveev wrote:
> > - a 50% lower limit feels too low to me
> 
> Why? The 95% limit is too close to lifetime expiration and, as was
> exposed, we don't have enough time to perform rekeying. I also had this
> problem while testing iked(8) over a WiFi connection and this is one of
> the real-world usage cases.
Rekeying with 9-18 minutes spare out of a 180 minute lifetime seems pretty good to me. Rekeying with 72-90 minutes left of a 180 minute lifetime seems way too early. For bytes, if 10% of the byte lifetime isn't long enough to complete a rekey, that really suggests to me the lifetime is set too low, not that the jitter amount is too low.
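As an added example (not code from this thread or from iked(8)), the following C model turns a rekey window expressed as a percentage of the SA lifetime into actual headroom, for the 180-minute time lifetime discussed above and for a byte-based lifetime. The 90..95% and 50..60% windows are read off the minute figures in the reply; the 2 s retransmit timeout, 5 retries, the 1 GiB byte lifetime and the 100 Mbit/s link rate are constructed assumptions for the illustration, not iked's constants.

```c
/*
 * Added example, not code from the thread or from iked(8): a model of
 * how a rekey window expressed as a percentage of the SA lifetime turns
 * into real headroom, for time-based and byte-based lifetimes.
 * All times are in seconds.
 */
#include <stdio.h>
#include <stdint.h>

struct window {
	unsigned lo_pct;	/* earliest rekey, as % of lifetime */
	unsigned hi_pct;	/* latest rekey, as % of lifetime */
};

/*
 * Rekey starts at lifetime * pct / 100 with pct in [lo_pct, hi_pct].
 * The random offset r (0 .. hi_pct - lo_pct) is supplied by the caller
 * so results are reproducible; a daemon would draw it with
 * arc4random_uniform(hi_pct - lo_pct + 1).
 */
uint64_t
rekey_at(uint64_t lifetime, struct window w, unsigned r)
{
	if (r > w.hi_pct - w.lo_pct)
		r = w.hi_pct - w.lo_pct;
	return lifetime * (w.lo_pct + r) / 100;
}

/* Seconds between the start of the rekey and hard expiry of the SA. */
uint64_t
headroom(uint64_t lifetime, struct window w, unsigned r)
{
	return lifetime - rekey_at(lifetime, w, r);
}

/*
 * Worst-case duration of a single IKEv2 exchange when every message has
 * to be retransmitted: the initial send plus `retries` retransmits with
 * doubling timeouts. The 2 s / 5 retries used in main() are assumptions
 * for the illustration, not a statement about iked's constants.
 */
uint64_t
worst_case_exchange(uint64_t timeout, unsigned retries)
{
	uint64_t total = 0;
	for (unsigned i = 0; i <= retries; i++) {
		total += timeout;
		timeout *= 2;
	}
	return total;
}

/*
 * A byte lifetime becomes time only through the traffic rate: the last
 * (100 - hi_pct) % of the byte budget lasts this many seconds when the
 * tunnel is saturated at bytes_per_sec.
 */
uint64_t
byte_headroom_secs(uint64_t byte_lifetime, struct window w,
    uint64_t bytes_per_sec)
{
	return byte_lifetime * (100 - w.hi_pct) / 100 / bytes_per_sec;
}

/* Does a rekey scheduled at the latest point of the window still finish? */
int
rekey_fits(uint64_t headroom_secs, uint64_t exchange_secs)
{
	return headroom_secs >= exchange_secs;
}

int
main(void)
{
	const uint64_t lifetime = 180 * 60;		/* the 180 min from the thread */
	const struct window narrow = { 90, 95 };	/* 9..18 min left */
	const struct window wide = { 50, 60 };		/* 72..90 min left */
	const uint64_t wc = worst_case_exchange(2, 5);	/* assumed 2 s, 5 retries */
	/* constructed: 1 GiB byte lifetime on a saturated 100 Mbit/s link */
	const uint64_t byte_life = 1ULL << 30, rate = 12500000;

	printf("worst-case exchange: %llu s\n", (unsigned long long)wc);
	for (unsigned r = 0; r <= narrow.hi_pct - narrow.lo_pct; r++)
		printf("90..95%%  r=%u: rekey at %3llu min, %3llu min left\n", r,
		    (unsigned long long)rekey_at(lifetime, narrow, r) / 60,
		    (unsigned long long)headroom(lifetime, narrow, r) / 60);
	for (unsigned r = 0; r <= wide.hi_pct - wide.lo_pct; r += 5)
		printf("50..60%%  r=%u: rekey at %3llu min, %3llu min left\n", r,
		    (unsigned long long)rekey_at(lifetime, wide, r) / 60,
		    (unsigned long long)headroom(lifetime, wide, r) / 60);
	printf("time-based 90..95%% window fits the worst case: %s\n",
	    rekey_fits(headroom(lifetime, narrow, 5), wc) ? "yes" : "no");
	printf("1 GiB byte lifetime at 100 Mbit/s leaves %llu s: %s\n",
	    (unsigned long long)byte_headroom_secs(byte_life, narrow, rate),
	    rekey_fits(byte_headroom_secs(byte_life, narrow, rate), wc) ?
	    "fits" : "too short, raise the byte lifetime");
	return 0;
}
```

Build with `cc -std=c99 -o rekey rekey.c` and run it. With the time lifetime, even the latest point of the 90..95% window leaves 9 minutes against a worst-case exchange of about two minutes, while the byte-based case shows the other side of the reply's argument: on a saturated fast link the last 5% of a small byte lifetime is only a few seconds, which no jitter setting fixes.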