IKE, ESP, and AH security associations use secret keys to encrypt the data traffic for a limited amount of time and for a limited amount of data. This limits the lifetime of the entire security association. If the lifetime of a security association expires, a new security association needs to be established to replace the expired one. This reestablishment of security associations to take the place of ones that expire is referred to as "rekeying". Rekeying can be done for the IKE SA and also for the child (ESP or AH) SA. This feature triggers rekeying only for the Child SA.

This feature supports sequence number based rekeying, where the lifetime of the child SA is measured in terms of the sequence number of the child SA data. Sequence number based rekeying is applicable only for the 32-bit sequence number, so as to protect against the sequence number wrapping before it reaches its maximum limit of 4,293,918,720. The soft limit threshold for the sequence number-based rekey trigger is fixed at 90% of the maximum sequence number limit. This feature is not applicable to configurations that support Extended Sequence Numbers (ESN).

This feature can be activated only when the anti-replay functionality is enabled in the configuration. In StarOS, anti-replay is enabled by default.
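The following is an added example, not StarOS code, that models the trigger described above: an outbound Child SA with a 32-bit sequence counter requests a rekey once the counter crosses the fixed 90% soft limit, the trigger is suppressed when ESN is in use or anti-replay is off, and the counter is never allowed to wrap. The ChildSA structure and function names are hypothetical.

```python
"""Model of sequence-number based Child SA rekey triggering (added example)."""
from dataclasses import dataclass

# Values from the text: the 32-bit sequence number limit and the fixed 90% soft threshold.
MAX_SEQ_32BIT = 4_293_918_720
SOFT_LIMIT_PERCENT = 90
SOFT_LIMIT = MAX_SEQ_32BIT * SOFT_LIMIT_PERCENT // 100  # 3,864,526,848


@dataclass
class ChildSA:
    """Minimal outbound ESP/AH Child SA state (hypothetical model, not StarOS code)."""
    spi: int
    anti_replay: bool = True   # enabled by default on StarOS
    esn: bool = False          # extended sequence numbers; trigger not applicable when True
    seq: int = 0               # last sequence number sent
    rekey_triggered: bool = False


def seq_rekey_applicable(sa: ChildSA) -> bool:
    """The sequence-number rekey trigger applies only to 32-bit SAs with anti-replay on."""
    return sa.anti_replay and not sa.esn


def send_packet(sa: ChildSA) -> int:
    """Consume the next sequence number; request a rekey once the soft limit is crossed.

    Returns the sequence number used. Raises instead of wrapping, because a wrapped
    counter would reuse sequence numbers under the same key, which the peer's
    anti-replay window rejects.
    """
    if sa.seq >= MAX_SEQ_32BIT:
        raise RuntimeError(f"SPI {sa.spi:#x}: sequence number exhausted; SA must be replaced")
    sa.seq += 1
    if seq_rekey_applicable(sa) and sa.seq >= SOFT_LIMIT and not sa.rekey_triggered:
        sa.rekey_triggered = True  # IKE would now negotiate a replacement Child SA
    return sa.seq


def simulate(sa: ChildSA, start: int, packets: int) -> ChildSA:
    """Fast-forward the counter to `start`, then send `packets` packets."""
    sa.seq = start
    for _ in range(packets):
        send_packet(sa)
    return sa
```

With anti-replay enabled and ESN off, the rekey flag is set on the packet that reaches 3,864,526,848; with ESN on, the same traffic sets nothing, matching the applicability rules above.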