3.1.2 Timers

The following timers are used by the Authenticated Internet Protocol:<12>

  • Negotiation retransmission timer (for each main mode security association): Triggers a message retransmission by the initiator.

  • Notify retransmission timer (for each MM SA): Triggers a Notification payload retransmission.

  • Authentication retry timer (for each MM SA): Triggers the authentication retry.

  • Responder time-out timer (for each MM SA): Controls how long the responder waits for a message from the initiator.

  • MM SA lifetime (for each MM SA): The MM SA lifetime is negotiated between the peers.

  • NAT-T keep-alive timer (for each MM SA): This timer doesn't affect any MM SA state. This timer only controls sending the NAT-T keep-alive packet, as specified in [RFC3948] section 4.

  • Quick mode rekey timer (for each MM SA): This timer is used during quick mode rekey.

  • Quick mode security association (QM SA) lifetime (for each QM SA): The lifetime for QM SAs is specified in bytes or seconds. After either the byte lifetime or the time lifetime expires, the IPsec implementation MUST start a new quick mode exchange. The Authenticated Internet Protocol then acts as the initiator for the rekey.

  • Per-connection state entry timer: Every entry in the connection state table (except the TCP state entries) has its own timer. This timer triggers deletion of the connection entry state.
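The QM SA lifetime rule above (rekey as soon as either the byte limit or the time limit is consumed) modelled as a small tracker. This is an added illustration, not code from the specification or from any implementation; the class, its attribute names and the injectable `clock` parameter are assumptions made for the example.

```python
import time


class QuickModeSALifetime:
    """Tracks one QM SA's negotiated lifetime in bytes and in seconds.

    Assumed helper for illustration: names are not taken from the protocol
    specification. Either limit being reached means the implementation must
    start a new quick mode exchange, with the expiring side acting as initiator.
    """

    def __init__(self, byte_lifetime, second_lifetime, clock=time.monotonic):
        if byte_lifetime <= 0 or second_lifetime <= 0:
            raise ValueError("both lifetimes must be positive")
        self.byte_lifetime = byte_lifetime
        self.second_lifetime = second_lifetime
        self._clock = clock            # injectable for deterministic tests
        self.created_at = clock()
        self.bytes_protected = 0

    def account(self, payload_len):
        """Count traffic protected under this SA; return True if rekey is now due."""
        if payload_len < 0:
            raise ValueError("payload length cannot be negative")
        self.bytes_protected += payload_len
        return self.rekey_due()

    def rekey_due(self):
        """True once either the byte or the time lifetime has been consumed."""
        elapsed = self._clock() - self.created_at
        return (self.bytes_protected >= self.byte_lifetime
                or elapsed >= self.second_lifetime)

    def rekey_role(self):
        """Role this side takes for the new quick mode exchange, or None if not due."""
        return "initiator" if self.rekey_due() else None
```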