MKA hello timer

MKA uses a member identifier (MI) to identify each node in the CA domain.

A participant proves liveness to each of its peers by including the MI, together with an acceptably recent message number (MN), in an MKPDU.

To avoid a new participant having to respond to each MKPDU from each partner as it is received, or trying to delay its reply until it is likely that MI MN tuples have been received from all potential partners, each participant maintains and advertises both a live peers list and a potential peers list.

The live peers list includes peers that have included the participant MI and a recent MN in a recent MKPDU. The potential peers list includes all other peers that have transmitted an MKPDU that has been directly received by the participant or that were included in the live peers list of a MKPDU transmitted by a peer that has proved liveness. Peers are removed from each list when an interval of between MKA lifetime and MKA lifetime plus MKA Hello Time has elapsed since the participant's recent MN was transmitted. This time is sufficient to ensure that two or more MKPDUs will have been lost or delayed before the incorrect removal of a live peer.

Note:

The following table lists the MKA participant timer values.

Table: MKA participant timer values

Timer use

Timeout (parameter)

Timeout (parameter)

Per participant periodic transmission, initialized on each transmission on expiry

MKA Hello Time

or

MKA Bounded Hello Time

2.0

0.5

Per peer lifetime, initialized when adding to or refreshing the potential peers list or live peers list, expiry causes removal from the list

MKA Life Time

6.0

Participant lifetime, initialized when participant created or following receipt of an MKPDU, expiry causes participant to be deleted

Delay after last distributing a SAK, before the key server distributes a fresh SAK following a change in the live peers list while the potential peers list is still not empty