Paul Hoffman writes:
> Section 2.4 says "If Child SAs can fail independently from one
> another without the associated IKE SA being able to send a delete
> message, then they MUST be negotiated by separate IKE SAs". It is
> not clear what this means. Does it apply to implementations?

Yes.

> If so, how can an implementation know whether or not the first
> clause is true?

The implementor should know that. I.e. if the IPsec SAs are divided among
multiple crypto chips, and those chips can fail independently causing
all IPsec SAs on that chip to disappear but leaving IPsec SAs on other
chips intact, then those groups of IPsec SAs cannot be negotiated with
the same IKE SA.

> I propose removing the sentence, or greatly clarifying it.

For me the current text is very clear, and I do not see how we can
clarify it greatly. This issue usually only affects implementations where
there are multiple subsystems which can fail independently from each
other. If the only failure model is that the whole device
crashed/rebooted, etc., then this text does not apply, as all IPsec SAs
(and IKE SAs) disappear at the same time.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec