>> I propose removing the sentence, or greatly clarifying it.
>
> For me the current text is very clear, and I do not see how we can
> clarify greatly. This issue usually only affects implementations where
> there are multiple subsystems which can fail independently from each
> other. If the only failure model is that the whole device
> crashed/rebooted etc then this text does not apply, as all IPsec SAs
> (and IKE SAs) disappear at the same time.

I disagree with Tero's statement that the text is very clear; I never understood exactly what the statement meant until I read the example that Tero provided. Based on that, I would at least recommend changing the text as follows:

    If sets of Child SAs can fail independently from one another without the associated IKE SA being able to send a delete message, then each set of Child SAs MUST be negotiated by separate IKE SAs.

It might even be appropriate to add Tero's example:

    For example, if sets of IPsec SAs are associated with different crypto chips, and each chip can fail independently, causing all IPsec SAs associated with the chip to disappear, then each set of IPsec SAs should be negotiated with a different IKE SA.

Dave Wierbowski