David Wierbowski writes:
> I don't think we need to mandate how a particular situation should be
> handled.  That is up to the implementer.  The implementer just needs to
> know that there is a rule that states the it is not for some child SAs
> stay up when the IKE_SA disappears.  I think the existing text could be
> deleted.

But the existing text is the text which gives this rule, or at least
tries to. I.e. it tries to say that if an implementation cannot guarantee
that all Child SAs and IKE SAs stay up together, then you cannot
negotiate all those Child SAs using the same IKE SA.

The same can partially be seen from the:

  Receipt of a fresh cryptographically protected message on an IKE SA
  or any of its Child SAs ensures liveness of the IKE SA and all of
  its Child SAs.

text, but some people might be missing the point that ALL Child SAs
and corresponding IKE SAs must stay up together.
-- 
kivi...@iki.fi