>Do you think it is legal to create a system where one Child SA can
>fail in such a way that the IKE SA cannot send a delete notification?

I do not think a robust IKE implementation would allow this.

>
>The current text says it is not legal, but your replacement text
>allows it.

The current bis text is:
   If a system creates Child SAs that can fail independently from one
   another without the associated IKE SA being able to send a delete
   message, then the system MUST negotiate such Child SAs using separate
   IKE SAs.

This text also does not prevent the above.  It just says how the
children can be created.  It says nothing about what happens when
they fail.

>
>I do not think such a setup should be allowed. I.e. if any of the Child
>SAs or the associated IKE SA fail in such a way that a delete
>notification cannot be sent, then all the Child SAs AND the IKE SA
>need to be destroyed.

Then say that.  Say if a Child SA fails and a delete notification
cannot be sent then the IKE SA must be deleted.  Personally, I think
you change how you interpret the sentence each time you respond, which
just echoes Paul's original point, that the text is not clear.

Dave Wierbowski





_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
