[IPsec] Some back-of-the-envelope calculations

2010-07-26 Thread Yoav Nir
In today's session there was a disagreement between Yaron and Tero about how likely it is that messages are missing. Let's assume our cluster has tunnels with 10,000 peers, and that we do Liveness Check (DPD) every 20 seconds (StrongSwan default). Also, let's assume that we synch every 0.1 seco

[IPsec] draft-ietf-msec-ipsec-group-counter-modes-05.txt

2010-07-26 Thread Brian Weis
Greetings, This draft was mentioned in the IPSECME session today. It describes a strategy for safely sharing an IPsec SA between multiple senders when the SA includes a block cipher counter mode. It has been suggested that strategy may be useful for cluster members sharing this kind of SA

Re: [IPsec] Comments draft-kagarigi-ipsecme-ikev2-windowsync-04

2010-07-26 Thread Tero Kivinen
Yoav Nir writes: > I agree that the draft in its current form glosses over the fact > that the missing IKE exchanges did something, like setting up a > child SA, or tearing one down. I don't believe there is any way you > can set up a cluster so that this never ever happens. You can make > it rare,