At 11:36 AM +0300 5/27/10, Yoav Nir wrote:
How about the following text?
3.8 Allocation of SPIs
SPIs for child and IKE SAs MUST be unique with the same peer. However, in
a cluster, both members may create SAs and assign SPIs to them, so a
collision is possible. We believe that peers should not be required to
accept duplicate SPIs for different SAs, and that this needs to be
prevented by the cluster members by some out-of-scope method.
Yoav
The text above seems rather indirect. How about:
3.8 Allocation of SPIs
The SPI associated with each child SA, and with each IKE SA, MUST be
unique relative to the peer of the SA. Thus, in the context of a
cluster, each cluster member MUST generate SPIs in a fashion that
avoids collisions (with other cluster members) for these SPI values.
The means by which cluster members achieve this requirement is a local
matter, outside the scope of this document.
Steve
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
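
One way a cluster could meet the requirement in the proposed section 3.8 text, as an added example that is not from the thread or the draft: each member places its own index in the top bits of every SPI it generates, so two members can never produce the same value. The class and function names, the `member_bits` width and the peer address are assumptions made for illustration; the thread leaves the method to the implementation.

```python
import secrets

CHILD_SPI_BITS = 32   # ESP/AH SPI width
IKE_SPI_BITS = 64     # IKEv2 IKE SA SPI width
CHILD_SPI_MIN = 256   # ESP/AH values 0..255 are reserved (RFC 4303)
IKE_SPI_MIN = 1       # an IKE SPI the member chooses must be non-zero


class MemberSpiAllocator:
    """Hypothetical allocator: top `member_bits` of each SPI hold the member index."""

    def __init__(self, member_index, member_bits=2):
        if not 0 <= member_index < (1 << member_bits):
            raise ValueError("member_index does not fit in member_bits")
        self.member_index = member_index
        self.member_bits = member_bits
        self._in_use = {}  # (peer, width) -> SPIs this member has live

    def _allocate(self, peer, width, minimum):
        low_bits = width - self.member_bits
        prefix = self.member_index << low_bits
        live = self._in_use.setdefault((peer, width), set())
        while True:
            spi = prefix | secrets.randbits(low_bits)
            # Reject reserved values and this member's own live SPIs for the peer.
            if spi >= minimum and spi not in live:
                live.add(spi)
                return spi

    def new_child_spi(self, peer):
        return self._allocate(peer, CHILD_SPI_BITS, CHILD_SPI_MIN)

    def new_ike_spi(self, peer):
        return self._allocate(peer, IKE_SPI_BITS, IKE_SPI_MIN)

    def release(self, peer, width, spi):
        self._in_use.get((peer, width), set()).discard(spi)


def owning_member(spi, width, member_bits=2):
    """Recover which member generated an SPI, e.g. to steer inbound traffic."""
    return spi >> (width - member_bits)
```

Because the partition is fixed, members need no run-time coordination; the cost is that each member draws from a smaller random space (30 bits for child SAs with the default `member_bits=2`).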