Hi,

we have had a good deal of discussion of the HA solution at the
Maastricht meeting and during the following weeks. Now, with my co-chair
hat on, I'd like to suggest a way forward that I believe is in sync (bad
pun intended) with the WG consensus.

I propose that version -01 of the draft should resolve the following 3
issues (and if possible, no others):

* Separate negotiation of synchronization of the IKE SA counters vs.
  the IPsec SA counters. IPsec counter sync should work even when
  used with a "normal" IKE exchange (non-zero Message ID).
* A scalable solution for the IPsec counter sync: send a delta
  value that applies to all (incoming) child SAs, instead of sending
  one value per child SA.
* The replay issue that Tero identified at the meeting.

If this is NOT in line with the group's consensus, or if I missed
something big, let me know.

Thanks,
Yaron