Hello everybody:

During the discussion of the HA solution draft, we realized there may still be some issues we have to carefully consider in the design of the synchronization solution for IPsec replay counters.

1. Whether a cluster member needs to send the delta increment of the *outgoing* SAs or just unilaterally increments its counters.
2. How the user can calculate the delta increment of its *outgoing* SAs? To find out a proper delta increment value, the user may have to know when the last synchronization between cluster members was undertaken so as to reason how many packets it has sent out using every SA. However, there is no such discussion in the draft.

So, what do you think of it?

BR

Dacheng

On 11/09/2010 09:51 PM, Yoav Nir wrote:
> I think so, but I also think that this deserves an issue.
>
> On Nov 9, 2010, at 6:42 PM, Yaron Sheffer wrote:
>
> > Hi Dacheng, Yoav,
> >
> > Now I'm confused myself. It seems to me that instead of sending the
> > delta value of the outgoing replay counter, we should have sent the
> > requested delta increment of the *incoming* SAs. The cluster doesn't
> > need any signaling for its outgoing ESP traffic, it can just
> > unilaterally increment its counters. What do you think?
> >
> > Thanks,
> > Yaron
> >
> >
> > On 11/09/2010 05:07 PM, zhangdacheng 00133208 wrote:
> >> Hi, Yaron:
> >>
> >> I feel a little confused on a problem and hope to get your help. My
> >> question is how a user knows the delta of the outgoing counter value. I
> >> can understand that a new active member knows the time period between
> >> the last synchronization and the occurrence of the failure so that it
> >> can estimate how many packets the previous member has sent during the
> >> period and how big a delta value should be. However, a user does not
> >> have such knowledge. How can it find out how much the incoming counter
> >> of the cluster member should increase?
> >>
> >> Cheers
> >>
> >> Dacheng
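
As an added illustration of the point raised in this thread (not part of any message, and not code from the draft): a simplified receiver-side ESP anti-replay window shows why a new active member can move its outgoing sequence number forward without signaling, as long as the jump covers the packets sent since the last synchronization. The window size, counter values and all names below are assumptions constructed for this example.

```python
WINDOW = 64  # assumed anti-replay window size (constructed for this example)


class ReplayWindow:
    """Simplified receiver-side anti-replay check: sliding bitmap over sequence numbers."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq > self.top:
            # Ahead of the window: acceptable however large the gap; slide forward.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False  # already seen: dropped as a replay
        self.bitmap |= 1 << offset
        return True


def failover(synced_seq, sent_since_sync, delta, burst=5):
    """Return the peer's verdicts on the first packets sent after a failover.

    synced_seq      -- outgoing counter value at the last synchronization
    sent_since_sync -- packets the failed member sent afterwards (unknown to the new member)
    delta           -- amount the new active member adds to the synced counter
    """
    peer = ReplayWindow()
    # Traffic from the previously active member, all of it seen by the peer.
    for seq in range(1, synced_seq + sent_since_sync + 1):
        peer.accept(seq)
    # The new active member only knows synced_seq and resumes past synced_seq + delta.
    start = synced_seq + delta + 1
    return [peer.accept(seq) for seq in range(start, start + burst)]


if __name__ == "__main__":
    print("no increment:   ", failover(1000, 200, 0))
    print("delta too small:", failover(1000, 200, 180))
    print("delta covers it:", failover(1000, 200, 500))
```
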
