Yoav Nir writes:
> As a general principle, yes. But the HA extension already assumes
> that due to the failover, there is some discrepancy. The easy way
> out would be to write a protocol extension that just detects this
> discrepancy and kills the IKE SA. But that would mean a lot of IKE
> SA setups following a fail-over.

I do not think we need such a protocol.

> So in the context of the HA extension, we are willing to live with
> some unsynchronized state, and try to let it take care of itself.

I agree on the first step, but I would rather like to see some text explaining how they are taken care of. I do not think we can assume the "problem takes care of itself".

> So the question is, if the peer already does not have the IPsec SA,
> does it add any information for us to send it a DELETE?

In the IKEv2 context it is mandatory, but in the high availability IKEv2 context we can specify whatever we want; we just need to specify what we want.

--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
