On Mar 5, 2014, at 11:07 PM, Tero Kivinen <[email protected]> wrote:

> In section 2 it says:
>
>    Note that IKEv2 and IPsec session do not need to be on the same node
>    as IKEv2 and IPsec context are different.
>
> This is not so easy. The RFC5996 says:
>
> ----------------------------------------------------------------------
> 2.4. State Synchronization and Connection Timeouts
> ...
>    An implementation needs to stop sending over any SA if
>    some failure prevents it from receiving on all of the associated SAs.
>    If a system creates Child SAs that can fail independently from one
>    another without the associated IKE SA being able to send a delete
>    message, then the system MUST negotiate such Child SAs using separate
>    IKE SAs.
> ----------------------------------------------------------------------
>
> I.e. if any of the IPsec SAs fails, then all of the IPsec SAs created
> using the same IKE SA, and the IKE SA itself, must also fail. If the
> IPsec SAs and the IKE SA are on separate nodes, that does set up new
> kinds of requirements for those nodes. I.e. if the node holding the
> IPsec SAs fails, the node holding the IKE SA needs to detect this and
> send a delete notification for each IPsec SA that was on that node.
> Also, if the node holding the IKE SA fails, then all the IPsec SAs
> associated with that IKE SA must stop sending, i.e. they need to be
> destroyed.
Tero's comment nails the concern I had when reading the document. IKEv2 ties Child SAs to their parent SA, and using the context of one without the other seems dangerous.

--Paul Hoffman

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
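The two failure cases Tero lists, worked through as a small model. This is an added example, not code from the draft under discussion or from any IKEv2 implementation. It assumes one IKE SA held on an "IKE node" with Child SAs hosted on other "IPsec nodes", and that the IKE node keeps a set of IPsec nodes whose failure it can actually detect (the `monitored` set is an assumption of the model, not anything in RFC 5996). The Delete payload body follows RFC 5996 section 3.11 (Protocol ID, SPI Size, Num of SPIs, SPIs); the generic payload header in front of it is left out. All SPIs and node names are constructed for the demo.

```python
"""Model of RFC 5996 section 2.4 state synchronization for an IKE SA whose
Child SAs live on other nodes. Added example; not the draft's or any
implementation's code."""
import struct
from dataclasses import dataclass, field

# Protocol IDs carried in the Delete payload (RFC 5996 section 3.11).
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3


@dataclass
class ChildSA:
    spi: int            # our inbound SPI; that is what a Delete announces to the peer
    node: str           # node holding the IPsec context (model assumption)
    proto: int = PROTO_ESP
    sending: bool = True


@dataclass
class IkeSA:
    node: str                                      # node holding the IKE context
    children: list = field(default_factory=list)
    monitored: set = field(default_factory=set)    # IPsec nodes whose failure this node can detect (assumption)
    alive: bool = True


def build_delete_payload(proto, spis):
    """Encode the body of an IKEv2 Delete payload (RFC 5996 section 3.11):
    Protocol ID (1 octet), SPI Size (1), Num of SPIs (2), then the SPIs.
    Deleting the IKE SA itself carries SPI Size 0 and Num of SPIs 0."""
    if proto == PROTO_IKE:
        return struct.pack("!BBH", PROTO_IKE, 0, 0)
    body = struct.pack("!BBH", proto, 4, len(spis))   # AH/ESP SPIs are 4 octets
    return body + b"".join(struct.pack("!I", spi) for spi in spis)


def check_separate_ike_sas(ike):
    """The MUST in section 2.4: Child SAs that can fail independently without
    the IKE SA being able to send a Delete must be negotiated under separate
    IKE SAs. In this model a Child SA on a remote node the IKE node does not
    monitor is exactly that case. Returns the offending nodes (empty = ok)."""
    return sorted({c.node for c in ike.children
                   if c.node != ike.node and c.node not in ike.monitored})


def on_ipsec_node_failure(ike, failed_node):
    """Case 1: an IPsec node is gone and the IKE node detected it. Every
    Child SA hosted there stops sending, and one Delete payload per protocol
    listing their SPIs is returned for the INFORMATIONAL exchange to the peer."""
    if not ike.alive:
        raise RuntimeError("IKE SA is gone; nothing can be signalled")
    lost = [c for c in ike.children if c.node == failed_node and c.sending]
    by_proto = {}
    for c in lost:
        c.sending = False
        by_proto.setdefault(c.proto, []).append(c.spi)
    return [build_delete_payload(p, s) for p, s in sorted(by_proto.items())]


def on_ike_node_failure(ike):
    """Case 2: the IKE node is gone. No Delete can be sent any more, so the
    IPsec nodes must stop sending on every Child SA tied to that IKE SA.
    Returns how many SAs were stopped."""
    ike.alive = False
    stopped = [c for c in ike.children if c.sending]
    for c in stopped:
        c.sending = False
    return len(stopped)


def demo():
    """Constructed scenario: IKE SA on ike-1, two ESP Child SAs on ipsec-a and
    one on ipsec-b; ike-1 can only detect failures of ipsec-a."""
    ike = IkeSA(node="ike-1", monitored={"ipsec-a"})
    ike.children = [ChildSA(0x1000, "ipsec-a"), ChildSA(0x1001, "ipsec-a"),
                    ChildSA(0x2000, "ipsec-b")]
    unmonitored = check_separate_ike_sas(ike)         # ipsec-b needs its own IKE SA
    deletes = on_ipsec_node_failure(ike, "ipsec-a")   # one ESP Delete, two SPIs
    still_sending = [c.spi for c in ike.children if c.sending]
    stopped = on_ike_node_failure(ike)                # the remaining SA stops too
    return unmonitored, deletes, still_sending, stopped


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: with the IKE context on one node and the IPsec contexts on others, the IKE node needs a liveness signal from every IPsec node (or a separate IKE SA per such node) before the MUST in section 2.4 is satisfied, and the IPsec nodes need a signal from the IKE node so they can stop on their own when it disappears.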
