Re: [IPsec] Working Group LC: draft-ietf-ipsecme-ipsec-ha-03

Yoav Nir <ynir@checkpoint.com> Thu, 27 May 2010 08:36 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: 'Jean-Michel Combes' <jeanmichel.combes@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 27 May 2010 11:36:24 +0300
Cc: IPsecme WG <ipsec@ietf.org>

How about the following text?

3.8  Allocation of SPIs
   SPIs for child and IKE SAs MUST be unique with the same peer. However, in
   a cluster, both members may create SAs and assign SPIs to them, so a 
   collision is possible. We believe that peers should not be required to
   accept duplicate SPIs for different SAs, and that this needs to be 
   prevented by the cluster members by some out-of-scope method.

Yoav

-----Original Message-----
<snip/>

3.  The Problem Statement

<JMC>
I didn't see anything about potential collisions (e.g. SPI for a
specific SA on a member of the cluster is already used on another
member) during a failover: is such an issue out of scope?
<JMC>

<snip/>
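
The proposed section 3.8 text leaves the collision-prevention method out of scope. One possible method, partitioning the SPI space by cluster member, is sketched below as an added example; it is not part of the original message or of the draft. The names `SpiAllocator`, `cluster_collisions`, `member_bits` and `failover_conflicts` are hypothetical, and the 12-bit SPI space in the simulation is constructed so that collisions show up in a small run.

```python
import secrets

RESERVED_MAX = 255  # SPI values 0-255 are reserved (RFC 4303); never hand them out


class SpiAllocator:
    """Inbound child-SA SPI allocator for one cluster member (hypothetical).

    member_bits=0 models members allocating independently; member_bits>0
    puts the member id in the top bits so members draw from disjoint ranges.
    """

    def __init__(self, member_id=0, member_bits=0, spi_bits=32):
        if not 0 <= member_id < (1 << member_bits):
            raise ValueError("member_id does not fit in member_bits")
        self.member_id = member_id
        self.local_bits = spi_bits - member_bits
        self.in_use = set()

    def allocate(self):
        # Random low bits, fixed member prefix; retry on reserved or used values.
        while True:
            low = secrets.randbits(self.local_bits)
            spi = (self.member_id << self.local_bits) | low
            if spi > RESERVED_MAX and spi not in self.in_use:
                self.in_use.add(spi)
                return spi

    def failover_conflicts(self, synced_spis):
        """SPIs synced from a failed member that this member already uses."""
        return self.in_use & set(synced_spis)


def cluster_collisions(member_bits, sas_per_member=300, spi_bits=12):
    """Two members each create SAs toward the same peer; return colliding SPIs.

    spi_bits is shrunk to 12 (constructed, not realistic) so the birthday
    effect is visible; real ESP/AH SPIs are 32 bits.
    """
    a = SpiAllocator(0, member_bits, spi_bits)
    b = SpiAllocator(1 if member_bits else 0, member_bits, spi_bits)
    for _ in range(sas_per_member):
        a.allocate()
        b.allocate()
    # What member a would find if member b failed and its SAs were synced over.
    return a.failover_conflicts(b.in_use)
```

With `member_bits=0` the two members collide on some SPIs at failover; with `member_bits=1` the returned set is always empty because the ranges are disjoint.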