|Main Archive Page > Month Archives > ipsec archives|
How about the following text?
3.8 Allocation of SPIs
SPIs for child and IKE SAs MUST be unique with the same peer. However, in
a cluster, both members may create SAs and assign SPIs to them, so a
collision is possible. We believe that peers should not be required to
accept duplicate SPIs for different SAs, and that this needs to be
prevented by the cluster members by some out-of-scope method.
3. The Problem Statement
I didn't see anything about potential collisions (e.g. SPI for a
specific SA on a member of the cluster is already used on another
member) during a failover: is such an issue out of scope?
IPsec mailing list