At 11:36 AM +0300 5/27/10, Yoav Nir wrote:
>How about the following text?
>3.8 Allocation of SPIs
> SPIs for child and IKE SAs MUST be unique with the same peer. However, in
> a cluster, both members may create SAs and assign SPIs to them, so a
> collision is possible. We believe that peers should not be required to
> accept duplicate SPIs for different SAs, and that this needs to be
> prevented by the cluster members by some out-of-scope method.
The text above seems rather indirect. How about:
3.8 Allocation of SPIs
The SPI associated with each child SA, and with each IKE SA, MUST be
unique relative to the peer of the SA. Thus, in the context of a
cluster, each cluster member MUST generate SPIs in a fashion that
avoids collisions (with other cluster members) for these SPI values.
The means by which cluster members achieve this requirement is a local
matter, outside the scope of this document.
IPsec mailing list