Thanks for the extensive review, Tero.

I haven't had time to read it through yet, but I would like to respond to one 
point in this (below).

On Jul 25, 2010, at 4:30 PM, Tero Kivinen wrote:

> The big issue is that the draft does not provide solution to case
> where the IKEv2 SA messages missed actually did something. It seems to
> completely assume that all IKEv2 SA messages are DPD messages meaning
> it does not matter if we processed them or not, and because of that
> only syncs the message IDs and not what was done using those messages.

I agree that the draft in its current form glosses over the fact that the 
missing IKE exchanges did something, like setting up a child SA, or tearing one 
down. I don't believe there is any way you can set up a cluster so that this 
never ever happens. You can make it rare, but not completely eliminate it.

When this does happen, we have two things we might prescribe. We can detect 
this and delete the IKE SA along with all associated child SAs, or we can try 
to recover. draft-kagarigi-ipsecme-ikev2-windowsync takes the latter way.

To get recovery actually working we need some more "stuff". We need to accept 
this case of mis-matched states between peers, and work towards making them 
better matched, by allowing an implementation to inform its peer that the SA 
that it is using is unknown - an obvious thing is to send an INVALID_SPI notify in 
an INFORMATIONAL exchange, or maybe add a DELETE_ALL_CHILDREN notification. The 
draft will need text that discusses how this actually converges in a matched 
IKE SA.

It should be noted (in the draft!) that this changes some assumptions about 
IKEv2 state. 

Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
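The two-step recovery discussed in this message (first bring the IKEv2 Message IDs back into agreement, then let each side discover child SAs the other no longer knows about and delete them via INVALID_SPI notifications in INFORMATIONAL exchanges) can be modelled as a small simulation. The code below is an added illustration written for this thread; it is not code from draft-kagarigi-ipsecme-ikev2-windowsync or from any IKEv2 implementation, and the endpoint names (A1, A2, B), SPI values and the `window_sync` logic are constructed stand-ins for whatever the draft actually specifies on the wire.

```python
"""Simplified model of a cluster failover that loses IKEv2 exchanges, followed by
Message-ID window sync and child-SA reconciliation.  Constructed illustration only:
not the draft's mechanism, not a real IKEv2 stack."""

from dataclasses import dataclass, field


@dataclass
class IkeEndpoint:
    name: str
    send_id: int = 0      # next request Message ID this side will send
    recv_id: int = 0      # next request Message ID expected from the peer
    child_sas: dict = field(default_factory=dict)   # SPI -> description
    log: list = field(default_factory=list)

    def snapshot(self, name):
        """State as a standby cluster member would receive it at replication time."""
        return IkeEndpoint(name, self.send_id, self.recv_id, dict(self.child_sas), [])


def run_exchange(initiator, responder, action):
    """One IKEv2 request/response pair processed by both sides; action mutates both."""
    assert initiator.send_id == responder.recv_id, "Message IDs out of sync"
    initiator.send_id += 1
    responder.recv_id += 1
    action(initiator, responder)


def create_child(spi, desc):
    def action(a, b):
        a.child_sas[spi] = desc
        b.child_sas[spi] = desc
    return action


def delete_child(spi):
    def action(a, b):
        a.child_sas.pop(spi, None)
        b.child_sas.pop(spi, None)
    return action


def notify_invalid_spi(spi):
    """INVALID_SPI carried in an INFORMATIONAL exchange: the receiver drops the SA."""
    def action(sender, receiver):
        sender.log.append(f"{sender.name} -> {receiver.name}: INVALID_SPI {spi:#010x}")
        receiver.child_sas.pop(spi, None)
    return action


def window_sync(stale, peer):
    """Step 1 (the part the draft covers): agree on Message IDs.  The stale member
    can only be behind, so each counter takes the larger value.  Assumed behaviour,
    not the draft's wire format."""
    stale.send_id = max(stale.send_id, peer.recv_id)
    stale.recv_id = max(stale.recv_id, peer.send_id)
    peer.recv_id = stale.send_id
    peer.send_id = stale.recv_id


def reconcile_children(a, b):
    """Step 2 (what this thread argues is still missing): whichever side is asked
    to use an SPI it does not know answers INVALID_SPI, and the other side deletes
    that child SA.  Repeats until both hold the same set; returns exchange count."""
    exchanges = 0
    while set(a.child_sas) != set(b.child_sas):
        for known, other in ((a, b), (b, a)):
            for spi in sorted(set(known.child_sas) - set(other.child_sas)):
                run_exchange(other, known, notify_invalid_spi(spi))
                exchanges += 1
    return exchanges


def failover_scenario():
    """Constructed scenario: active member A1 talks to peer B, standby A2 is
    replicated once, then A1 runs more exchanges and crashes."""
    a1, b = IkeEndpoint("A1"), IkeEndpoint("B")
    run_exchange(a1, b, create_child(0x1001, "subnet-1"))
    run_exchange(b, a1, create_child(0x1002, "subnet-2"))
    a2 = a1.snapshot("A2")                         # last replication before the crash
    # Exchanges A2 never sees: one child created, one torn down, two DPD keepalives.
    run_exchange(a1, b, create_child(0x1003, "subnet-3"))
    run_exchange(b, a1, delete_child(0x1001))
    run_exchange(a1, b, lambda x, y: None)         # DPD: no state change
    run_exchange(b, a1, lambda x, y: None)
    # A1 dies; A2 takes over with stale Message IDs and a stale child-SA set.
    before = (set(a2.child_sas), set(b.child_sas))
    window_sync(a2, b)
    exchanges = reconcile_children(a2, b)
    return {
        "before": before,
        "after": (set(a2.child_sas), set(b.child_sas)),
        "ids_match": a2.send_id == b.recv_id and a2.recv_id == b.send_id,
        "informational_exchanges": exchanges,
        "notifications": a2.log + b.log,
    }


if __name__ == "__main__":
    for key, value in failover_scenario().items():
        print(f"{key}: {value}")
```

Note that window sync alone leaves A2 believing in SPI 0x1001 (which B deleted) and unaware of 0x1003 (which B created); only the second step converges both sides on the common set, and it costs one INFORMATIONAL exchange per orphaned SA, so a DELETE_ALL_CHILDREN-style notification would trade that per-SA cost for a full re-negotiation.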