Scott,
I agree that there is a relationship between sections 9.2 and 9.4. The
statement that "all members MUST be able to tell whether a particular IKE
SA is active anywhere in the cluster" which is found in 9.2 is consistent
with my comment that "the algorithms in 5.1 and 5.2 should not be used in
Combining the two sections could also make it clearer that 5.2/9.4 may not
be a "complete" solution for any given environment. The approach of
5.2/9.4 solves the problem of an independent attacker using a different
source IP address, but not a proximate/MitM attacker as is currently
addressed in