Hi,

I have a slight preference for keeping the protocol symmetric. But even if we 
choose not to do that, I think Tero's text (quoted below) leaves too much room 
for interpretation.

---
7.  Use of the Redirect Mechanism between IKEv2 Peers

   The Re-direct mechanism described in this document is mainly intended
   for use in client-gateway scenarios.  However, the mechanism can also
   be used between any two IKEv2 peers, but this protocol is
   asymmetric, meaning that only the responder can redirect initiator
   to some other server.
---

The protocol supports using an Informational exchange for redirect at any time 
during the SA lifetime, and this is inherently symmetric. And of course, 
following an IKE SA rekey, the initiator/responder roles might change. If we go 
for the restricted option, the new text should cover both of these issues.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Vijay Devarapalli
> Sent: Friday, March 06, 2009 3:26
> To: pasi.ero...@nokia.com
> Cc: ipsec@ietf.org; rfgrave...@gmail.com
> Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-ikev2-redirect-04
> 
> Hi Pasi,
> 
[snip]
> 
> > - Section 7: I'm a bit skeptical if this actually works. The rest of
> > the document certainly does not describe how it would work, and in
> > many places, assumes the client-gateway case (e.g. Section 6.1 says
> > REDIRECT_SUPPORTED is only sent in initial IKE_SA_INIT request, so the
> > responder can't actually tell the initiator it supports this feature,
> > etc.)
> 
> I am fine with restricting the scope as Tero suggested. My interest
> has always been in client-gateway scenarios anyway. I am cc'ing Rich
> Graveman who wanted this feature. Rich?
> 
> Vijay
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> Scanned by Check Point Total Security Gateway.