Hi, I have a slight preference for keeping the protocol symmetric. But even if we choose not to do that, I think Tero's text (quoted below) leaves too much room for interpretation.

---
7. Use of the Redirect Mechanism between IKEv2 Peers

The Re-direct mechanism described in this document is mainly intended for use in client-gateway scenarios. However, the mechanism can also be used between any two IKEv2 peers, but this protocol is asymmetric, meaning that only the responder can redirect initiator to some other server.
---

The protocol supports using an Informational exchange for redirect at any time during the SA lifetime, and this is inherently symmetric. And of course, following an IKE SA rekey, the initiator/responder roles might change. If we go for the restricted option, the new text should cover both of these issues.

Thanks,
Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Vijay Devarapalli
> Sent: Friday, March 06, 2009 3:26
> To: pasi.ero...@nokia.com
> Cc: ipsec@ietf.org; rfgrave...@gmail.com
> Subject: Re: [IPsec] WG Last Call: draft-ietf-ipsecme-ikev2-redirect-04
>
> Hi Pasi,
>
> [snip]
>
> > - Section 7: I'm a bit skeptical if this actually works. The rest of
> > the document certainly does not describe how it would work, and in
> > many places, assumes the client-gateway case (e.g. Section 6.1 says
> > REDIRECT_SUPPORTED is only sent in initial IKE_SA_INIT request, so the
> > responder can't actually tell the initiator it supports this feature,
> > etc.)
>
> I am fine with restricting the scope as Tero suggested. My interest
> has always been in client-gateway scenarios anyway. I am cc'ing Rich
> Graveman who wanted this feature. Rich?
>
> Vijay
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec