pasi.ero...@nokia.com wrote:
> Vijay Devarapalli wrote:
>
> > I don't agree with the restriction that the original gateway and the
> > new gateway should have the same IDr. That is too restrictive. For
> > example, it should be possible for gw1 to redirect the client to
> > gw2, with the two gateways having two distinct FQDNs.

> Right... but if the client does not have a PAD entry for gw2's IDr,
> then the IKE negotiation will fail. (I guess we're not considering
> updating the PAD based on REDIRECTs.)

That's exactly what I am suggesting. :)

This would be similar to a Mobile IPv6 mobile node creating a PAD entry for the home agent that it discovers using IETF-standardized mechanisms. I don't think we should require a Mobile IPv6 mobile node or a VPN client or a 3GPP client that uses I-WLAN and discovers a PDG [*] to have PAD entries configured beforehand for all the home agents/gateways/PDGs that it might attach to.

(* Apologies for using 3GPP terminology in the above. Pasi knows what I am talking about. If anyone wants to know more about this, please let me know. You might regret it later though. :)

> (BTW, note that "having same IDr" is not exactly the same thing as
> "having same FQDN" -- gw1.example.com and gw2.foobar.example are
> clearly distinct FQDNs from a DNS point of view, but they might or might
> not be distinct "principals" from an IPsec PAD point of view.)

If you put the FQDN in the PAD entry, you do have an issue, right?

> > It is okay with me to recommend similar authentication mechanisms
> > for the original and new gateways. But I would prefer not to use a
> > 'MUST' here.

> I think this needs to be phrased in terms of the RFC 4301 PAD (and possibly the "selecting right peer for SA function").

Ok. Once we agree on a way forward, I can propose some text.

Vijay
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
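An added example, not code from the thread or from any IKEv2 implementation: a toy model of the RFC 4301 PAD lookup that a redirected client runs into. It assumes FQDN IDs only, a constructed "*.suffix" wildcard convention for entries that cover several gateways, and a hypothetical learn_from_redirect() that applies the suggestion above of adding a PAD entry for the new gateway that inherits the original gateway's authentication requirements.

```python
"""Toy RFC 4301 PAD model for the IKEv2 redirect case (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PadEntry:
    # Only FQDN IDs are modelled. A leading "*." means suffix match
    # (one entry covering gw1.example.com and gw2.example.com alike);
    # anything else is an exact match against the peer's IDr.
    id_pattern: str
    auth_method: str  # constructed value, e.g. "rsa-sig"

    def matches(self, idr: str) -> bool:
        idr = idr.lower().rstrip(".")
        pat = self.id_pattern.lower().rstrip(".")
        if pat.startswith("*."):
            return idr.endswith(pat[1:]) and idr != pat[2:]
        return idr == pat


class Pad:
    def __init__(self, entries):
        self.entries = list(entries)

    def lookup(self, idr: str) -> Optional[PadEntry]:
        # First matching entry wins; None means IKE_AUTH cannot succeed.
        return next((e for e in self.entries if e.matches(idr)), None)

    def learn_from_redirect(self, redirecting_idr: str,
                            new_idr: str) -> Optional[PadEntry]:
        # Hypothetical policy: only an already-authorized gateway may
        # introduce a new one, and the new entry inherits its auth method.
        src = self.lookup(redirecting_idr)
        if src is None:
            return None
        existing = self.lookup(new_idr)
        if existing is not None:
            return existing
        entry = PadEntry(new_idr, src.auth_method)
        self.entries.append(entry)
        return entry


def redirect_outcome(pad: Pad, original_idr: str, new_idr: str,
                     learn: bool) -> str:
    """'ok' if the client can authorize the new gateway, else 'fail'."""
    if learn and pad.lookup(new_idr) is None:
        pad.learn_from_redirect(original_idr, new_idr)
    return "ok" if pad.lookup(new_idr) is not None else "fail"
```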
