Paul Hoffman writes:
> >I think the REDIRECT mechanism is of limited use if you can only
> >redirect to another gateway for which the mobile node already has a
> >PAD entry. 
> 
> Hmm. That was not clear to me from the document, but I could have
> missed it. What do others think about this statement? 

I didn't get that from the draft. The current draft does not mention
anything about the PAD, and doing dynamic updates to the PAD (or SPD) is
something that must be explicitly mentioned if such things are
supposed to happen, as they have lots of security implications
(overwriting existing rules, the location at which dynamic rules are added
in the ordered PAD/SPD, and what information exactly is put there).

On the other hand, I do not think the REDIRECT mechanism will be of that
limited use, even if the PAD entries must be configured.

The mobile node requires a PAD entry for the first gateway anyway, and
that PAD entry can identify a group of peers instead of that one peer
and provide authentication data for each peer (for example, say that
they are authenticated using certificates signed by CA X).

Depending on the configuration this can still be done quite easily.
An example could be that the PAD defines that the ID must be *.sgw.example.com.
and the peer must authenticate itself using a certificate signed by CA X. Then
the first gateway can provide the ID sgw1.sgw.example.com and redirect the
client to a server, which will then use the ID sgw2.sgw.example.com, and
that will still match the same PAD entry. Both gateways will use
certificates provided by the same CA, so their authentication
information is the same.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
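An added illustration of the wildcard PAD entry described in the message above. This is example code written for this page, not code from the draft, the list, or any IKE implementation: an ordered PAD lookup in which a peer is authorised only if its IKE ID matches an entry's ID pattern and its certificate issuer is the entry's trust anchor, so a REDIRECT target is accepted exactly when it already matches a configured entry and no entry is ever added or rewritten. The sub-tree reading of `*.sgw.example.com` (any name under that suffix, but not the bare suffix) and the names `PadEntry`, `lookup_pad` and `accept_redirect` are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PadEntry:
    """One entry of an ordered Peer Authorization Database (RFC 4301 style).

    id_pattern:   an exact FQDN, or "*.<suffix>" for any name under that suffix
    trust_anchor: label of the CA that must have signed the peer's certificate
    """
    id_pattern: str
    trust_anchor: str


def _norm_fqdn(name: str) -> str:
    """FQDN comparison is case-insensitive; drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def id_matches(pattern: str, peer_id: str) -> bool:
    """Does a peer's IKE ID match a PAD ID pattern?

    Assumption (not from the thread): "*.sgw.example.com" covers the whole
    sub-tree, so "a.b.sgw.example.com" matches too, but the bare
    "sgw.example.com" does not, and neither does "xsgw.example.com".
    """
    pattern, peer_id = _norm_fqdn(pattern), _norm_fqdn(peer_id)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot: ".sgw.example.com"
        return peer_id.endswith(suffix) and len(peer_id) > len(suffix)
    return pattern == peer_id


def lookup_pad(pad: List[PadEntry], peer_id: str, issuer: str) -> Optional[PadEntry]:
    """Return the first PAD entry matching both the peer ID and its cert issuer.

    The PAD is ordered, so the first match wins. Nothing here adds or
    rewrites entries: the lookup is read-only, so a REDIRECT never implies
    a dynamic PAD update.
    """
    for entry in pad:
        if id_matches(entry.id_pattern, peer_id) and entry.trust_anchor == issuer:
            return entry
    return None


def accept_redirect(pad: List[PadEntry], new_gw_id: str, new_gw_issuer: str) -> bool:
    """A mobile node follows a REDIRECT only to a gateway that is already
    authorised by an existing PAD entry."""
    return lookup_pad(pad, new_gw_id, new_gw_issuer) is not None


# Constructed sample PAD: a single entry for the whole gateway group, as in
# the example from the message above.
SAMPLE_PAD = [
    PadEntry(id_pattern="*.sgw.example.com.", trust_anchor="CA X"),
]

if __name__ == "__main__":
    for gw, ca in [("sgw1.sgw.example.com", "CA X"),
                   ("sgw2.sgw.example.com", "CA X"),
                   ("sgw2.sgw.example.com", "CA Y"),
                   ("sgw.example.com", "CA X"),
                   ("sgw3.other.example.net", "CA X")]:
        verdict = "accept" if accept_redirect(SAMPLE_PAD, gw, ca) else "reject"
        print(f"{gw:28s} {ca}: {verdict}")
```

Both sgw1 and sgw2 are accepted because they fall under the same wildcard entry and present certificates from CA X; the same name with a certificate from a different CA, or a name outside the sub-tree, is rejected without any change to the PAD.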
