Hello,
Yoav Nir wrote:
I see that in section 6 the following:
In such cases, the gateway should send the REDIRECT notification
payload in the final IKE_AUTH response message that carries the AUTH
payload and the traffic selectors. The gateway MUST NOT send and the
client MUST NOT accept a redirect in an earlier IKE_AUTH message.
I like that, and that was my position earlier, but wasn't the conclusion at San
Francisco that the REDIRECT could come in either the first AUTH response (where
we know the ID the client is using, temporary or not) *OR* in the last response?
The text you quote above refers to the case when the gateway decides to
redirect based on the EAP exchange or a as a result of interaction with
the AAA server or some external entity (when multiple auth is used). The
redirect is done in the final IKE_AUTH message.
When did we decide to not allow it in the first resopnse?
We allow it. The first paragraph in section 6 and the message exchange
just below it show this.
Vijay
Other than that, I think the document is fine and ready for publication.
Yaron Sheffer wrote:
This is a 2 week working group last call for
draft-ietf-ipsecme-ikev2-redirect-08. The target status for
this document is Proposed Standard. This is the document's
second last call, following comments by a number of people
and several document revisions.
Please send your comments to the ipsec list by April 30,
2009, as follow-ups to this message.
Please clearly indicate the position of any issue in the
Internet Draft, and if possible provide alternative text.
Please also indicate the nature or severity of the error or
correction, e.g. major technical, minor technical, nit, so
that we can quickly judge the extent of problems with the document.
The document can be accessed here:
http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-redirect-08.
Thanks,
Yaron
Email secured by Check Point
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec