Hello,

During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought
up that the text about handling redirect loops should be in the main body of
the draft instead of the security considerations section. One of the ADs
also wanted some default values to detect a loop. Here is the modified text.
The changes to the original text are minor, basically adding the default
values and using "SHOULD" and "MUST" (RFC 2119 language).

7.  Handling Redirect Loops

   The client could end up getting redirected multiple times in a
   sequence, either because of wrong configuration or a DoS attack.  The
   client could even end up in a loop with two or more gateways
   redirecting the client to each other.  This could deny service to the
   client.  To prevent this, the client SHOULD be configured not to
   accept more than a certain number of redirects (MAX_REDIRECTS) within
   a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
   IKEv2 SA setup.  The default value for MAX_REDIRECTS configuration
   variable is 5.  The default value for REDIRECT_LOOP_DETECT_PERIOD
   configuration variable is 300 seconds.  These values MUST be
   configurable on the client.

Please let me know if anyone has comments on this.

Vijay
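One way a client could implement the check in section 7 above, as an added example that is not from the draft or from any IKEv2 implementation; the tracker structure, the function names, the REDIRECT_HISTORY_CAP bound and the strict "<" window comparison are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Defaults from draft-ietf-ipsecme-ikev2-redirect, section 7. */
#define MAX_REDIRECTS 5
#define REDIRECT_LOOP_DETECT_PERIOD 300 /* seconds */
#define REDIRECT_HISTORY_CAP 64 /* assumed hard bound on the configurable limit */

/* Per-IKEv2-SA-setup redirect history (assumed structure). */
struct redirect_tracker {
    uint64_t ts[REDIRECT_HISTORY_CAP]; /* times (seconds) of redirects still in the window */
    size_t count;
    unsigned max_redirects; /* MAX_REDIRECTS, configurable on the client */
    unsigned period;        /* REDIRECT_LOOP_DETECT_PERIOD, configurable on the client */
};

void tracker_init(struct redirect_tracker *t, unsigned max_redirects, unsigned period)
{
    t->count = 0;
    t->max_redirects = max_redirects > REDIRECT_HISTORY_CAP ? REDIRECT_HISTORY_CAP : max_redirects;
    t->period = period;
}

/* Drop timestamps that have aged out of the detection window. */
static void tracker_expire(struct redirect_tracker *t, uint64_t now)
{
    size_t kept = 0;
    for (size_t i = 0; i < t->count; i++)
        if (now - t->ts[i] < t->period) /* strictly inside the window */
            t->ts[kept++] = t->ts[i];
    t->count = kept;
}

/* Called when a REDIRECT is received for this SA setup at time `now`
 * (monotonic clock, seconds).  Returns true if the client may follow it;
 * false means more than max_redirects would be accepted within the window,
 * so the client ignores this redirect (probable loop or DoS). */
bool redirect_allowed(struct redirect_tracker *t, uint64_t now)
{
    tracker_expire(t, now);
    if (t->count >= t->max_redirects)
        return false;
    t->ts[t->count++] = now; /* record the accepted redirect */
    return true;
}
```

With the defaults, two gateways bouncing a client between each other every 10 seconds get five redirects accepted and the sixth refused, until the oldest accepted redirect falls out of the 300-second window.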



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec