Hi Vijay. "default" is usually associated with a particular implementation or product. I think it would be better to say "suggested value" rather than "default value". Also, I don't see a point in mandating that all products should have an extra knob for setting this value. For example, for an IKEv2 client you usually try to have as little local configuration as possible, so this value may very well be hard coded.
The suggested value for MAX_REDIRECTS configuration variable is 5. The suggested value for REDIRECT_LOOP_DETECT_PERIOD configuration variable is 300 seconds. These values MAY be configurable on the client.

-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Vijay Devarapalli
Sent: Thursday, July 30, 2009 1:33 AM
To: ipsec@ietf.org
Subject: [IPsec] Handling Redirect Loops

Hello,

During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought up that the text about handling redirect loops should be in the main body of the draft instead of the security considerations section. One of the ADs also wanted some default values to detect a loop. Here is the modified text. The changes to the original text are minor, basically adding the default values and using "SHOULD" and "MUST" (RFC 2119 language).

7. Handling Redirect Loops

The client could end up getting redirected multiple times in a sequence, either because of wrong configuration or a DoS attack. The client could even end up in a loop with two or more gateways redirecting the client to each other. This could deny service to the client. To prevent this, the client SHOULD be configured not to accept more than a certain number of redirects (MAX_REDIRECTS) within a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular IKEv2 SA setup. The default value for MAX_REDIRECTS configuration variable is 5. The default value for REDIRECT_LOOP_DETECT_PERIOD configuration variable is 300 seconds. These values MUST be configurable on the client.

Please let me know if anyone has comments on this.

Vijay

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
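The loop-detection rule discussed in the thread (reject a redirect once MAX_REDIRECTS have already been accepted within REDIRECT_LOOP_DETECT_PERIOD for one IKEv2 SA setup) can be implemented as a per-SA sliding window of redirect timestamps. The code below is an added illustration, not text from the draft or from either poster; it assumes the client identifies each SA setup by an opaque `sa_setup_id`, uses a monotonic clock, and simply stops following redirects for that setup once the limit is hit (the draft does not prescribe what the client does after refusing a redirect).

```python
from collections import deque
import time

# Values from the draft text quoted above; the thread proposes that a
# client may hard-code them or expose them as configuration.
MAX_REDIRECTS = 5
REDIRECT_LOOP_DETECT_PERIOD = 300.0  # seconds


class RedirectLoopGuard:
    """Sliding-window counter of REDIRECT notifications per IKEv2 SA setup.

    A redirect is accepted only if fewer than max_redirects have already
    been accepted for the same SA setup within the last `period` seconds.
    Two gateways bouncing a client between each other therefore get at
    most max_redirects hops before the client stops following them.
    """

    def __init__(self, max_redirects=MAX_REDIRECTS, period=REDIRECT_LOOP_DETECT_PERIOD):
        self.max_redirects = max_redirects
        self.period = period
        # sa_setup_id (assumed opaque key) -> timestamps of accepted redirects
        self._history = {}

    def accept_redirect(self, sa_setup_id, now=None):
        """Return True if the client should follow this redirect, else False."""
        now = time.monotonic() if now is None else now
        times = self._history.setdefault(sa_setup_id, deque())
        # Drop accepted redirects that fell out of the detection window.
        while times and now - times[0] > self.period:
            times.popleft()
        if len(times) >= self.max_redirects:
            return False  # limit reached within the window: treat as a loop
        times.append(now)
        return True

    def forget(self, sa_setup_id):
        """Clear state once the SA setup completes or is abandoned."""
        self._history.pop(sa_setup_id, None)


def simulate_redirect_loop(gateways, redirects, interval, guard=None):
    """Constructed scenario: gateways redirect the client to each other in turn.

    Returns the list of redirect targets the client actually followed before
    the guard refused one. Assumed behaviour: the client abandons the SA
    setup at the first refused redirect.
    """
    guard = guard or RedirectLoopGuard()
    sa_setup_id = "sa-setup-1"  # constructed identifier
    followed = []
    for i in range(redirects):
        target = gateways[i % len(gateways)]
        if not guard.accept_redirect(sa_setup_id, now=i * interval):
            break
        followed.append(target)
    return followed


if __name__ == "__main__":
    # Two gateways bouncing the client back and forth once per second:
    # only the first five redirects are followed.
    print(simulate_redirect_loop(["gw-a", "gw-b"], redirects=10, interval=1.0))
```

The window is evaluated at the moment each redirect arrives, so a sixth redirect is accepted again only once the oldest accepted one is more than 300 seconds old; state is keyed per SA setup so a loop on one negotiation does not starve an unrelated one.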