Hi Vijay.

"default" is usually associated with a particular implementation or product. I 
think it would be better to say "suggested value" rather than "default value". 
Also, I don't see a point in mandating that all products should have an extra 
knob for setting this value. For example, for an IKEv2 client you usually try 
to have as little local configuration as possible, so this value may very well 
be hard coded.

                    The suggested value for MAX_REDIRECTS configuration
   variable is 5.  The suggested value for REDIRECT_LOOP_DETECT_PERIOD
   configuration variable is 300 seconds.  These values MAY be
   configurable on the client.


-----Original Message-----
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Vijay 
Devarapalli
Sent: Thursday, July 30, 2009 1:33 AM
To: ipsec@ietf.org
Subject: [IPsec] Handling Redirect Loops

Hello,

During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought
up that the text about handling redirect loops should be in the main body of
the draft instead of the security considerations section. One of the ADs
also wanted some default values to detect a loop. Here is the modified text.
The changes to the original text are minor, basically adding the default
values and using "SHOULD" and "MUST" (RFC 2119 language).

7.  Handling Redirect Loops

   The client could end up getting redirected multiple times in a
   sequence, either because of wrong configuration or a DoS attack.  The
   client could even end up in a loop with two or more gateways
   redirecting the client to each other.  This could deny service to the
   client.  To prevent this, the client SHOULD be configured not to
   accept more than a certain number of redirects (MAX_REDIRECTS) within
   a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
   IKEv2 SA setup.  The default value for MAX_REDIRECTS configuration
   variable is 5.  The default value for REDIRECT_LOOP_DETECT_PERIOD
   configuration variable is 300 seconds.  These values MUST be
   configurable on the client.

Please let me know if anyone has comments on this.

Vijay

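The loop-detection policy in section 7 above (at most MAX_REDIRECTS redirects within REDIRECT_LOOP_DETECT_PERIOD seconds for one IKEv2 SA setup) amounts to a per-SA sliding-window counter on the client. The following is an added example, not code from the draft or from any IKEv2 implementation discussed in this thread; it uses the draft's suggested values, and the names `RedirectLoopDetector`, `accept_redirect`, `sa_setup_id` and `simulate_ping_pong` are assumptions of this example. It also shows the two-gateway ping-pong case the draft mentions, and that a second SA setup is counted independently.

```python
"""Client-side IKEv2 redirect-loop detector (added example, not the draft's
own code).  Implements: do not follow more than MAX_REDIRECTS redirects
within REDIRECT_LOOP_DETECT_PERIOD seconds for a particular SA setup."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

MAX_REDIRECTS = 5                  # suggested value from the draft
REDIRECT_LOOP_DETECT_PERIOD = 300  # seconds, suggested value from the draft


@dataclass
class RedirectLoopDetector:
    """Sliding-window count of accepted REDIRECT notifications per SA setup.

    The time source is injected as an argument (a monotonic clock in a real
    client) so the behaviour can be exercised deterministically.  Names in
    this class are assumptions of the example, not identifiers from the draft.
    """
    max_redirects: int = MAX_REDIRECTS
    detect_period: float = REDIRECT_LOOP_DETECT_PERIOD
    # sa_setup_id -> timestamps of redirects already followed, oldest first
    _history: Dict[str, Deque[float]] = field(default_factory=dict)

    def accept_redirect(self, sa_setup_id: str, now: float) -> bool:
        """Return True if the client may follow this redirect, False if the
        limit for this SA setup is reached (loop suspected; give up instead
        of following the gateway)."""
        window = self._history.setdefault(sa_setup_id, deque())
        # Forget redirects older than the detection period.  A redirect that
        # is exactly detect_period old is treated as expired.
        cutoff = now - self.detect_period
        while window and window[0] <= cutoff:
            window.popleft()
        if len(window) >= self.max_redirects:
            return False
        window.append(now)
        return True

    def redirects_in_window(self, sa_setup_id: str) -> int:
        """Number of redirects currently counted against one SA setup."""
        return len(self._history.get(sa_setup_id, ()))


def simulate_ping_pong(detector: RedirectLoopDetector, sa_setup_id: str,
                       gateways: List[str], start: float,
                       interval: float) -> List[Tuple[str, bool]]:
    """Feed a constructed sequence of redirects (e.g. two gateways bouncing
    the client between each other) and record which ones would be followed."""
    results = []
    for i, gateway in enumerate(gateways):
        now = start + i * interval
        results.append((gateway, detector.accept_redirect(sa_setup_id, now)))
    return results


if __name__ == "__main__":
    det = RedirectLoopDetector()
    # Constructed scenario: gateway A and gateway B redirect the client to
    # each other eight times, ten seconds apart, during one SA setup.
    bounce = ["gw-a", "gw-b"] * 4
    for gw, followed in simulate_ping_pong(det, "sa-setup-1", bounce, 0.0, 10.0):
        print(f"redirect to {gw}: {'followed' if followed else 'REFUSED (loop)'}")
```

Only the first five redirects in the constructed sequence are followed; the sixth and later ones within the 300-second window are refused, while a redirect arriving after the oldest counted one has aged out of the window is accepted again. Because the window is keyed by SA setup, a loop on one SA setup never blocks redirects for another.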

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec