Re: [IPsec] Handling Redirect Loops

Yoav Nir <ynir@checkpoint.com> Thu, 30 July 2009 04:14 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: 'Vijay Devarapalli' <vijay@wichorus.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Thu, 30 Jul 2009 07:13:57 +0300
Thread-Topic: Handling Redirect Loops
Thread-Index: AcoQnIN2/iNBfSAISU+b1O5XZOe5xQALzvBQ
Message-ID: <006FEB08D9C6444AB014105C9AEB133F855207C896@il-ex01.ad.checkpoint.com>
References: <C6961C26.96B9%vijay@wichorus.com>
In-Reply-To: <C6961C26.96B9%vijay@wichorus.com>
Subject: Re: [IPsec] Handling Redirect Loops

Hi Vijay.

"default" is usually associated with a particular implementation or product. I think it would be better to say "suggested value" rather than "default value". Also, I don't see a point in mandating that all products should have an extra knob for setting this value. For example, for an IKEv2 client you usually try to have as little local configuration as possible, so this value may very well be hard coded.

                    The suggested value for MAX_REDIRECTS configuration
   variable is 5.  The suggested value for REDIRECT_LOOP_DETECT_PERIOD
   configuration variable is 300 seconds.  These values MAY be
   configurable on the client.


-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Vijay Devarapalli
Sent: Thursday, July 30, 2009 1:33 AM
To: ipsec@ietf.org
Subject: [IPsec] Handling Redirect Loops

Hello,

During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought
up that the text about handling redirect loops should be in the main body of
the draft instead of the security considerations section. One of the ADs
also wanted some default values to detect a loop. Here is the modified text.
The changes to the original text are minor, basically adding the default
values and using "SHOULD" and "MUST" (RFC 2119 language).

7.  Handling Redirect Loops

   The client could end up getting redirected multiple times in a
   sequence, either because of wrong configuration or a DoS attack.  The
   client could even end up in a loop with two or more gateways
   redirecting the client to each other.  This could deny service to the
   client.  To prevent this, the client SHOULD be configured not to
   accept more than a certain number of redirects (MAX_REDIRECTS) within
   a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
   IKEv2 SA setup.  The default value for MAX_REDIRECTS configuration
   variable is 5.  The default value for REDIRECT_LOOP_DETECT_PERIOD
   configuration variable is 300 seconds.  These values MUST be
   configurable on the client.

Please let me know if anyone has comments on this.

Vijay
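The check that Section 7 above describes (refuse further REDIRECT notifications once MAX_REDIRECTS have been accepted inside the trailing REDIRECT_LOOP_DETECT_PERIOD for one IKEv2 SA setup) can be expressed as a small sliding-window counter. The code below is an added illustration written for this archive page; it is not from either message, from the draft, or from any implementation. The class and function names, the injectable clock, and the two-gateway ping-pong topology it walks are all assumptions constructed for the example; only the two suggested values come from the text.

```python
from collections import deque

# Suggested values from the Section 7 text quoted above.
MAX_REDIRECTS = 5
REDIRECT_LOOP_DETECT_PERIOD = 300.0  # seconds


class RedirectLoopDetector:
    """Per-IKEv2-SA-setup counter of accepted REDIRECT notifications.

    A redirect is accepted only while fewer than max_redirects have been
    accepted inside the trailing `period` seconds.  The caller supplies the
    clock so the logic can be exercised without sleeping.  (Hypothetical
    helper written for this example, not part of the draft.)
    """

    def __init__(self, max_redirects=MAX_REDIRECTS, period=REDIRECT_LOOP_DETECT_PERIOD):
        if max_redirects < 1 or period <= 0:
            raise ValueError("max_redirects must be >= 1 and period > 0")
        self.max_redirects = max_redirects
        self.period = period
        self._accepted = deque()   # timestamps of accepted redirects
        self.path = []             # gateways the client was sent to, in order

    def _expire(self, now):
        # Forget redirects that have fallen out of the detection window.
        while self._accepted and now - self._accepted[0] > self.period:
            self._accepted.popleft()

    def accept_redirect(self, gateway, now):
        """Return True if the client should follow this redirect, else False."""
        self._expire(now)
        if len(self._accepted) >= self.max_redirects:
            # Too many redirects in the window: treat as a loop or a DoS
            # attempt and stop following them for this SA setup.
            return False
        self._accepted.append(now)
        self.path.append(gateway)
        return True

    def count_in_window(self, now):
        """Number of redirects still counted against the limit at time `now`."""
        self._expire(now)
        return len(self._accepted)


def simulate_sa_setup(first_gateway, redirect_map, detector, start=0.0, step=1.0, max_hops=100):
    """Walk a constructed redirect topology the way a client would during one SA setup.

    redirect_map maps a gateway name to the gateway it redirects to; a gateway
    absent from the map accepts the connection.  Returns where the client ended
    up and whether it gave up because the detector refused a redirect.
    """
    gateway, now, hops = first_gateway, start, [first_gateway]
    for _ in range(max_hops):
        target = redirect_map.get(gateway)
        if target is None:
            return {"gateway": gateway, "hops": hops, "aborted": False}
        if not detector.accept_redirect(target, now):
            return {"gateway": gateway, "hops": hops, "aborted": True}
        gateway = target
        hops.append(gateway)
        now += step
    raise RuntimeError("redirect walk exceeded max_hops")


if __name__ == "__main__":
    # Constructed topologies: a benign two-hop chain and two gateways that
    # bounce the client between each other (the loop the draft warns about).
    chain = {"gw-a": "gw-b", "gw-b": "gw-c"}
    loop = {"gw-a": "gw-b", "gw-b": "gw-a"}
    print(simulate_sa_setup("gw-a", chain, RedirectLoopDetector()))
    print(simulate_sa_setup("gw-a", loop, RedirectLoopDetector()))
```

Two points worth noticing when running it: the loop walk stops after exactly five accepted redirects, as the draft's suggested values dictate, and a redirect that arrives more than 300 seconds after the oldest counted one is accepted again because the window has slid past it, which is why the period and the limit have to be chosen together rather than one in isolation.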
