Re: [IPsec] Handling Redirect Loops

Vijay Devarapalli <vijay@wichorus.com> Thu, 30 July 2009 05:00 UTC

Date: Wed, 29 Jul 2009 22:00:13 -0700
From: Vijay Devarapalli <vijay@wichorus.com>
To: Yoav Nir <ynir@checkpoint.com>, "ipsec@ietf.org" <ipsec@ietf.org>
Message-ID: <C69676ED.96F5%vijay@wichorus.com>

Hi Yoav,

On 7/29/09 9:13 PM, "Yoav Nir" wrote:

> Hi Vijay.
> 
> "default" is usually associated with a particular implementation or product. I
> think it would be better to say "suggested value" rather than "default value".

"default value" is the right terminology to use here.

> Also, I don't see a point in mandating that all products should have an extra
> knob for setting this value. For example, for an IKEv2 client you usually try
> to have as little local configuration as possible, so this value may very well
> be hard coded.
> 
>                     The suggested value for MAX_REDIRECTS configuration
>    variable is 5.  The suggested value for REDIRECT_LOOP_DETECT_PERIOD
>    configuration variable is 300 seconds.  These values MAY be
>    configurable on the client.

If you want to change it to "MAY", you might as well say nothing about it. A
sentence that says "These values MAY be configurable on the client" doesn't
say much. I would be fine with "SHOULD" instead of "MUST".

Vijay

> 
> 
> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> Vijay Devarapalli
> Sent: Thursday, July 30, 2009 1:33 AM
> To: ipsec@ietf.org
> Subject: [IPsec] Handling Redirect Loops
> 
> Hello,
> 
> During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought
> up that the text about handling redirect loops should be in the main body of
> the draft instead of the security considerations section. One of the ADs
> also wanted some default values to detect a loop. Here is the modified text.
> The changes to the original text are minor, basically adding the default
> values and using "SHOULD" and "MUST" (RFC 2119 language).
> 
> 7.  Handling Redirect Loops
> 
>    The client could end up getting redirected multiple times in a
>    sequence, either because of wrong configuration or a DoS attack.  The
>    client could even end up in a loop with two or more gateways
>    redirecting the client to each other.  This could deny service to the
>    client.  To prevent this, the client SHOULD be configured not to
>    accept more than a certain number of redirects (MAX_REDIRECTS) within
>    a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
>    IKEv2 SA setup.  The default value for MAX_REDIRECTS configuration
>    variable is 5.  The default value for REDIRECT_LOOP_DETECT_PERIOD
>    configuration variable is 300 seconds.  These values MUST be
>    configurable on the client.
> 
> Please let me know if anyone has comments on this.
> 
> Vijay
> 
> 
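The loop-detection rule in the draft text quoted above (accept no more than MAX_REDIRECTS redirects within REDIRECT_LOOP_DETECT_PERIOD for a particular IKEv2 SA setup) is a per-SA sliding-window counter. The following is an added example written for this archive page, not code from the draft, from the thread's authors or from any IKEv2 implementation. The class and function names, the `sa_setup_id` key, the gateway names and the two-gateway ping-pong scenario are assumptions constructed to exercise the rule; the defaults of 5 redirects and 300 seconds are the ones the draft text proposes.

```python
from collections import defaultdict, deque

# Default values proposed in the draft text quoted in the thread.
MAX_REDIRECTS = 5
REDIRECT_LOOP_DETECT_PERIOD = 300  # seconds


class RedirectLoopDetector:
    """Sliding-window count of accepted REDIRECT notifications per IKEv2 SA setup.

    Hypothetical client-side helper (not from the draft). One instance lives on
    the client; sa_setup_id identifies one SA setup attempt, so redirects for
    unrelated SA setups never count against each other.
    """

    def __init__(self, max_redirects=MAX_REDIRECTS, period=REDIRECT_LOOP_DETECT_PERIOD):
        # Both values are configurable, as the draft text requires.
        if max_redirects < 1 or period <= 0:
            raise ValueError("max_redirects must be >= 1 and period must be > 0")
        self.max_redirects = max_redirects
        self.period = period
        # sa_setup_id -> timestamps of redirects accepted inside the window
        self._history = defaultdict(deque)

    def should_accept(self, sa_setup_id, now):
        """Return True if a redirect seen at time `now` may be followed.

        Accepted redirects are recorded. Once max_redirects have already been
        accepted within the last `period` seconds the redirect is refused and
        the caller should stop following redirects for this SA setup.
        """
        window = self._history[sa_setup_id]
        # Forget redirects that have aged out of the detection period.
        while window and now - window[0] >= self.period:
            window.popleft()
        if len(window) >= self.max_redirects:
            return False
        window.append(now)
        return True


def simulate_redirect_loop(detector, sa_setup_id, redirect_map, first_gateway,
                           start=0.0, spacing=1.0):
    """Drive a constructed connect loop against the detector.

    redirect_map maps a gateway name to the gateway it redirects the client to;
    a gateway absent from the map accepts the connection. Returns
    (list of gateways the client was redirected to, stopped_by_detector).
    """
    gateway = first_gateway
    now = start
    followed = []
    while gateway in redirect_map:  # this gateway answers with a REDIRECT
        if not detector.should_accept(sa_setup_id, now):
            return followed, True
        gateway = redirect_map[gateway]
        followed.append(gateway)
        now += spacing  # constructed: one redirect per second
    return followed, False


if __name__ == "__main__":
    # Constructed scenario from the draft's description: two gateways
    # redirecting the client to each other.
    ping_pong = {"gw-a": "gw-b", "gw-b": "gw-a"}
    detector = RedirectLoopDetector()
    followed, stopped = simulate_redirect_loop(detector, "sa-1", ping_pong, "gw-a")
    print("redirects followed:", len(followed), "stopped by detector:", stopped)
```

The window is keyed by SA setup rather than by gateway, which matches the draft text and means a loop through three or more gateways is caught just as readily as the two-gateway case: what is bounded is the total number of redirects accepted for one setup attempt, not the number per peer.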