Paul Hoffman wrote:
> At 12:44 PM +0100 3/11/09, <pasi.ero...@nokia.com> wrote:
>> Vijay Devarapalli wrote:
>>> I don't agree with the restriction that the original gateway and the
>>> new gateway should have the same IDr. That is too restrictive. For
>>> example, it should be possible for gw1 to redirect the client to
>>> gw2, with the two gateways having two distinct FQDNs.
>>
>> Right... but if the client does not have a PAD entry for gw2's IDr,
>> then the IKE negotiation will fail. (I guess we're not considering
>> updating the PAD based on REDIRECTs.)
>
> Co-chair-hat on:
> Right, we are not considering that currently. If we do consider it, it is a
> significant change to the document and we would want to do (at least) another
> WG last call.
>
> Co-chair-hat off:
> Right, and we should not consider that, given the difficulty of bounding the
> security considerations if we do so.
There are environments where the client (e.g., Mobile IPv6 MN, 3GPP
I-WLAN client) always discovers the gateways they need to attach to.
They might get assigned different gateways based on what service they
want to access, what their subscription profile is, etc. In such
environments, the PAD entries are created dynamically, but of course
bound by the configuration on the mobile node. I think the REDIRECT
mechanism is of limited use if you can only redirect to another gateway
for which the mobile node already has a PAD entry.

Note that Mobile IPv6 already allows the mobile node to discover home
agents dynamically and then create PAD and SPD entries. These are
already standards track documents.

On starting another WG last call for the document if we make this
change, I am fine with it.
Vijay
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
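The two positions in the thread (the chairs: a REDIRECT to a gateway with no PAD entry simply fails; Vijay: PAD entries may be created dynamically but bounded by the mobile node's configuration) can be made concrete with a small model of an initiator's PAD check. This is an added illustration written for this archive page, not code from the IPsec WG, the RFC text or any IKEv2 implementation. The PAD is reduced to a dictionary keyed by the peer's IKE identity (an FQDN here), and the "bounded by configuration" rule is modelled as a hypothetical list of FQDN suffixes under which dynamic entries may be created; that knob is an assumption for the example, not something the draft defines.

```python
from dataclasses import dataclass, field


@dataclass
class PadEntry:
    # Simplified Peer Authorization Database entry: which identity the peer
    # must present and how it authenticates. Real PAD entries carry more state.
    peer_id: str
    auth: str  # constructed values: "cert" or "psk"


@dataclass
class Pad:
    entries: dict = field(default_factory=dict)
    # Hypothetical policy knob (assumption, not RFC text): FQDN suffixes under
    # which this client is allowed to create PAD entries for discovered gateways.
    dynamic_suffixes: tuple = ()

    def lookup(self, peer_id: str):
        """Static PAD lookup by the IDr the peer would present in IKE_AUTH."""
        return self.entries.get(peer_id)

    def add_dynamic(self, peer_id: str, auth: str = "cert") -> bool:
        """Create a PAD entry only if the identity sits inside the configured
        trust boundary; anything else is refused and the PAD is left untouched."""
        allowed = any(peer_id == s or peer_id.endswith("." + s)
                      for s in self.dynamic_suffixes)
        if not allowed:
            return False
        self.entries[peer_id] = PadEntry(peer_id, auth)
        return True


def handle_redirect(pad: Pad, new_gw_id: str, allow_dynamic: bool = False):
    """Decide what an initiator does when its current gateway sends a REDIRECT
    naming new_gw_id. Returns (action, reason)."""
    if pad.lookup(new_gw_id) is not None:
        # The chairs' model: only gateways already authorised in the PAD.
        return ("reconnect", f"PAD already authorises {new_gw_id}")
    if allow_dynamic and pad.add_dynamic(new_gw_id):
        # Vijay's environment: dynamic entry, bounded by local configuration.
        return ("reconnect", f"created bounded dynamic PAD entry for {new_gw_id}")
    # Without a matching PAD entry the IKE_AUTH exchange with new_gw_id cannot
    # be authorised, so the redirected negotiation fails.
    return ("fail", f"no PAD entry for {new_gw_id}; IKE negotiation would fail")


def sample_pad() -> Pad:
    """Constructed sample: the client was provisioned for gw1 only and is
    allowed to learn gateways under example.net dynamically."""
    return Pad(entries={"gw1.example.net": PadEntry("gw1.example.net", "cert")},
               dynamic_suffixes=("example.net",))


if __name__ == "__main__":
    for dyn in (False, True):
        pad = sample_pad()
        print(dyn, handle_redirect(pad, "gw2.example.net", allow_dynamic=dyn))
        print(dyn, handle_redirect(pad, "gw9.example.org", allow_dynamic=dyn))
```

With dynamic creation disabled the redirect to gw2 fails exactly as Pasi describes; with it enabled the entry is created because gw2 falls under the configured suffix, while a redirect to a host outside that boundary still fails, which is the kind of bound the security considerations would have to spell out.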