Vijay Devarapalli wrote: > > Hello, > > Yoav Nir wrote: > > I see that in section 6 the following: > > > > In such cases, the gateway should send the REDIRECT notification > > payload in the final IKE_AUTH response message that carries the AUTH > > payload and the traffic selectors. The gateway MUST NOT send and the > > client MUST NOT accept a redirect in an earlier IKE_AUTH message. > > > > I like that, and that was my position earlier, but wasn't the conclusion at > > San Francisco that the REDIRECT could come in either the first AUTH > > response (where we know the ID the client is using, temporary or not) > > *OR* in the last response? > > The text you quote above refers to the case when the gateway decides to > redirect based on the EAP exchange or a as a result of interaction with > the AAA server or some external entity (when multiple auth is used). The > redirect is done in the final IKE_AUTH message. > > > When did we decide to not allow it in the first resopnse? > > We allow it. The first paragraph in section 6 and the message exchange > just below it show this. > > Vijay
The first paragraph refers to the non-EAP case. The paragraph I quoted is the one that refers to the EAP case, and this is the case where it makes sense to allow the REDIRECT both in the first and last IKE_AUTH responses. The case for the last response is the one that you made: The AAA server may tell the gateway to send the user to another gateway. The case for the first response is a little different. The content of the IDi payload tells the gateway to what domain the user belongs. "Domain" could map to a specific AAA server, and/or to a specific gateway. Suppose a user connects to gateway-A with the IDi payload containing "j...@companyb.com". This is enough to tell the gateway that the user should use gateway-B instead - policy says that all companyB employees connect to the gateway-B. Or maybe the user is "j...@company.it" and all such users should connect to the gateway in Italy. In both cases there is no point in authenticating to the local AAA server. The gateway knows immediately to send the user to the appropriate gateway. That is why I think (and I believe that was the conclusion in SF) that the REDIRECT may come in both the first and last responses. Yoav Email secured by Check Point _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
