Hi. I've read through the draft again, and here are a few comments:
Section 3 has the following line: "If the IKE_SA_INIT request did not include the REDIRECT_SUPPORTED payload, the responder MUST NOT send the REDIRECT payload to the VPN client." This IMO should apply to all variations, not just to redirect during the Initial exchange.

I'm wondering if the REDIRECT notification type should not be allocated from the error range. It makes more sense, since it always fails the exchange (or at least part of it - the child SA in the IKE_AUTH exchange).

Section 10 sets up an IANA registry for identity types. Couldn't we just reuse the "IKEv2 Identification Payload ID Types"? There's already IPv4, IPv6 and FQDN, and additionally KEY_ID for locally meaningful names and a range of private use IP addresses. Why set up a new registry for the same thing?

Yoav