Hi Padam,

It is possible, and avoidable by configuring a policy on the client for the MAX no. of REDIRECTs. The draft has a mention of this scenario in Section 10.

With Regards,
Raj

On Wed, Jul 1, 2009 at 4:24 PM, Padmakumar AV <paav.ci...@gmail.com> wrote:
> Hi Vijay,
>
> I have a doubt regarding the usage of redirect during INIT exchange.
>
> An attacker in between spoke and hub spoofs the init exchange to anycast
> address and then redirects it to another FAKE-HUB1 by specifying unicast
> address of the FAKE-HUB1. FAKE-HUB1 subsequently redirects it to FAKE-HUB2
> and FAKE-HUB2 to FAKE-HUB3 and so on...
>
> Is that possible?
>
> Thanks
> Padmakumar
>
> On Tue, Jun 16, 2009 at 11:45 PM, <internet-dra...@ietf.org> wrote:
>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the IP Security Maintenance and Extensions
>> Working Group of the IETF.
>>
>>
>> Title : Redirect Mechanism for IKEv2
>> Author(s) : V. Devarapalli, K. Weniger
>> Filename : draft-ietf-ipsecme-ikev2-redirect-11.txt
>> Pages : 16
>> Date : 2009-06-16
>>
>> IKEv2 is a protocol for setting up VPN tunnels from a remote location
>> to a gateway so that the VPN client can access services in the
>> network behind the gateway. Currently there is no standard mechanism
>> specified that allows an overloaded VPN gateway or a VPN gateway that
>> is being shut down for maintenance to redirect the VPN client to
>> attach to another gateway. This document proposes a redirect
>> mechanism for IKEv2. The proposed mechanism can also be used in
>> Mobile IPv6 to enable the home agent to redirect the mobile node to
>> another home agent.
>>
>> A URL for this Internet-Draft is:
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-ikev2-redirect-11.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
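
The client-side policy mentioned in the reply above, as an added example that is not part of the thread or of the draft: a guard that caps the redirects a client accepts during one SA setup and refuses a gateway it has already contacted. The class and function names, the default of 5 redirects within 300 seconds, and the sample addresses are assumptions.

```python
import time
from collections import deque


class RedirectGuard:
    """Client policy limiting IKEv2 REDIRECTs per SA setup (hypothetical helper)."""

    def __init__(self, max_redirects=5, window_seconds=300.0, clock=time.monotonic):
        # Both limits are assumed policy values, not taken from the thread.
        self.max_redirects = max_redirects
        self.window_seconds = window_seconds
        self._clock = clock
        self._accepted = deque()  # timestamps of redirects already followed
        self._visited = set()     # gateways already contacted in this setup

    def start(self, gateway):
        """Begin a new SA setup toward the initially configured gateway."""
        self._accepted.clear()
        self._visited = {gateway}

    def allow(self, new_gateway):
        """Return (ok, reason) for a REDIRECT that points at new_gateway."""
        now = self._clock()
        # Forget redirects that have aged out of the detection window.
        while self._accepted and now - self._accepted[0] > self.window_seconds:
            self._accepted.popleft()
        if new_gateway in self._visited:
            return False, "loop: gateway already contacted"
        if len(self._accepted) >= self.max_redirects:
            return False, "limit: too many redirects in window"
        self._accepted.append(now)
        self._visited.add(new_gateway)
        return True, "ok"


def follow_chain(guard, first_gateway, redirects):
    """Walk a list of redirect targets; return (gateways contacted, stop reason)."""
    guard.start(first_gateway)
    contacted = [first_gateway]
    for target in redirects:
        ok, reason = guard.allow(target)
        if not ok:
            return contacted, reason  # abandon the setup instead of following
        contacted.append(target)
    return contacted, "ok"


if __name__ == "__main__":
    # Constructed chain: each fake hub redirects to the next (documentation addresses).
    chain = [f"198.51.100.{i}" for i in range(1, 11)]
    print(follow_chain(RedirectGuard(), "192.0.2.1", chain))
```

When the guard refuses a redirect, the client stops the setup and can report the reason, so a chain of redirecting hubs costs it a bounded number of INIT exchanges.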