Hi Yoav,

On 7/29/09 9:13 PM, "Yoav Nir" wrote:

> Hi Vijay.
>
> "default" is usually associated with a particular implementation or product. I
> think it would be better to say "suggested value" rather than "default value".

"default value" is the right terminology to use here.

> Also, I don't see a point in mandating that all products should have an extra
> knob for setting this value. For example, for an IKEv2 client you usually try
> to have as little local configuration as possible, so this value may very well
> be hard coded.
>
> The suggested value for MAX_REDIRECTS configuration
> variable is 5. The suggested value for REDIRECT_LOOP_DETECT_PERIOD
> configuration variable is 300 seconds. These values MAY be
> configurable on the client.

If you want to change it to "MAY", you might as well say nothing about it. A
sentence that says "These values MAY be configurable on the client" doesn't say
much. I would be fine with "SHOULD" instead of "MUST".

Vijay

>
>
> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Vijay Devarapalli
> Sent: Thursday, July 30, 2009 1:33 AM
> To: ipsec@ietf.org
> Subject: [IPsec] Handling Redirect Loops
>
> Hello,
>
> During the IESG review of draft-ietf-ipsecme-ikev2-redirect, it was brought
> up that the text about handling redirect loops should be in the main body of
> the draft instead of the security considerations section. One of the ADs
> also wanted some default values to detect a loop. Here is the modified text.
> The changes to the original text are minor, basically adding the default
> values and using "SHOULD" and "MUST" (RFC 2119 language).
>
> 7. Handling Redirect Loops
>
> The client could end up getting redirected multiple times in a
> sequence, either because of wrong configuration or a DoS attack. The
> client could even end up in a loop with two or more gateways
> redirecting the client to each other. This could deny service to the
> client. To prevent this, the client SHOULD be configured not to
> accept more than a certain number of redirects (MAX_REDIRECTS) within
> a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
> IKEv2 SA setup. The default value for MAX_REDIRECTS configuration
> variable is 5. The default value for REDIRECT_LOOP_DETECT_PERIOD
> configuration variable is 300 seconds. These values MUST be
> configurable on the client.
>
> Please let me know if anyone has comments on this.
>
> Vijay

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
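The loop-detection rule in the quoted section 7 (accept at most MAX_REDIRECTS redirects within REDIRECT_LOOP_DETECT_PERIOD seconds for one IKEv2 SA setup) amounts to a per-setup sliding-window counter on the client. The following is an added example of that counter, written for this thread; it is not code from draft-ietf-ipsecme-ikev2-redirect or from any IKEv2 implementation. The class name `RedirectLimiter`, the `sa_id` key, the `simulate` driver and the gateway names `gw-a`/`gw-b` are assumptions made for the example; the two default values are the ones in the quoted text.

```python
"""Sliding-window limiter for IKEv2 REDIRECT handling on the client side.

Added example for the draft text quoted in this thread; not the draft's or
any implementation's code. Names such as RedirectLimiter, sa_id, simulate
and the gateway labels are assumptions made here.
"""
from collections import defaultdict, deque

MAX_REDIRECTS = 5                  # default from the quoted draft text
REDIRECT_LOOP_DETECT_PERIOD = 300  # seconds, default from the quoted draft text


class RedirectLimiter:
    """Tracks accepted redirects per SA setup and refuses the one that would
    exceed MAX_REDIRECTS inside the detection window."""

    def __init__(self, max_redirects=MAX_REDIRECTS,
                 period=REDIRECT_LOOP_DETECT_PERIOD):
        self.max_redirects = max_redirects
        self.period = period
        # sa_id -> deque of acceptance times (seconds, monotonic), oldest first
        self._accepted = defaultdict(deque)

    def accept_redirect(self, sa_id, now):
        """Return True if the client may follow this REDIRECT for the given
        SA setup, False if it should stop and treat the setup as failed."""
        window = self._accepted[sa_id]
        # Forget acceptances that are older than the detection period.
        # An acceptance exactly `period` seconds old still counts.
        while window and now - window[0] > self.period:
            window.popleft()
        if len(window) >= self.max_redirects:
            return False  # limit reached: likely a loop or a DoS attempt
        window.append(now)
        return True

    def finished(self, sa_id):
        """Drop state once the SA setup completes or is abandoned, so the
        per-setup history does not grow without bound."""
        self._accepted.pop(sa_id, None)


def simulate(limiter, sa_id, redirects):
    """Feed a sequence of (time, gateway) REDIRECTs for one SA setup.

    Returns (gateways_followed, time_of_refusal); time_of_refusal is None
    when every redirect in the sequence was accepted."""
    followed = []
    for t, gateway in redirects:
        if not limiter.accept_redirect(sa_id, t):
            limiter.finished(sa_id)
            return followed, t
        followed.append(gateway)
    limiter.finished(sa_id)
    return followed, None


# Constructed scenario 1: two gateways redirect the client to each other
# every 10 seconds (the ping-pong loop the draft describes).
LOOP = [(10 * i, "gw-a" if i % 2 == 0 else "gw-b") for i in range(8)]

# Constructed scenario 2: eight redirects spaced 400 s apart, i.e. never
# more than one inside any 300 s window, which the rule should allow.
SPACED = [(400 * i, "gw-a") for i in range(8)]


def run_loop_scenario():
    return simulate(RedirectLimiter(), "sa-1", LOOP)


def run_spaced_scenario():
    return simulate(RedirectLimiter(), "sa-2", SPACED)


if __name__ == "__main__":
    print("loop:  ", run_loop_scenario())
    print("spaced:", run_spaced_scenario())
```

With the defaults, the ping-pong loop is followed five times and the sixth redirect (at t=50) is refused, while the spaced sequence is followed in full because old acceptances age out of the 300 s window. Both the limit and the period are constructor arguments, which is the "configurable on the client" knob the thread is arguing about.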