Vijay Devarapalli writes:
> Sounds ok to me. Anyone else have comments/opinions on this before I add
> this to the document?
>
> We can have a random 32-bit identifier included in the
> REDIRECTION_SUPPORTED payload and have the gateway echo this in the
> REDIRECT payload. Note that this would be applicable only to redirect
> during the IKE_SA_INIT exchange.
32 bits is way too short. If you want a cookie, better use something that is suitable for a cookie, and even better, do not limit the size. As there is no data currently in the REDIRECT_SUPPORTED, better to just say that the whole REDIRECT_SUPPORTED payload must be returned as is by the server when it is sending REDIRECT back.

You can use similar text to what RFC4306 has about nonces, saying that they must be at least 128 bits in size and must be randomly chosen (i.e. the length MUST be between 16 and 256 octets inclusive).

--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
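As an added example (not part of the thread, and not code from any IKEv2 implementation), here is a small Python model of the exchange proposed in the reply: the initiator sends a random nonce of 16..256 octets as the entire REDIRECT_SUPPORTED data, the gateway echoes it as-is in REDIRECT, and the initiator accepts the REDIRECT only if the echo matches what it sent. The framing of the REDIRECT data (echo followed by a length-prefixed gateway identity) and all function names are assumptions made for illustration, not the RFC 5685 notify encoding.

```python
import hmac
import os
from typing import Optional

# Bounds taken from the reply: the REDIRECT_SUPPORTED data is a nonce that
# MUST be randomly chosen and between 16 and 256 octets inclusive.
MIN_NONCE_LEN = 16
MAX_NONCE_LEN = 256


def nonce_length_ok(n: int) -> bool:
    return MIN_NONCE_LEN <= n <= MAX_NONCE_LEN


def make_redirect_supported(nonce_len: int = 32) -> bytes:
    """Initiator: the entire REDIRECT_SUPPORTED data is one random nonce."""
    if not nonce_length_ok(nonce_len):
        raise ValueError("nonce must be 16..256 octets, got %d" % nonce_len)
    return os.urandom(nonce_len)


def make_redirect(redirect_supported: bytes, new_gateway: bytes) -> bytes:
    """Gateway: echo the received REDIRECT_SUPPORTED data as-is, then append
    the new gateway identity. The layout (echo || 2-byte length || identity)
    is an assumed toy framing for this example, not the RFC 5685 format."""
    if not nonce_length_ok(len(redirect_supported)):
        # A gateway should not redirect on a malformed or undersized nonce.
        raise ValueError("bad REDIRECT_SUPPORTED length")
    if len(new_gateway) > 0xFFFF:
        raise ValueError("gateway identity too long")
    return redirect_supported + len(new_gateway).to_bytes(2, "big") + new_gateway


def check_redirect(sent_nonce: bytes, redirect: bytes) -> Optional[bytes]:
    """Initiator: accept REDIRECT only if it echoes exactly the nonce we sent.
    Returns the new gateway identity, or None if the REDIRECT is rejected
    (unsolicited, replayed from another exchange, or truncated)."""
    n = len(sent_nonce)
    if len(redirect) < n + 2:
        return None
    echoed = redirect[:n]
    # Constant-time compare: the nonce is the only thing binding this REDIRECT
    # to our IKE_SA_INIT request, so don't leak how much of it was guessed.
    if not hmac.compare_digest(echoed, sent_nonce):
        return None
    gw_len = int.from_bytes(redirect[n:n + 2], "big")
    gateway = redirect[n + 2:n + 2 + gw_len]
    if len(gateway) != gw_len:
        return None
    return gateway


def demo() -> dict:
    """Run the exchange once, then try a hypothetical off-path forgery."""
    nonce = make_redirect_supported(32)                  # IKE_SA_INIT request
    redirect = make_redirect(nonce, b"gw2.example.net")  # gateway's response
    accepted = check_redirect(nonce, redirect)

    # An attacker who never saw the request has to guess the nonce: with at
    # least 128 random bits that is hopeless; a 32-bit value would be guessable.
    forged = make_redirect(b"\x00" * 32, b"evil.example.net")
    forged_result = check_redirect(nonce, forged)

    # The reply's point: a 32-bit (4-octet) identifier is rejected outright.
    try:
        make_redirect_supported(4)
        short_allowed = True
    except ValueError:
        short_allowed = False

    return {
        "accepted_gateway": accepted,
        "forged_accepted": forged_result is not None,
        "32bit_nonce_allowed": short_allowed,
    }


if __name__ == "__main__":
    print(demo())
```

Because the initiator knows the length of the nonce it sent, no length field is needed for the echo itself; the gateway just returns the REDIRECT_SUPPORTED data verbatim, which is exactly the "return the whole payload as is" rule the reply argues for.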
