Hi,
While preparing to progress the draft to AD review, I reread it once again.
Here are a few comments. Although not all are nits, none of them should
block the document now.
Thanks,

Yaron

Not-quite-nits:
General: a long way back we discussed loop avoidance, but this never made
its way into the draft. The document implicitly allows multiple redirections
in sequence. We should specify somewhere that the client MUST have a
threshold value X (possibly 1), where it is willing to redirect at most X
times in sequence. This is meant to deal with faulty configuration, not with
active attacks.
9. I believe the last sentence "To protect against this kind of attack the
redirection based on the ID should happen only after client has also
authenticated himself." should read "after the *gateway* has also
authenticated itself".
10. Please add at the end of the section: A specification that extends this
registry MUST also define in which notification(s) the new values are
allowed.
Nits:
1. "connect to the IP address of the VPN gateways", change "gateways" to
"gateway".
3. "In practice, this means the new gateway either", remove one "either".
6. mesage -> message
6. "presented by the client in the first IKE_AUTH exchange itself." - this
text is duplicated.
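As an illustration of the loop-avoidance threshold proposed in the "General" comment above, here is an added example (not code from the draft or from anyone on the list) simulating a client that follows REDIRECT notifications at most X times in sequence. The gateway names, the redirect topology (including a misconfigured loop) and the threshold value are constructed for the example.

```python
# Client-side limit on sequential IKEv2 REDIRECT notifications, as suggested
# in the review: the client is willing to be redirected at most X times in a
# row, to cope with faulty gateway configuration (not with active attacks).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_REDIRECTS = 1  # threshold X; the review suggests 1 as a possible value (assumed here)


@dataclass
class Gateway:
    """Constructed stand-in for a VPN gateway; redirect_to is the gateway it
    would name in a REDIRECT notification, or None if it accepts the client."""
    name: str
    redirect_to: Optional[str] = None


class RedirectLimitExceeded(Exception):
    """Raised when the client would have to follow more than X redirects."""


def connect(gateways: Dict[str, Gateway], start: str,
            max_redirects: int = MAX_REDIRECTS) -> Tuple[str, List[str]]:
    """Contact `start`, follow REDIRECTs up to `max_redirects` times, and
    return (gateway finally accepted, list of gateways contacted in order)."""
    path = [start]
    current = start
    redirects_taken = 0
    while True:
        gw = gateways[current]
        if gw.redirect_to is None:
            return current, path  # gateway accepts the connection
        if redirects_taken >= max_redirects:
            # The next hop would exceed the threshold: stop instead of looping.
            raise RedirectLimitExceeded(
                f"refusing redirect #{redirects_taken + 1} from {current} to "
                f"{gw.redirect_to}; gateways contacted so far: {path}")
        redirects_taken += 1
        current = gw.redirect_to
        path.append(current)


# Constructed topology: gw1 hands clients to gw2, which accepts them;
# gw3 and gw4 are misconfigured to redirect to each other forever.
GATEWAYS = {
    "gw1": Gateway("gw1", redirect_to="gw2"),
    "gw2": Gateway("gw2"),
    "gw3": Gateway("gw3", redirect_to="gw4"),
    "gw4": Gateway("gw4", redirect_to="gw3"),
}
```

With X = 1 the healthy gw1 -> gw2 redirect succeeds, while the gw3 <-> gw4 loop is cut after one hop instead of running indefinitely; raising X only lengthens the path before the client gives up.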

IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec