From: Zengxin (Ryan)
Sent: June 18, 2014 11:50
To: '[email protected]'; '[email protected]'; '[email protected]'
Cc: Shenwenbin; dharmanandana pothulam; '[email protected]';
Fangongbin (Allan); vijay kn; Liujun (Leo, FW-IPSec)
Subject: hello, pls help us clarify what server will do, according RFC5685 if redirect
times more than MAX_REDIRECTS,
Dear Vijay Devarapalli & Kilian Weniger:
We are from Huawei, now implementing the IKEv2 Redirect Feature according to
RFC5685. But in some abnormal cases, can you explain more about what action comes next?
RFC5685
7. Handling Redirect Loops
The client could end up getting redirected multiple times in a
sequence, either because of a wrong configuration or a DoS attack.
The client could even end up in a loop with two or more gateways
redirecting the client to each other. This could deny service to the
client. To prevent this, the client SHOULD be configured to not
accept more than a certain number of redirects (MAX_REDIRECTS) within
a short time period (REDIRECT_LOOP_DETECT_PERIOD) for a particular
IKEv2 SA setup.
If the redirect times are more than MAX_REDIRECTS (defined for Handling Redirect
Loops), we don't know what action the server will take to make sure our
negotiation can succeed.
(1) After the client ignores the redirect payload sent from A-GW (a selected
GW), if the client continues to negotiate with A-GW, A-GW may still send a redirect
payload to the client.
At this time, the client will ignore the payload again and repeat the steps
mentioned before. So the negotiation will have no chance to succeed.
(2) After the client ignores the redirect payload sent from A-GW (a selected GW),
if the client negotiates with the initial GW, it may also send a redirect
payload as in step (1).
So, same as (1), we can't be sure whether the negotiation will succeed
or not.
Best Regards,
Cyber Security Solutions Design Dept
Zeng Xin
________________________________
Huawei Technologies Co., Ltd.
Phone: 86-21-38900743
Mobile: 15900686919
Email: [email protected]
No.2222, Xinjinqiao Rd., Pudong District, Shanghai 201206, P.R.China
http://www.huawei.com
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
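
The client-side limit quoted from RFC 5685 section 7 in the message above, as an added example that is not part of the original message or of any IKEv2 implementation: a per-SA-setup sliding-window counter, run against constructed gateways. The values of MAX_REDIRECTS and REDIRECT_LOOP_DETECT_PERIOD, the gateway names, and the choice to report failure to the caller once the limit is hit are assumptions.

```python
from collections import deque

MAX_REDIRECTS = 5                   # constructed value (assumption)
REDIRECT_LOOP_DETECT_PERIOD = 300   # seconds, constructed value (assumption)


class RedirectLoopGuard:
    """Counts redirects accepted for one IKEv2 SA setup in a sliding window."""

    def __init__(self, max_redirects=MAX_REDIRECTS,
                 period=REDIRECT_LOOP_DETECT_PERIOD):
        self.max_redirects = max_redirects
        self.period = period
        self.accepted = deque()     # timestamps of accepted redirects

    def accept(self, now):
        # Forget redirects that are older than the detection period.
        while self.accepted and now - self.accepted[0] >= self.period:
            self.accepted.popleft()
        if len(self.accepted) >= self.max_redirects:
            return False            # limit reached: do not follow this one
        self.accepted.append(now)
        return True


def setup_sa(first_gw, redirect_map, guard, step=1.0):
    """Simulate one SA setup against constructed gateways.

    redirect_map maps a gateway name to the gateway it redirects to;
    a gateway absent from the map serves the client itself.
    Returns (outcome, gateway, redirects_followed).
    """
    gw, now, followed = first_gw, 0.0, 0
    while gw in redirect_map:
        if not guard.accept(now):
            # Assumption: the setup is reported as failed to the caller.
            return ("redirect-limit", gw, followed)
        gw = redirect_map[gw]
        followed += 1
        now += step                 # time taken by each exchange
    return ("established", gw, followed)


# Constructed topologies: a two-gateway loop and a normal two-hop chain.
LOOP = {"gw-a": "gw-b", "gw-b": "gw-a"}
CHAIN = {"gw-a": "gw-b", "gw-b": "gw-c"}
```

A loop whose redirects arrive further apart than the period never fills the window, so keep `step` small relative to `period` when running the looping topology.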