> > From section 3.2
> >
> > If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-zero
> > lengths, the CFG_REPLY MUST NOT assign any domains in its
> > INTERNAL_DNS_DOMAIN attributes that are not contained within the
> > requested domains. The initiator SHOULD ignore any domains beyond
> > its requested list.
> >
> > This whole thing about restricting the subdomains the server can send by
> > sending the list from the client is different than what we normally do. In
> > the normal case the client sends a list of suggestions for the configuration
> > values to the server. Here the client forces the server to do something.
> >
> > I think it would be better to say that the client can send a list of DNS
> > names it would like to be included, and the server can then reply with whatever
> > list it has in its configuration, and the client is free to ignore as many
> > of the items from the list as it likes.
> >
> > This way, if you have originally configured company1.com in the
> > internal DNS names, and then the company decides to buy another company
> > called company2.com, the client can still request company1.com and the
> > server can return both company1.com and company2.com in its reply.
> > Then it is up to the client whether it will believe the list or not.
>
> I ran into this issue too when implementing. I realised that there is really
> no reason for the server to ever act on what the client sends.
> So I wondered if we should send it at all. It seems we might as well not send
> anything to the server, and when the server gives us a list, filter it based
> on what we will accept. This could be different based on the kind of IPsec tunnel
> (corporate vs free proxy).
[HJ] I think it is most flexible to still allow the client to send what it wants in CFG_REQUEST, but it is up to the gateway's local policy to decide whether it should consider or ignore them; for example, the INTERNAL_DNS_DOMAIN could be used by the gateway as an additional hint for which DNS server address to return in case a gateway is serving multiple types of clients, each with its own internal domains to be resolved via its own DNS server. The same applies to CFG_REPLY: it is up to the client's local policy to decide whether to accept or ignore.

In section 3.2, "If the CFG_REQUEST did not contain an INTERNAL_DNS_DOMAIN attribute, the responder MUST NOT include an INTERNAL_DNS_DOMAIN attribute in the CFG_REPLY." If it is agreed that what the gateway sends or accepts is essentially local policy, then the gateway should be allowed to send INTERNAL_DNS_DOMAIN even when the client doesn't include it in the CFG_REQUEST. According to section 2.19 of RFC 7296, "the IRAS MAY also send other attributes that were not included in CP(CFG_REQUEST)"; I think it is a general rule for all configuration attributes.
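As an added example, not code from any participant in this thread, here is a client-side filter for the behaviour the thread discusses: parse the configuration attributes of a CFG_REPLY, then keep INTERNAL_DNS_DOMAIN values according to local policy, either trusting the gateway to add domains (the corporate company2.com case) or keeping only the domains the client itself requested (the untrusted-tunnel case). It assumes the RFC 7296 section 3.15.1 attribute encoding (2-byte type with reserved top bit, 2-byte length, value) and an attribute type value of 25 for INTERNAL_DNS_DOMAIN, which is an assumption here since the thread does not give the number.

```python
import struct

INTERNAL_DNS_DOMAIN = 25  # assumed attribute type value; not stated in the thread

def encode_attrs(attrs):
    """Serialise (type, value) pairs as IKEv2 configuration attributes."""
    return b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)

def parse_attrs(data):
    """Parse configuration attributes (RFC 7296 3.15.1); reject truncated input."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((atype & 0x7FFF, data[off:off + length]))
        off += length
    return attrs

def _within(domain, requested):
    """True if domain equals, or is a subdomain of, a requested domain."""
    return any(domain == r or domain.endswith("." + r) for r in requested)

def accepted_dns_domains(cfg_reply, requested, trust_gateway):
    """Client-side filter of INTERNAL_DNS_DOMAIN values in a CFG_REPLY.
    trust_gateway=True models a corporate tunnel whose gateway may add domains
    beyond the request (the company2.com case); False models an untrusted
    tunnel, where only requested domains and their subdomains survive.
    Zero-length or non-ASCII values carry no usable domain and are dropped.
    """
    wanted = [r.lower().rstrip(".") for r in requested]
    result = []
    for atype, value in parse_attrs(cfg_reply):
        if atype != INTERNAL_DNS_DOMAIN or not value:
            continue
        try:
            domain = value.decode("ascii").lower().rstrip(".")
        except UnicodeDecodeError:
            continue
        if (trust_gateway or _within(domain, wanted)) and domain not in result:
            result.append(domain)
    return result

# Constructed CFG_REPLY: the gateway answers a request for company1.com with both.
REPLY = encode_attrs([(INTERNAL_DNS_DOMAIN, b"company1.com"),
                      (INTERNAL_DNS_DOMAIN, b"company2.com")])
```

`accepted_dns_domains(REPLY, ["company1.com"], True)` yields both domains, while the same call with `trust_gateway=False` yields only `company1.com`.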
