
Re: SAs that carry fragments Was: Re: Some IKEv2 issues



Tero,

In 2401, and so far in 2401bis, we have distinguished between ANY and OPAQUE. If we decide to continue to do that, then at a minimum, we would not consider a fragment with no port fields to match an SA that allowed traffic with ANY as the value for port fields.

Also, if an IPsec implementation has two SAs between the same source/dest address pairs, and with the same protocol value(s), but distinguishes traffic based on specific (vs. ANY) port fields, then a non-initial fragment cannot be mapped to either SA unambiguously. An analogous problem arises if there is just one extant SA that matches the addresses and protocol, and we are forced to search the SPD to see if another SA might be appropriate. These observations motivate use of a separate SA to carry fragments, right?


Steve
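To make the ambiguity in the message concrete, here is an added example (not from this thread, not from 2401/2401bis, and not from any IPsec implementation) that models selector matching with the ANY and OPAQUE semantics Steve describes: ANY accepts any port value but requires the port field to be present, and OPAQUE accepts only packets whose port fields are not available, such as non-initial fragments. The names Selector, Packet, port_matches, match_sa and find_sas, the addresses, and the SA entries are assumptions of this example, constructed to show that a non-initial fragment matches neither of two port-specific SAs and neither an ANY SA, but does match a separate fragment SA with OPAQUE port selectors.

```python
"""
Toy model of 2401-style selector matching (added example, not IPsec code).
ANY    : any port value is acceptable, but the packet must carry a port field.
OPAQUE : the selector matches only when the port field is not available
         (e.g. a non-initial fragment that carries no transport header).
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "ANY"
OPAQUE = "OPAQUE"


@dataclass(frozen=True)
class Selector:
    """Traffic selectors of one SA (hypothetical SAD entry)."""
    name: str
    src: str
    dst: str
    proto: int
    src_port: object = ANY   # int, ANY or OPAQUE
    dst_port: object = ANY


@dataclass(frozen=True)
class Packet:
    """Outbound packet as seen by selector lookup (constructed input)."""
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None   # None => no port field available
    dst_port: Optional[int] = None
    non_initial_fragment: bool = False


def port_matches(sel_port, pkt_port: Optional[int]) -> bool:
    """Apply the ANY/OPAQUE distinction to a single port selector."""
    if sel_port == OPAQUE:
        return pkt_port is None          # only "no port field" satisfies OPAQUE
    if pkt_port is None:
        return False                     # neither ANY nor a specific port can match
    if sel_port == ANY:
        return True
    return sel_port == pkt_port


def match_sa(sel: Selector, pkt: Packet) -> bool:
    """True when the packet's selector values fall inside this SA's selectors."""
    return (sel.src == pkt.src and sel.dst == pkt.dst and sel.proto == pkt.proto
            and port_matches(sel.src_port, pkt.src_port)
            and port_matches(sel.dst_port, pkt.dst_port))


def find_sas(sad: List[Selector], pkt: Packet) -> List[str]:
    """Names of all SAs in the (hypothetical) SAD that the packet could use."""
    return [s.name for s in sad if match_sa(s, pkt)]


# Constructed SAD: two SAs between the same addresses and protocol (TCP),
# distinguished only by destination port, as in the second paragraph above.
SAD_PORTS = [
    Selector("SA_http",  "10.0.0.1", "10.0.0.2", 6, dst_port=80),
    Selector("SA_https", "10.0.0.1", "10.0.0.2", 6, dst_port=443),
]
# A single SA whose ports are ANY, for the first paragraph's case.
SA_ANY = Selector("SA_any", "10.0.0.1", "10.0.0.2", 6, src_port=ANY, dst_port=ANY)
# A separate SA reserved for fragments, with OPAQUE port selectors.
SA_FRAG = Selector("SA_frag", "10.0.0.1", "10.0.0.2", 6,
                   src_port=OPAQUE, dst_port=OPAQUE)

# Constructed packets: an unfragmented (or initial) TCP segment carrying its
# ports, and a non-initial fragment of the same flow with no transport header.
FULL_PKT = Packet("10.0.0.1", "10.0.0.2", 6, src_port=40000, dst_port=80)
FRAG_PKT = Packet("10.0.0.1", "10.0.0.2", 6, non_initial_fragment=True)


def demo() -> dict:
    """Run the lookups the message reasons about and collect the outcomes."""
    return {
        "full_vs_port_sas": find_sas(SAD_PORTS, FULL_PKT),         # ['SA_http']
        "frag_vs_port_sas": find_sas(SAD_PORTS, FRAG_PKT),         # [] : ambiguous, so no match
        "frag_vs_any_sa":   find_sas([SA_ANY], FRAG_PKT),          # [] : ANY needs a port field
        "full_vs_any_sa":   find_sas([SA_ANY], FULL_PKT),          # ['SA_any']
        "frag_with_frag_sa": find_sas(SAD_PORTS + [SA_FRAG], FRAG_PKT),  # ['SA_frag']
        "full_with_frag_sa": find_sas(SAD_PORTS + [SA_FRAG], FULL_PKT),  # ['SA_http']
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The two empty results are the point: with only port-specific SAs, or only an ANY SA, a non-initial fragment has no SA to use, so the implementation would have to either drop it or fall back to an SPD search that the address and protocol values alone cannot resolve. Adding SA_frag with OPAQUE port selectors gives the fragment exactly one match without disturbing the lookup for packets that carry their ports.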