
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 15:41 +0200 2/20/04, Tero Kivinen wrote:
> Stephen Kent writes:
> > > Yes, and people have figured ways of supporting this
> > > without needing separate SAs for fragments.
> > You said "ways", which is plural. It's not enough for a vendor to
> > decide how to map a fragment to an SA, since the receiver is supposed
> > to check each received packet against the selectors for the SA via
> > which it is received. So, if there is ONE way to do this, and
> > everybody already does it, and if it accommodates all the possible SA
> > configurations that a compliant implementation MUST support, then we
> > should just describe that way in 2401bis. But what I fear you are
> > indicating is that different vendors have different ways of
> > accommodating fragments, and that these may not be common, which
> > means that interoperability problems may (will) occur, OR that not
> > all possible SA configurations will work. If so, then we need to fix
> > this situation.

> I do not know what others do, or whether they support port selectors
> at all. For VPN style setups (== tunnel mode) port selectors are not
> that useful; I think the most used setup there is a tunnel from one IP
> or network to a network, with no port selectors at all. They might
> have additional firewall rules after that, checking that only allowed
> protocols are used (smtp, www etc).
>
> Port selectors are more useful in the host to host case, i.e.
> transport mode, as there you might have per TCP/IP flow SAs (or per
> user SAs). In those cases the IPsec processing is done for the whole
> packet, thus this is a non-issue (there are no fragments to be
> processed in the transport mode case).
>
> So we are now only talking about tunnel mode. How often do people use
> tunnel mode along with port selectors? Does anybody have a real world
> example where it is needed? How do other implementations process
> fragmented tunnel mode packets along with SAs with port selectors?

We've had analogous debates on this before. IPsec is NOT just a VPN technology and our specs ought not be VPN-specific. I have certainly advised folks to use port selectors for tunnels under certain instances, e.g., to restrict traffic to a server to be traffic of the sort appropriate to that server, based on the well known ports associated with the service.


Steve
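The point the two of them are circling, that a receiver is supposed to check every packet against the selectors of the SA it arrived on but a non-initial IPv4 fragment carries no transport header to check, is easy to see with a small model. The following Python is an added illustration, not code from this thread or from any 2401bis text: it builds a UDP datagram, fragments it at the IP layer, and runs each fragment through a selector match. The ANY and OPAQUE port values are this example's own modelling (RFC 4301 later defined selector values with those names; the matching logic here is the example's, not a quotation of the spec), and all addresses, ports and the constructed payload are made up for the demonstration.

```python
"""
Added example: why port selectors cannot be checked on non-initial
IPv4 fragments, and how a separate "fragments" selector would look.

Everything here (addresses, ports, the OPAQUE/ANY markers, the payload)
is constructed for illustration; it is not code from the IETF thread.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"        # selector accepts any value, present or not
OPAQUE = "OPAQUE"  # assumed marker: matches only when the field is unavailable

SRC, DST, UDP = "10.0.0.1", "10.0.0.2", 17


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: int
    src_port: object  # int, ANY or OPAQUE
    dst_port: object


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int, frag_off: int, more: bool) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero for the model."""
    flags_frag = (0x2000 if more else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def fragment(src: str, dst: str, proto: int, payload: bytes,
             mtu: int = 576, ident: int = 1) -> List[bytes]:
    """Split one datagram into IPv4 fragments; offsets are multiples of 8."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(ipv4_header(src, dst, proto, len(part), ident, off, more) + part)
    return frags


def parse(pkt: bytes) -> Tuple[str, str, int, int, bool, Optional[Tuple[int, int]]]:
    """Return (src, dst, proto, frag_off, more, ports); ports is None when
    the transport header is not in this packet (any non-initial fragment)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, _, ff, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    src = ".".join(map(str, s))
    dst = ".".join(map(str, d))
    frag_off = (ff & 0x1FFF) * 8
    more = bool(ff & 0x2000)
    ports = None
    if frag_off == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, frag_off, more, ports


def port_ok(sel_port: object, actual: Optional[int]) -> bool:
    if sel_port == ANY:
        return True
    if sel_port == OPAQUE:
        return actual is None          # only when the header is absent
    return actual is not None and actual == sel_port


def matches(sel: Selector, pkt: bytes) -> bool:
    """Receiver-side check of one packet against one SA's selectors."""
    src, dst, proto, _, _, ports = parse(pkt)
    if (src, dst, proto) != (sel.src, sel.dst, sel.proto):
        return False
    sp, dp = ports if ports is not None else (None, None)
    return port_ok(sel.src_port, sp) and port_ok(sel.dst_port, dp)


# Three candidate SA selectors for the same address pair.
SEL_DNS = Selector(SRC, DST, UDP, ANY, 53)          # port-specific "server" SA
SEL_FRAGS = Selector(SRC, DST, UDP, OPAQUE, OPAQUE)  # SA for non-initial fragments
SEL_ANYPORT = Selector(SRC, DST, UDP, ANY, ANY)      # no port restriction at all


def build_example() -> List[bytes]:
    """Constructed 1400-byte UDP datagram to port 53, fragmented at MTU 576."""
    data = b"x" * 1400
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return fragment(SRC, DST, UDP, udp)


if __name__ == "__main__":
    for i, f in enumerate(build_example()):
        print(i, {"dns": matches(SEL_DNS, f),
                  "frags": matches(SEL_FRAGS, f),
                  "anyport": matches(SEL_ANYPORT, f)})
```

Running it shows the shape of the problem: the first fragment is the only one a port-specific selector can accept, and the remaining fragments are accepted only by a selector whose ports are marked unavailable, or by one with no port restriction at all. A peer that routes all fragments over the port-specific SA will therefore see them rejected by a receiver that checks selectors strictly, which is exactly the interoperability question raised in the thread.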