[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SAs that carry fragments Was: Re: Some IKEv2 issues

To: "Stephen Kent" <kent@xxxxxxx>
Subject: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
From: "Michael Roe" <mroe@xxxxxxxxxxxxx>
Date: Fri, 20 Feb 2004 17:51:44 -0000
Cc: <ipsec@xxxxxxxxxxxxxxxxx>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx
Thread-index: AcP3uDs1Ywn5uBNhTaewMjUtWgZhKQAHGI1g
Thread-topic: SAs that carry fragments Was: Re: Some IKEv2 issues

>From this discussion, it would appear that there is some disagreement
about exactly which packets are matched by the "ANY" and "OPAQUE"
traffic selectors. RFC 2401 and draft-ietf-ipsec-rfc2401bis-01.txt
aren't very clear on this point. Perhaps rfc2401bis should be updated
to be more explicit about this?

It's clear that a port selector of OPAQUE will match a non-initial fragment,
and a port selector of "ANY" will match an initial fragment with a cleartext
port number in it. The slightly trickier cases are
(a) Does "OPAQUE" match an initial fragment with a cleartext port number in it?
(b) Does "ANY" match a non-initial fragment?

Rfc2401bis, section 6, says 'Thus, fragments not containing port numbers may
only match rules having port selectors of OPAQUE or "ANY"' - implying that
the answer to question (b) is yes.

I would guess that "OPAQUE" doesn't match packets in which the port numbers
are visible, but the architecture document isn't very clear.

draft-ietf-ipsec-ikev2-12.txt doesn't define separate traffic selectors for
"ANY" and "OPAQUE", it just allows a port range of 0..65535. It looks to me
as though IKEv2 is inconsistent with the architecture document.

Cheers,
Mike

Prev by Date: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by Date: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Previous by thread: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by thread: RE: SAs that carry fragments Was: Re: Some IKEv2 issues
Index(es):
- Date
- Thread