
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 17:51 +0000 2/20/04, Michael Roe wrote:
From this discussion, it would appear that there is some disagreement
about exactly which packets are matched by the "ANY" and "OPAQUE"
traffic selectors. RFC 2401 and draft-ietf-ipsec-rfc2401bis-01.txt
aren't very clear on this point. Perhaps rfc2401bis should be updated
to be more explicit about this?

Yes, we need to be more explicit, and that has motivated some of the discussion.


It's clear that a port selector of OPAQUE will match a non-initial fragment,
and a port selector of "ANY" will match an initial fragment with a cleartext
port number in it. The slightly trickier cases are
(a) Does "OPAQUE" match an initial fragment with a cleartext port number in it?
(b) Does "ANY" match a non-initial fragment?

Yes, these are the questions we are trying to resolve.


Rfc2401bis, section 6, says 'Thus, fragments not containing port numbers may
only match rules having port selectors of OPAQUE or "ANY"' - implying that
the answer to question (b) is yes.

We waffled on this, and you see the result of the waffling :-) If we don't specify different behavior for ANY vs. OPAQUE, then we need not have both, e.g., we can have just ANY.


I would guess that "OPAQUE" doesn't match packets in which the port numbers
are visible, but the architecture document isn't very clear.

That was the intent, but we need to be clear and nail it down.


draft-ietf-ipsec-ikev2-12.txt doesn't define separate traffic selectors for
"ANY" and "OPAQUE", it just allows a port range of 0..65535. It looks to me
as though IKEv2 is inconsistent with the architecture document.

Yep. We exchanged mail with Charlie K on this, and he asked us to bring it to the list for resolution.


Steve
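An added illustration of the two open questions above (not code from the thread, RFC 2401bis or IKEv2): a small model of port-selector matching where the readings of (a) and (b) are explicit switches, plus a numeric range selector to show why IKEv2's 0..65535 range cannot be compared against a non-initial fragment at all. The Packet fields and the keyword switches are assumptions made for illustration.

```python
# Added example: models ANY vs OPAQUE port-selector matching for IPv4 fragments.
# Packet, the keyword switches and the sample packets are illustrative assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ANY = "ANY"        # selector meant to accept every packet regardless of port
OPAQUE = "OPAQUE"  # selector meant for packets whose ports cannot be inspected
Selector = Union[str, Tuple[int, int]]  # ANY, OPAQUE, or an inclusive port range


@dataclass
class Packet:
    frag_offset: int         # IPv4 fragment offset; 0 for an initial fragment
    dst_port: Optional[int]  # None when the transport header is not in this fragment

    def ports_visible(self) -> bool:
        # Only an initial fragment (offset 0) that carries the transport header
        # exposes a cleartext port. Simplification: a tiny initial fragment that
        # truncates the header is modelled as dst_port=None.
        return self.frag_offset == 0 and self.dst_port is not None


def matches(sel: Selector, pkt: Packet, *,
            opaque_matches_visible: bool = False,  # question (a) in the thread
            any_matches_non_initial: bool = True   # question (b) in the thread
            ) -> bool:
    """Decide whether a selector matches a packet under a chosen reading.

    Defaults follow the intent stated in the thread: OPAQUE does not match
    packets with visible ports, and ANY does match non-initial fragments."""
    visible = pkt.ports_visible()
    if sel == OPAQUE:
        return (not visible) or opaque_matches_visible
    if sel == ANY:
        return visible or any_matches_non_initial
    lo, hi = sel                                  # numeric range, e.g. 0..65535
    return visible and lo <= pkt.dst_port <= hi   # a range needs a readable port


def decision_table(**reading) -> dict:
    """Selector x packet-kind matrix for one reading of the spec."""
    initial = Packet(frag_offset=0, dst_port=80)          # constructed sample
    non_initial = Packet(frag_offset=185, dst_port=None)  # constructed sample
    return {
        (name, kind): matches(sel, pkt, **reading)
        for name, sel in (("ANY", ANY), ("OPAQUE", OPAQUE), ("0..65535", (0, 65535)))
        for kind, pkt in (("initial", initial), ("non-initial", non_initial))
    }
```

Calling decision_table() with the defaults versus any_matches_non_initial=False shows the non-initial fragment flipping between matched and unmatched under ANY, while the 0..65535 range never matches it in either reading.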