
Issue #82: Creation of SAs -- clarifications



Parsing this text took quite a long time for me. I finally think I
managed to understand what it is trying to say, but I think the actual
text added to the final document must explain the things more clearly.

So my understanding of the issue is that this changes the text which
says that we can create SA selectors based on the packet or based on
the SPD to text which says that we can create SA selectors based on
the packet or based on the SPD, or something in between.

I.e. in addition to only taking selectors from the packet, implementations
are allowed to expand them towards the SPD selectors as much as
they like.

Original case a) allowed only very specific SA selectors based on the
packet itself. The original case b) takes the SA selectors from the
SPD. The current IKEv2 approach is that we take the selectors from the
packet and select the SPD entry which matches them and then create an SA
whose selectors are either that SPD entry or any subset of it, as long as
the packet itself fits that subset.

Is my understanding correct?

If so, I think we can approve this change, but we do need better
wording for the actual text. It took quite a lot of parsing and
thinking while trying to understand what the proposed text actually
says... 
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
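The rule restated above (SA selectors may be anything between the packet's own selectors and the matching SPD entry, provided the packet still fits) can be written down as a containment check. The following is an added example, not code from the message above or from any IPsec implementation; the selector model (address range, port range, protocol with 0 as wildcard), the SPD entry and the packet are all constructed here for illustration, using documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Selector:
    """One traffic selector: address range, port range, IP protocol.
    proto == 0 means any protocol; ports 0..65535 mean any port.
    (Constructed model for this example, not an implementation's type.)"""
    start_addr: str
    end_addr: str
    start_port: int
    end_port: int
    proto: int

    def contains(self, other: "Selector") -> bool:
        """True if every flow matched by `other` is also matched by self."""
        if self.proto != 0 and self.proto != other.proto:
            return False
        lo, hi = int(ip_address(self.start_addr)), int(ip_address(self.end_addr))
        olo, ohi = int(ip_address(other.start_addr)), int(ip_address(other.end_addr))
        if not (lo <= olo and ohi <= hi):
            return False
        return self.start_port <= other.start_port and other.end_port <= self.end_port


@dataclass(frozen=True)
class Pair:
    """A (local, remote) selector pair, used here for both SPD entries and SAs."""
    local: Selector
    remote: Selector

    def contains(self, other: "Pair") -> bool:
        return self.local.contains(other.local) and self.remote.contains(other.remote)


def packet_selectors(src: str, sport: int, dst: str, dport: int, proto: int) -> Pair:
    """Original case a): selectors taken from the packet itself
    (a single address, port and protocol on each side)."""
    return Pair(Selector(src, src, sport, sport, proto),
                Selector(dst, dst, dport, dport, proto))


def lookup_spd(pkt: Pair, spd: List[Pair]) -> Optional[Pair]:
    """First SPD entry whose selectors cover the packet (ordered SPD, first match wins)."""
    for entry in spd:
        if entry.contains(pkt):
            return entry
    return None


def sa_selectors_acceptable(pkt: Pair, spd_entry: Pair, proposed: Pair) -> bool:
    """The IKEv2 rule as described in the message: the SA's selectors may be the
    matching SPD entry or any subset of it, provided the packet still fits."""
    return spd_entry.contains(proposed) and proposed.contains(pkt)


# Constructed sample data (not from the message): one SPD entry covering
# 10.0.0.0/24 <-> 192.0.2.0/24 for any port and protocol, and one TCP packet.
SPD = [Pair(Selector("10.0.0.0", "10.0.0.255", 0, 65535, 0),
            Selector("192.0.2.0", "192.0.2.255", 0, 65535, 0))]
PACKET = packet_selectors("10.0.0.5", 40000, "192.0.2.7", 443, 6)


def demo() -> Dict[str, bool]:
    """Evaluate the three positions the message describes plus two rejects."""
    entry = lookup_spd(PACKET, SPD)
    if entry is None:
        raise RuntimeError("packet matches no SPD entry")
    # "Something in between": local side widened to the SPD range, remote
    # side kept as narrow as the packet.
    between = Pair(Selector("10.0.0.0", "10.0.0.255", 0, 65535, 6),
                   Selector("192.0.2.7", "192.0.2.7", 443, 443, 6))
    # Wider than the SPD entry on the local side: must be rejected.
    too_wide = Pair(Selector("10.0.0.0", "10.0.1.255", 0, 65535, 0), entry.remote)
    # Subset of the SPD entry, but the triggering packet (port 443) no longer fits.
    too_narrow = Pair(entry.local, Selector("192.0.2.7", "192.0.2.7", 80, 80, 6))
    return {
        "packet_only": sa_selectors_acceptable(PACKET, entry, PACKET),    # case a)
        "whole_spd": sa_selectors_acceptable(PACKET, entry, entry),       # case b)
        "between": sa_selectors_acceptable(PACKET, entry, between),       # IKEv2
        "wider_than_spd": sa_selectors_acceptable(PACKET, entry, too_wide),
        "excludes_packet": sa_selectors_acceptable(PACKET, entry, too_narrow),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two rejected cases are the ones worth keeping in mind when reading the proposed text: widening past the SPD entry would let traffic the policy never authorised onto the SA, and narrowing below the packet would leave the very packet that triggered SA creation without an SA to use.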