
SAs that carry fragments Was: Re: Some IKEv2 issues



Tero,

>	4) Fragment only SA, and non-initial fragments

> point 4 should be left out, as fragment-only SAs (issues 81 and 49)
> in RFC 2401 were rejected, i.e. there is no need to change anything
> in the IKEv2 document because of that

My understanding was that the WG rejected the proposal of creating a
special SA that *only* carried non-initial fragments, not that the
WG rejected affording fragments (other than IPv4 in transport mode)
IPsec protection.

The issue that has to be resolved is how fragments are identified (a
local issue) and communicated using IKEv2's Traffic Selector
mechanism.  Fragments can then be directed to *an appropriate SA* that
is, or may be, carrying other, non-fragmented, traffic.

Since the transport-layer selectors are not available in fragments,
they are OPAQUE.  Thus fragments of TCP packets between A and B could
be specified as:

    TS {
        TSi { ...
              {IP=A, Protocol=TCP, Port=OPAQUE(start=65535,end=0)}
              ...
            }
        TSr { ...
              {IP=B, Protocol=TCP, Port=OPAQUE}
              ...
            }
       }

alternatively, one could use:

    TS {
        TSi { ...
              {IP=A, Protocol=Fragment(61), Port=TCP}
              ...
            }
        TSr { ...
              {IP=B, Protocol=Fragment(61), Port=TCP}
              ...
            }
       }

I think that the IKEv2 document needs to specify which encoding, one
of the above or something someone else suggests, MUST be used to
enable interoperability.

Charlie
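An added worked example, not part of the mail above or of any IKEv2 implementation, showing the first encoding Charlie proposes: the OPAQUE port range (Start Port 65535, End Port 0) in a TS_IPV4_ADDR_RANGE Traffic Selector substructure as later fixed in RFC 7296 section 3.13.1, and a small classifier that decides whether an IPv4 packet may be steered to the SA those selectors describe. Non-initial fragments carry no transport header, so they can only match selectors whose port range is OPAQUE or ANY; a whole TCP segment with visible ports never matches OPAQUE. The addresses A = 10.0.0.1 and B = 10.0.0.2, the packets, and all function names are constructed for the example; the Fragment(61) alternative from the mail is not modelled, since no RFC defines its encoding.

```python
"""Added example: IKEv2 Traffic Selectors with OPAQUE ports and fragment matching."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from socket import inet_aton

TS_IPV4_ADDR_RANGE = 7        # TS Type from RFC 7296 section 3.13.1
IPPROTO_TCP = 6
OPAQUE_PORTS = (65535, 0)     # start > end encodes OPAQUE (RFC 7296 3.13.1, RFC 4301 4.4.1.1)
ANY_PORTS = (0, 65535)        # ANY covers all port values, OPAQUE included


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                # IP Protocol ID, 0 = any protocol
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str

    def ports(self):
        return (self.start_port, self.end_port)

    def encode(self) -> bytes:
        """Serialise as one 16-byte TS_IPV4_ADDR_RANGE substructure (length includes header)."""
        return struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, self.proto, 16,
                           self.start_port, self.end_port,
                           inet_aton(self.start_addr), inet_aton(self.end_addr))

    @classmethod
    def decode(cls, data: bytes) -> "TrafficSelector":
        ts_type, proto, length, sp, ep, sa, ea = struct.unpack("!BBHHH4s4s", data[:16])
        if ts_type != TS_IPV4_ADDR_RANGE or length != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled in this example")
        return cls(proto, sp, ep, str(IPv4Address(sa)), str(IPv4Address(ea)))


def build_ipv4(src, dst, proto, frag_offset, more_frags, payload):
    """Constructed IPv4 packet: minimal 20-byte header, checksum left as zero."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Extract the selector-relevant fields; ports are None when not visible."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    ports = None
    # Ports exist only in the first (or only) fragment of TCP/UDP/SCTP, and only
    # if that fragment actually carries the 4-byte port pair.
    if frag_offset == 0 and proto in (6, 17, 132) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": proto, "non_initial_fragment": frag_offset != 0, "ports": ports}


def _addr_in(ts, addr):
    return IPv4Address(ts.start_addr) <= IPv4Address(addr) <= IPv4Address(ts.end_addr)


def _port_ok(ts, port, ports_available):
    if not ports_available:
        # No transport header to inspect: only OPAQUE or ANY selectors may match.
        return ts.ports() in (OPAQUE_PORTS, ANY_PORTS)
    return ts.start_port <= port <= ts.end_port   # 65535..0 can never contain a port


def packet_matches(tsi, tsr, pkt):
    """Initiator-side view: source must fall in TSi, destination in TSr."""
    p = parse_ipv4(pkt)
    if any(ts.proto not in (0, p["proto"]) for ts in (tsi, tsr)):
        return False
    have_ports = p["ports"] is not None
    sport, dport = p["ports"] if have_ports else (None, None)
    return (_addr_in(tsi, p["src"]) and _addr_in(tsr, p["dst"])
            and _port_ok(tsi, sport, have_ports) and _port_ok(tsr, dport, have_ports))


A, B = "10.0.0.1", "10.0.0.2"   # constructed stand-ins for the mail's hosts A and B
TSI_FRAG = TrafficSelector(IPPROTO_TCP, *OPAQUE_PORTS, A, A)   # {IP=A, TCP, Port=OPAQUE}
TSR_FRAG = TrafficSelector(IPPROTO_TCP, *OPAQUE_PORTS, B, B)   # {IP=B, TCP, Port=OPAQUE}
TSI_ANY = TrafficSelector(IPPROTO_TCP, *ANY_PORTS, A, A)
TSR_ANY = TrafficSelector(IPPROTO_TCP, *ANY_PORTS, B, B)

# Constructed packets: a whole TCP segment A:40000 -> B:443, and a non-initial
# fragment (offset 185 * 8 bytes) of a large segment between the same hosts.
TCP_WHOLE = build_ipv4(A, B, IPPROTO_TCP, 0, False,
                       struct.pack("!HH", 40000, 443) + b"\x00" * 16)
TCP_NON_INITIAL_FRAG = build_ipv4(A, B, IPPROTO_TCP, 185, False, b"\xAA" * 32)


def demo():
    return {
        "roundtrip": TrafficSelector.decode(TSI_FRAG.encode()) == TSI_FRAG,
        "frag_matches_opaque": packet_matches(TSI_FRAG, TSR_FRAG, TCP_NON_INITIAL_FRAG),
        "whole_matches_opaque": packet_matches(TSI_FRAG, TSR_FRAG, TCP_WHOLE),
        "frag_matches_any": packet_matches(TSI_ANY, TSR_ANY, TCP_NON_INITIAL_FRAG),
        "whole_matches_any": packet_matches(TSI_ANY, TSR_ANY, TCP_WHOLE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical point is the asymmetry: a selector pair with OPAQUE ports admits only packets whose ports are not visible, so an SA built from it carries non-initial fragments and nothing else, while an ANY-port pair on the same hosts admits both the fragments and the whole segments. Which of the two a gateway should negotiate is exactly the interoperability question the mail raises; both encodings decode unambiguously with the 16-byte substructure above, which is why the choice has to be pinned down in the specification rather than left to each implementation.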