
Re: SAs that carry fragments Was: Re: Some IKEv2 issues



Tero,

In 2401, and so far in 2401bis, we have distinguished between ANY and 
OPAQUE. If we decide to continue to do that, then at a minimum, we 
would not consider a fragment with no port fields to match an SA that 
allowed traffic with ANY as the value for port fields.

Also, if an IPsec implementation has two SAs between the same 
source/dest address pairs, and with the same protocol value(s), but 
distinguishes traffic based on specific (vs. ANY) port fields, then a 
non-initial fragment cannot be mapped to either SA unambiguously. An 
analogous problem arises if there is just one extant SA that matches 
the addresses and protocol, and we are forced to search the SPD to 
see if another SA might be appropriate. These observations motivate 
use of a separate SA to carry fragments, right?


Steve
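As an added illustration (not part of the message above, and not code from any IPsec implementation), the following Python model shows the selector-matching behaviour the message describes: a port selector of ANY accepts any port value but still requires the port fields to be present, OPAQUE matches only packets whose port fields are unavailable (non-initial fragments), and a specific port matches only that value. The SA names, addresses and packets are constructed for the example; `naive_matches`, which ignores port selectors when the packet carries no port fields, is included only to show the ambiguity the message warns about.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Port selector values, as distinguished in the message: ANY accepts any
# port but the ports must be present; OPAQUE matches only when the port
# fields are not available (e.g. a non-initial fragment).
ANY = "ANY"
OPAQUE = "OPAQUE"
PortSelector = Union[int, str]


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: int
    src_port: PortSelector
    dst_port: PortSelector


@dataclass(frozen=True)
class SA:
    name: str          # constructed label for the example
    selector: Selector


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    # None models a non-initial fragment: the IP header (and so the
    # protocol field) is present, but the transport header with the
    # port fields is not.
    src_port: Optional[int]
    dst_port: Optional[int]


def port_matches(sel_port: PortSelector, pkt_port: Optional[int]) -> bool:
    """Apply one port selector to one packet port under ANY/OPAQUE rules."""
    if sel_port == OPAQUE:
        return pkt_port is None          # only fragments without ports
    if sel_port == ANY:
        return pkt_port is not None      # any port, but it must be present
    return pkt_port == sel_port          # specific port value


def sa_matches(sa: SA, pkt: Packet) -> bool:
    s = sa.selector
    return (s.src == pkt.src and s.dst == pkt.dst and s.proto == pkt.proto
            and port_matches(s.src_port, pkt.src_port)
            and port_matches(s.dst_port, pkt.dst_port))


def matching_sas(sad: List[SA], pkt: Packet) -> List[str]:
    """Names of all SAs whose selectors match the packet (ANY/OPAQUE rules)."""
    return [sa.name for sa in sad if sa_matches(sa, pkt)]


def naive_matches(sad: List[SA], pkt: Packet) -> List[str]:
    """Hypothetical matcher that simply skips port checks when the packet
    has no port fields: this is what makes a fragment ambiguous."""
    out = []
    for sa in sad:
        s = sa.selector
        if s.src == pkt.src and s.dst == pkt.dst and s.proto == pkt.proto:
            if pkt.src_port is None or (port_matches(s.src_port, pkt.src_port)
                                        and port_matches(s.dst_port, pkt.dst_port)):
                out.append(sa.name)
    return out


# Constructed SAD: two SAs distinguished only by destination port, plus a
# separate SA dedicated to fragments (OPAQUE port selectors).
HOST_A, HOST_B, TCP = "10.0.0.1", "10.0.0.2", 6
SA_SSH = SA("ssh", Selector(HOST_A, HOST_B, TCP, ANY, 22))
SA_HTTP = SA("http", Selector(HOST_A, HOST_B, TCP, ANY, 80))
SA_FRAG = SA("frag", Selector(HOST_A, HOST_B, TCP, OPAQUE, OPAQUE))
SAD_PORTS_ONLY = [SA_SSH, SA_HTTP]
SAD_WITH_FRAG_SA = [SA_SSH, SA_HTTP, SA_FRAG]

# Constructed packets: an unfragmented TCP segment to port 22, and a
# non-initial fragment of some TCP datagram between the same hosts.
PKT_TCP22 = Packet(HOST_A, HOST_B, TCP, 40000, 22)
PKT_FRAGMENT = Packet(HOST_A, HOST_B, TCP, None, None)

if __name__ == "__main__":
    print("tcp/22   ->", matching_sas(SAD_WITH_FRAG_SA, PKT_TCP22))
    print("fragment ->", matching_sas(SAD_WITH_FRAG_SA, PKT_FRAGMENT))
    print("fragment, no fragment SA ->", matching_sas(SAD_PORTS_ONLY, PKT_FRAGMENT))
    print("fragment, naive matcher  ->", naive_matches(SAD_PORTS_ONLY, PKT_FRAGMENT))
```

Run stand-alone, the model shows the unfragmented segment mapping only to the ssh SA, the fragment mapping only to the dedicated fragment SA, and, without that SA, the fragment matching nothing under the ANY/OPAQUE rules while the naive matcher reports both port-distinguished SAs as candidates, which is the ambiguity that motivates carrying fragments on their own SA.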