Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Tero,
In 2401, and so far in 2401bis, we have distinguished between ANY and
OPAQUE. If we decide to continue to do that, then at a minimum, we
would not consider a fragment with no port fields to match an SA that
allowed traffic with ANY as the value for port fields.
Also, if an IPsec implementation has two SAs between the same
source/dest address pairs, and with the same protocol value(s), but
distinguished traffic based on specific (vs. ANY) port fields, then a
non-initial fragment cannot be mapped to either SA unambiguously. An
analogous problem arises if there is just one extant SA that matches
the addresses and protocol, and we are forced to search the SPD to
see if another SA might be appropriate. These observations motivate
use of a separate SA to carry fragments, right?
Steve
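The matching problem described in the message above, as an added illustration that is not part of the thread or of any IPsec implementation: a toy selector matcher that keeps (or drops) the ANY/OPAQUE distinction for a non-initial fragment with no port fields. The SA names, addresses, the "distinguish_opaque" switch and the treatment of an absent port as a wildcard when that switch is off are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "ANY"        # selector wildcard: matches any port value that is present
OPAQUE = "OPAQUE"  # selector value: matches only packets whose ports are unavailable
PortSel = Union[int, str]

@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: int
    src_port: PortSel
    dst_port: PortSel

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int]  # None: port field absent (non-initial fragment)
    dst_port: Optional[int]

def port_matches(sel: PortSel, pkt: Optional[int], distinguish_opaque: bool) -> bool:
    """distinguish_opaque=True keeps the ANY/OPAQUE distinction from the message;
    False treats an absent port as matching anything (assumed alternative)."""
    if pkt is None:
        return sel == OPAQUE if distinguish_opaque else True
    if sel == OPAQUE:
        return False
    return sel == ANY or sel == pkt

def matching_sas(sas: List[Tuple[str, Selector]], p: Packet,
                 distinguish_opaque: bool = True) -> List[str]:
    """Names of every SA whose selectors match the packet (more than one = ambiguous)."""
    return [name for name, s in sas
            if (s.src, s.dst, s.proto) == (p.src, p.dst, p.proto)
            and port_matches(s.src_port, p.src_port, distinguish_opaque)
            and port_matches(s.dst_port, p.dst_port, distinguish_opaque)]

# Constructed sample: two SAs between the same address pair and protocol (TCP),
# distinguished only by destination port, plus a separate SA for fragments.
SAS = [("sa_http", Selector("10.0.0.1", "10.0.0.2", 6, ANY, 80)),
       ("sa_ssh",  Selector("10.0.0.1", "10.0.0.2", 6, ANY, 22))]
SAS_WITH_FRAG = SAS + [("sa_frag", Selector("10.0.0.1", "10.0.0.2", 6, OPAQUE, OPAQUE))]
INITIAL = Packet("10.0.0.1", "10.0.0.2", 6, 40000, 80)      # transport header present
NON_INITIAL = Packet("10.0.0.1", "10.0.0.2", 6, None, None)  # no port fields

if __name__ == "__main__":
    print(matching_sas(SAS, NON_INITIAL, distinguish_opaque=False))  # ['sa_http', 'sa_ssh']
    print(matching_sas(SAS, NON_INITIAL))                            # []
    print(matching_sas(SAS_WITH_FRAG, NON_INITIAL))                  # ['sa_frag']
```

Without the distinction the fragment matches both port-specific SAs (the ambiguity in the message); with it, the fragment matches neither, and only a separate OPAQUE SA carries it.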