
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



Steve

How often do we see multiple IPSEC SAs between the same two peers
protecting different ports (or in general different selector sets)?

There are better and straightforward ways of getting around the
issue of fragmented packets in the implementation
without requiring a separate SA for fragments.

As a side-note, configuring even the most basic traffic selectors in
some host OSes that are widely deployed is a big chore (really
hit-and-miss).
The most deployed IPSEC scenarios supporting road warriors don't even
use a traffic selector at the head-end.

Regards,

Bora


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Stephen Kent
> Sent: Thursday, February 19, 2004 8:09 AM
> To: Tero Kivinen
> Cc: Charles Lynn; ipsec@lists.tislabs.com
> Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
> 
> 
> Tero,
> 
> In 2401, and so far in 2401bis, we have distinguished between ANY and 
> OPAQUE. If we decide to continue to do that, then at a minimum, we 
> would not consider a fragment with no port fields to match an SA that 
> allowed traffic with ANY as the value for port fields.
> 
> Also, if an IPsec implementation has two SAs between the same 
> source/dest address pairs, and with the same protocol value(s), but 
> distinguished traffic based on specific (vs. ANY) port fields, then a 
> non-initial fragment cannot be mapped to either SA unambiguously. An 
> analogous problem arises if there is just one extant SA that matches 
> the addresses and protocol, and we are forced to search the SPD to 
> see if another SA might be appropriate. These observations motivate 
> use of a separate SA to carry fragments, right?
> 
> 
> Steve
>
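The two-SA ambiguity in Steve's quoted message, modelled as an added Python example (not code from this thread or from any IPsec implementation). The addresses, SA names and the `distinguish_opaque` flag are constructed assumptions; the flag lets the same model show both the 2401 ANY/OPAQUE rule and the alternative where ANY also covers a missing port.

```python
from collections import namedtuple

ANY = "ANY"        # 2401 selector value: matches any port value that is present
OPAQUE = "OPAQUE"  # selector value: matches packets whose port fields are unavailable

SA = namedtuple("SA", "name src dst proto src_port dst_port")   # src/dst_port: int, ANY or OPAQUE
Packet = namedtuple("Packet", "src dst proto src_port dst_port")  # port None = field absent

def port_matches(sel, port, distinguish_opaque):
    """One port field. With distinguish_opaque=True (the 2401 rule in the quoted
    message) a missing port matches only OPAQUE; with False, ANY covers it too."""
    if port is None:  # non-initial fragment: no transport header to read
        return sel == OPAQUE or (sel == ANY and not distinguish_opaque)
    return sel == ANY or sel == port

def select_sa(pkt, sad, distinguish_opaque=True):
    """SAs whose selectors actually match the packet (normal SAD lookup)."""
    return [sa for sa in sad
            if (sa.src, sa.dst, sa.proto) == (pkt.src, pkt.dst, pkt.proto)
            and port_matches(sa.src_port, pkt.src_port, distinguish_opaque)
            and port_matches(sa.dst_port, pkt.dst_port, distinguish_opaque)]

def could_carry(frag, sad):
    """SAs a non-initial fragment might belong to: its ports are unknown, so every
    port-specific SA on the same address/protocol pair is a candidate."""
    return [sa for sa in sad
            if (sa.src, sa.dst, sa.proto) == (frag.src, frag.dst, frag.proto)
            and OPAQUE not in (sa.src_port, sa.dst_port)]

# Constructed sample: two port-specific SAs between one peer pair, plus one
# separate SA whose OPAQUE selectors exist only to carry fragments.
A, B, TCP = "192.0.2.1", "198.51.100.7", 6
SA_HTTP = SA("sa-http", A, B, TCP, ANY, 80)
SA_SSH = SA("sa-ssh", A, B, TCP, ANY, 22)
SA_FRAG = SA("sa-frag", A, B, TCP, OPAQUE, OPAQUE)
FRAG = Packet(A, B, TCP, None, None)

def demo():
    """Returns SA names for: fragment vs port-specific SAs only (nothing matches),
    the SAs it could nevertheless belong to (ambiguous), and the lookup once the
    fragment SA is present (unique)."""
    no_match = select_sa(FRAG, [SA_HTTP, SA_SSH])
    ambiguous = could_carry(FRAG, [SA_HTTP, SA_SSH])
    unique = select_sa(FRAG, [SA_HTTP, SA_SSH, SA_FRAG])
    return ([s.name for s in no_match], [s.name for s in ambiguous],
            [s.name for s in unique])

if __name__ == "__main__":
    print(demo())  # ([], ['sa-http', 'sa-ssh'], ['sa-frag'])
```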