
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



Thanks for the comments, please see inline.

> -----Original Message-----
> From: Nicolas Williams [mailto:Nicolas.Williams@sun.com] 
> Sent: Thursday, February 19, 2004 11:05 AM
> To: Bora Akyol
> Cc: 'Stephen Kent'; 'Tero Kivinen'; Barbara Fraser; 'Charles 
> Lynn'; ipsec@lists.tislabs.com
> Subject: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
> 
> 
> On Thu, Feb 19, 2004 at 10:41:38AM -0800, Bora Akyol wrote:
> > Steve
> > 
> > How often do we see multiple IPSEC SAs between the same two peers 
> > protecting different ports (or in general different selector sets)?
> 
> Consider cases where one peer is a multi-user system and 
> different connections are protected by [likely 
> transport-mode] SAs with different IDs for different users.  
> I would not want such scenarios to be precluded.
> 

And they don't need to be; I just think that creating a separate SA
for the fragments is unnecessary. How to handle fragments is
a topic better left to the implementer. 
Current IKE semantics allow this granularity BTW.

OTOH, I think implementing the functionality you specify above in 
a multi-user kernel would be quite the challenge :-) Sounds like an
excellent project indeed.

Bora