
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 10:41 -0800 2/19/04, Bora Akyol wrote:
>Steve
>
>How often do we see multiple IPSEC SAs between the same two peers
>protecting different ports (or in general different selector sets)?

I don't know, but I do know that we have mandated the ability to 
support this for over 5 years.

>There are better and straightforward ways of getting around the
>issue of fragmented packets in the implementation
>without requiring a separate SA for fragments.

What are they, and why are they better?

>As a side-note, configuring even the most basic traffic selectors in
>some host OS that are widely-deployed is a big chore (really
>hit-and-miss).
>The most deployed IPSEC scenarios supporting road warriors don't even
>use a traffic
>selector at the head-end.

I am aware of at least one very poor, definitely non-conforming, 
management UI for a widely deployed IPsec implementation.  But I 
don't think that a vendor's failures in this area ought to dictate 
our standards going forward.

Steve