
Traffic Selectors (was SA fragments)



I think there is agreement that port-based selectors
do not make sense for tunnel mode.

#1 use of transport mode SAs that I have seen is
GRE over IPSEC which also does not require port
selectors.

The other application of transport mode is communication
between two hosts. Nicolas brought up an excellent
point of a multi-user system where each socket can
require a different security protection level.
Even though the current socket APIs that I am aware of
are not capable of specifying a security protection grade,
I am sure this can be put in with some work. There is also 
the security policy management issue of how does an application
decide the security grade and is it better off using TLS, but that
is another nest of worms.

So based on this I would like to propose the following text
for traffic selectors (and please feel free to edit
and comment):
 ---
All IKE implementations MUST be able to negotiate IPSEC SAs 
based on tuples of {IP Source Address/Mask, IP Destination Address/Mask,
IP Protocol}.
Additionally, an implementation MAY support any traffic selector
of the form (Offset, Length, Value, Mask) where:

Offset: Offset of the field from the end of the IP version field in the
IP header.
Length: Length of the field being compared for SPD determination.
Value: Value of the field.
Mask: A bitmask that can be used for masking the value.

 ---

Note that range specifications are limited to bit boundaries for these
fields, but this should not be a significant limitation. If the word MAY
is too weak for optional selectors, it can be changed to a SHOULD.

Comments?

Bora
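As an added illustration (not part of Bora's message or of any IETF draft text), the proposed (Offset, Length, Value, Mask) selector applied to a constructed IPv4/TCP header, showing that both the mandatory {src/mask, dst/mask, protocol} tuple and a port selector are expressible in the generic form. It assumes Offset and Length are counted in bits from the end of the 4-bit version field, and that the fixed offsets presume a 20-byte IPv4 header (IHL = 5, no options); the constructed packet and helper names are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """Generic selector. Assumption: offset/length are bit counts, offset
    measured from the end of the 4-bit IP version field (bit 4 of the header)."""
    offset: int
    length: int
    value: int
    mask: int


def extract_bits(packet: bytes, bit_offset: int, length: int) -> int:
    """Return `length` bits of `packet` starting at absolute bit `bit_offset`."""
    total = len(packet) * 8
    if bit_offset + length > total:
        raise ValueError("selector field lies beyond the packet")
    shift = total - bit_offset - length
    return (int.from_bytes(packet, "big") >> shift) & ((1 << length) - 1)


def matches(packet: bytes, sel: Selector) -> bool:
    field = extract_bits(packet, 4 + sel.offset, sel.length)
    return (field & sel.mask) == (sel.value & sel.mask)


def policy_matches(packet: bytes, selectors: list[Selector]) -> bool:
    return all(matches(packet, s) for s in selectors)


def mandatory_tuple(src: str, dst: str, proto: int) -> list[Selector]:
    """The MUST-support {src/mask, dst/mask, protocol} tuple as three generic
    selectors over a fixed IPv4 header (protocol byte 9, src byte 12, dst byte 16)."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    return [
        Selector(68, 8, proto, 0xFF),
        Selector(92, 32, int(s.network_address), int(s.netmask)),
        Selector(124, 32, int(d.network_address), int(d.netmask)),
    ]


def tcp_dst_port(port: int) -> Selector:
    """Port selector: TCP destination port sits at bytes 22-23 when IHL = 5."""
    return Selector(172, 16, port, 0xFFFF)


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    # Constructed sample: minimal IPv4 header (checksum left zero) + TCP port pair.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!HH", sport, dport)


SAMPLE = build_packet("10.0.0.1", "10.0.0.2", 6, 40000, 443)
```

Note that a selector expressed as a fixed offset silently breaks once IP options change the header length, which is the caveat a generic offset-based form carries over the named tuple.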