RE: SAs that carry fragments Was: Re: Some IKEv2 issues

From this discussion, it would appear that there is some disagreement
about exactly which packets are matched by the "ANY" and "OPAQUE"
traffic selectors. RFC 2401 and draft-ietf-ipsec-rfc2401bis-01.txt
aren't very clear on this point. Perhaps rfc2401bis should be updated
to be more explicit about this?

It's clear that a port selector of OPAQUE will match a non-initial fragment,
and a port selector of "ANY" will match an initial fragment with a cleartext
port number in it. The slightly trickier cases are
(a) Does "OPAQUE" match an initial fragment with a cleartext port number in it?
(b) Does "ANY" match a non-initial fragment?

Rfc2401bis, section 6, says 'Thus, fragments not containing port numbers may
only match rules having port selectors of OPAQUE or "ANY"' - implying that
the answer to question (b) is yes.

I would guess that "OPAQUE" doesn't match packets in which the port numbers
are visible, but the architecture document isn't very clear.

draft-ietf-ipsec-ikev2-12.txt doesn't define separate traffic selectors for
"ANY" and "OPAQUE", it just allows a port range of 0..65535. It looks to me
as though IKEv2 is inconsistent with the architecture document.

Cheers,
Mike
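To make the two readings concrete, here is an added illustration (not code from the thread, the RFCs or any IPsec implementation) of a selector check that follows the interpretation the message arrives at: "ANY" matches a packet whether or not its ports are visible, "OPAQUE" matches only when the port numbers are not visible, and an explicit port range matches only a visible port. The packet builder, the `PortSel` names and the selector dictionaries are assumptions made for the example; the checksum is left zero because nothing here inspects it.

```python
import struct
from enum import Enum

class PortSel(Enum):
    ANY = "ANY"        # matches regardless of whether ports are visible
    OPAQUE = "OPAQUE"  # matches only packets whose ports cannot be inspected

def build_ipv4(proto, frag_offset, more_frags, payload):
    """Constructed 20-byte IPv4 header (no options) followed by payload."""
    flags_off = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (protocol, src_port, dst_port); ports are None when not visible,
    i.e. for a non-initial fragment or a fragment too short to carry them."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if frag_offset != 0:                      # non-initial fragment: no transport header
        return proto, None, None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, sport, dport
    return proto, None, None

def port_matches(sel, port):
    """sel is PortSel.ANY, PortSel.OPAQUE or an inclusive (lo, hi) tuple."""
    if sel is PortSel.ANY:
        return True                 # reading of rfc2401bis sec. 6: ANY covers fragments too
    if sel is PortSel.OPAQUE:
        return port is None         # assumed reading: only when the port is not visible
    return port is not None and sel[0] <= port <= sel[1]

def selector_matches(selector, pkt):
    proto, sport, dport = parse_ipv4(pkt)
    if selector["proto"] != proto:
        return False
    return port_matches(selector["src"], sport) and port_matches(selector["dst"], dport)

# Constructed sample packets: an initial fragment carrying TCP 1234 -> 80,
# and a non-initial fragment (offset 185, MF clear) of the same datagram.
INITIAL_FRAG = build_ipv4(6, 0, True, struct.pack("!HH", 1234, 80) + b"\x00" * 16)
NON_INITIAL_FRAG = build_ipv4(6, 185, False, b"\x00" * 20)

SEL_ANY = {"proto": 6, "src": PortSel.ANY, "dst": PortSel.ANY}
SEL_OPAQUE = {"proto": 6, "src": PortSel.OPAQUE, "dst": PortSel.OPAQUE}
SEL_HTTP = {"proto": 6, "src": PortSel.ANY, "dst": (80, 80)}
```

Under this reading the non-initial fragment matches both SEL_ANY and SEL_OPAQUE but not SEL_HTTP, while the initial fragment matches SEL_ANY and SEL_HTTP but not SEL_OPAQUE; an implementation that instead lets OPAQUE match visible ports would change only the `PortSel.OPAQUE` branch.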