
RE: SAs that carry fragments Was: Re: Some IKEv2 issues



At 17:51 +0000 2/20/04, Michael Roe wrote:
>From this discussion, it would appear that there is some disagreement
>about exactly which packets are matched by the "ANY" and "OPAQUE"
>traffic selectors. RFC 2401 and draft-ietf-ipsec-rfc2401bis-01.txt
>aren't very clear on this point. Perhaps rfc2401bis should be updated
>to be more explicit about this?

yes, we need to be more explicit, and that has motivated some of the 
discussion.

>It's clear that a port selector of OPAQUE will match a non-initial fragment,
>and a port selector of "ANY" will match an initial fragment with a cleartext
>port number in it. The slightly trickier cases are
>(a) Does "OPAQUE" match an initial fragment with a cleartext port 
>number in it?
>(b) Does "ANY" match a non-initial fragment?

yes, these are the questions we are trying to resolve.

>Rfc2401bis, section 6, says 'Thus, fragments not containing port numbers may
>only match rules having port selectors of OPAQUE or "ANY"' - implying that
>the answer to question (b) is yes.

we waffled on this, and you see the result of the waffling :-) if we 
don't specify different behavior for ANY vs. OPAQUE, then we need not 
have both, e.g., we can have just ANY.

>I would guess that "OPAQUE" doesn't match packets in which the port numbers
>are visible, but the architecture document isn't very clear.

that was the intent, but we need to be clear and nail it down.

>draft-ietf-ipsec-ikev2-12.txt doesn't define separate traffic selectors for
>"ANY" and "OPAQUE", it just allows a port range of 0..65535. It looks to me
>as though IKEv2 is inconsistent with the architecture document.

Yep. We exchanged mail with Charlie K on this, and he asked us to 
bring it to the list for resolution.

Steve
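The matching question under discussion, as an added example (not code from the IPsec WG, from any RFC, or from any IKE/IPsec implementation): a small SPD matcher in Python that implements the reading of rfc2401bis Section 6 described above, namely that ANY matches both packets with visible ports and non-initial fragments, that OPAQUE matches only packets whose ports are not visible, and (an assumption of this example, not something the thread settles) that a numeric port range matches only packets whose ports are visible. The IPv4 builder, the sample datagrams, the addresses, the SPD entries and the action names are all constructed for the illustration; only the Python standard library is used.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Port selector forms from the thread: ANY, OPAQUE, or an inclusive numeric
# range (lo, hi).  IKEv2-12 can express only the numeric range.
ANY = "ANY"
OPAQUE = "OPAQUE"
PortSelector = Union[str, Tuple[int, int]]

# SPD entry: (IP protocol, source port selector, dest port selector, action).
SpdEntry = Tuple[int, PortSelector, PortSelector, str]


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    offset: int              # fragment offset, in 8-octet units
    more: bool               # MF flag
    src_port: Optional[int]  # None when the port field is not visible
    dst_port: Optional[int]


def parse_ipv4(raw: bytes) -> Packet:
    """Parse just enough IPv4 header to classify a datagram for SPD lookup.

    Ports are read only when actually present: offset 0, TCP/UDP, and at
    least four payload octets.  An initial fragment too short to carry the
    port fields is classified like a non-initial one (this example's own
    choice, not text from the thread).
    """
    (ver_ihl, _tos, total_len, _ident, flags_off,
     _ttl, proto, _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_off & 0x1FFF
    more = bool(flags_off & 0x2000)
    payload = raw[ihl:total_len]
    src_port = dst_port = None
    if offset == 0 and proto in (6, 17) and len(payload) >= 4:
        src_port, dst_port = struct.unpack("!HH", payload[:4])
    return Packet(proto, ".".join(map(str, s)), ".".join(map(str, d)),
                  offset, more, src_port, dst_port)


def port_matches(sel: PortSelector, port: Optional[int]) -> bool:
    """The reading of rfc2401bis modelled here (an assumption, see lead-in)."""
    if sel == ANY:
        return True                 # visible ports and non-initial fragments
    if sel == OPAQUE:
        return port is None         # only packets whose ports are not visible
    lo, hi = sel
    return port is not None and lo <= port <= hi


def lookup(spd: List[SpdEntry], pkt: Packet) -> str:
    """First-match SPD lookup; no matching entry means DISCARD."""
    for proto, src_sel, dst_sel, action in spd:
        if (proto == pkt.proto
                and port_matches(src_sel, pkt.src_port)
                and port_matches(dst_sel, pkt.dst_port)):
            return action
    return "DISCARD"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes,
               offset: int = 0, more: bool = False) -> bytes:
    """Build a constructed IPv4 datagram (header checksum left zero)."""
    flags_off = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                      flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed samples: a TCP segment to port 80 (ports followed by 16 zero
# octets of TCP header), unfragmented, and split into initial/non-initial.
TCP_HDR = struct.pack("!HH", 40000, 80) + bytes(16)
WEB_FULL = build_ipv4(6, "10.0.0.1", "10.0.0.2", TCP_HDR)
WEB_FIRST = build_ipv4(6, "10.0.0.1", "10.0.0.2", TCP_HDR, more=True)
WEB_REST = build_ipv4(6, "10.0.0.1", "10.0.0.2", bytes(24), offset=3)

# Constructed SPDs: one with the architecture document's selectors, one
# restricted to what IKEv2-12 can negotiate (a 0..65535 range).
SPD_ARCH = [
    (6, ANY, (80, 80), "PROTECT via web SA"),
    (6, OPAQUE, OPAQUE, "PROTECT via fragment SA"),
]
SPD_IKEV2_RANGE = [
    (6, (0, 65535), (0, 65535), "PROTECT via all-TCP SA"),
]

if __name__ == "__main__":
    for name, raw in (("full", WEB_FULL), ("first", WEB_FIRST), ("rest", WEB_REST)):
        pkt = parse_ipv4(raw)
        print(f"{name:5} offset={pkt.offset} MF={pkt.more} dport={pkt.dst_port} "
              f"arch={lookup(SPD_ARCH, pkt)!r} ikev2={lookup(SPD_IKEV2_RANGE, pkt)!r}")
```

Running it shows the inconsistency Michael Roe points at: under this reading the non-initial fragment matches the OPAQUE entry in SPD_ARCH, but matches nothing in SPD_IKEV2_RANGE and falls through to DISCARD, so a 0..65535 range is not a substitute for ANY. An initial fragment that is too short to carry the port fields is treated like a non-initial fragment here; that is this example's choice and not something the thread states.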