
Ordered and unordered SPD in draft-ietf-ipsec-rfc2401bis-01



Karen, Steve,

In draft-ietf-rfc2401bis-01, the description of the processing
model is very confusing. The problem is that it keeps switching
between two different representations of the SPD:

 (a) An ordered SPD, which may contain overlapping entries
 (b) An unordered SPD, which must not contain overlapping entries

So we have:

[page 16] "The SPD is an ordered database,..."  - ordered SPD

[page 17] "An SPD is logically divided into three pieces, all of
which should be decorrelated ..."  - unordered SPD

[page 17] "The management interface for the SPD ... MUST support
(total) ordering of these entries, as seen via this interface." 
 - ordered SPD

It seems as though the description of packet processing is based on an
UNordered SPD; implementors may at their discretion implement it either
as an ordered or an unordered data structure; and as a conformance
requirement, the management user interface MUST present the user with
the appearance of an ordered SPD, using the Annex B algorithm to translate
if necessary.

I appreciate that technical changes are unwelcome at this point, but I thought
I ought to try and explain why the current text is confusing.

Cheers,
Mike
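An added illustration of the Annex B translation the post refers to (constructed example code, not from the draft and not from Mike's post): an ordered SPD with overlapping entries is decorrelated into an unordered SPD whose entries never overlap, and first-match lookup on the former is checked against unique-match lookup on the latter. Selectors are modelled as boxes of inclusive integer ranges, one per dimension (here src host, dst host, dst port); the sample entries and the DISCARD default on no match are assumptions for the example.

```python
from itertools import combinations
# Selector box: one inclusive (lo, hi) range per dimension; entry: (box, action).

def overlaps(a, b):
    return all(al <= bh and bl <= ah for (al, ah), (bl, bh) in zip(a, b))

def contains(box, pkt):
    return all(lo <= v <= hi for (lo, hi), v in zip(box, pkt))

def subtract(a, b):
    """Boxes covering a minus b; empty list if b covers all of a."""
    if not overlaps(a, b):
        return [a]
    pieces, rest = [], list(a)
    for i, ((al, ah), (bl, bh)) in enumerate(zip(a, b)):
        if al < bl:  # part of dimension i below b's range
            pieces.append(tuple(rest[:i]) + ((al, bl - 1),) + tuple(rest[i + 1:]))
        if ah > bh:  # part of dimension i above b's range
            pieces.append(tuple(rest[:i]) + ((bh + 1, ah),) + tuple(rest[i + 1:]))
        rest[i] = (max(al, bl), min(ah, bh))  # keep only the overlap, continue
    return pieces

def decorrelate(ordered):
    """Ordered first-match SPD -> unordered SPD whose entries never overlap."""
    result = []
    for i, (box, action) in enumerate(ordered):
        fragments = [box]
        for earlier, _ in ordered[:i]:  # remove everything an earlier entry wins
            fragments = [f for frag in fragments for f in subtract(frag, earlier)]
        result.extend((f, action) for f in fragments)
    return result

def is_decorrelated(spd):
    return not any(overlaps(a, b) for (a, _), (b, _) in combinations(spd, 2))

def lookup_ordered(spd, pkt):
    return next((act for box, act in spd if contains(box, pkt)), "DISCARD")

def lookup_unordered(spd, pkt):
    hits = [act for box, act in spd if contains(box, pkt)]
    assert len(hits) <= 1, "unordered SPD matched twice: entries overlap"
    return hits[0] if hits else "DISCARD"

# Constructed sample: selectors are (src host, dst host, dst port).
ORDERED_SPD = [
    (((1, 1), (2, 2), (22, 22)), "PROTECT"),        # host 1 -> host 2, SSH
    (((1, 1), (2, 2), (0, 65535)), "BYPASS"),       # other host 1 -> host 2
    (((0, 255), (0, 255), (0, 65535)), "DISCARD"),  # everything else
]
UNORDERED_SPD = decorrelate(ORDERED_SPD)
```

The three ordered entries become seven non-overlapping ones, which is the usual cost of decorrelation and why a management interface may prefer to show the ordered form.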