
Decorrelated SPD and IKEv2 traffic selectors
Now that the architecture defines two forms of the SPD
(an ordered one and a decorrelated one), there is the
question of which one is used by IKEv2 to construct
traffic selectors. draft-ietf-ipsec-ikev2-12 doesn't
seem to say.

Suppose the ordered SPD looks like this:

Local Remote Protocol            Action
X     Y     ICMP (type=146..147) Apply (ESP, transport, DES3CBC, HMAC-MD5) [Prefix Solicitation]
X     *     ICMP                 BYPASS
X     *     UDP (port=IKE)       BYPASS
X     Y     MobilityHeader       Apply (ESP, transport, DES3CBC, HMAC-MD4)  [Binding Update]
X     *     MobilityHeader       Apply (ESP, tunnel, DES3CBC, HMAC-MD5)     [Return Routability]
X     *     *                    Apply (ESP, tunnel, NULL, HMAC-MD5)

(See draft-ietf-mobileip-mipv6-ha-ipsec-0 for why this is an interesting case...)


When it's been decorrelated, it looks something like this (my apologies
if I've made a mistake - I did this by hand):

Local  Remote  Protocol             Action
X      <Y      ICMP                 BYPASS
X      >Y      ICMP                 BYPASS
X      Y       ICMP (type=0..146)   BYPASS
X      Y       ICMP (type=148..255) BYPASS
X      *       UDP (port=IKE)       BYPASS

X      Y       ICMP (type=146..147) Apply (ESP, transport, DES3CBC, HMAC-MD5)

X      Y       MobilityHeader       Apply (ESP, tunnel, DES3CBC, HMAC-MD5)

X      <Y      MobilityHeader       }
X      >Y      MobilityHeader       } Apply (ESP, tunnel, DES3CBC, HMAC-MD5)

X      *       UDP (port=0..499)    }
X      *       UDP (port=501..65535)}
X      *       UDP (port=OPAQUE)    }
X      *       2..16                } Apply (ESP, tunnel, NULL, HMAC-MD5)
X      *       18..134              }
X      *       136..255             }

When IKEv2 negotiates the last SA, which selectors does it send?
A single selector with protocol=0 (representing the ANY in the ordered SPD),
or the long list of selectors in the decorrelated SPD?
(I make it 255 selectors, because ranges of protocol numbers aren't supported
in an IKEv2 transport selector)

Thanks!
Mike

PS. If that list of selectors makes the IKE packet larger
than the MTU it will get fragmented using IPv6 end-to-end
fragmentation, which means that the port number is OPAQUE
in non-initial fragments...
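
The decorrelation and the selector count from the post, worked through in code. This is an added example, not code from the post or from any IKE implementation. Its assumptions are mine, not the post's: every selector dimension is modelled as a closed integer range; a single "sub" dimension stands for the UDP port or ICMP type and is left at its full range for protocols that have neither; protocol numbers follow the ranges in the post's table (ICMP=1, UDP=17, MobilityHeader=135); addresses are a toy 16-bit space with the peer Y in the middle; and an IKEv2 TS carries one protocol ID (0 = any), one address range and one port range, so a protocol range in the decorrelated SPD costs one TS per protocol number. OPAQUE ports and fragments are not modelled.

```python
"""Decorrelate an ordered SPD (RFC 4301 Appendix B style) and count how
many IKEv2 traffic selectors the decorrelated catch-all entry needs.

Added example; not code from the post or from any IKE implementation.
Assumed (not stated in the post): integer ranges for every dimension,
ICMP=1 / UDP=17 / MH=135, a toy 16-bit address space, one TS per
protocol number. OPAQUE ports and fragments are not modelled.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

Range = Tuple[int, int]            # inclusive bounds

ICMP, UDP, MH = 1, 17, 135         # assumed, matching the post's ranges
ADDR_MAX = 0xFFFF                  # toy address space
Y = 0x8000                         # the remote peer
ANY_ADDR: Range = (0, ADDR_MAX)
ANY_PROTO: Range = (0, 255)
ANY_SUB: Range = (0, 65535)        # port / ICMP type "don't care"

DIMS = ("remote", "proto", "sub")


@dataclass(frozen=True)
class Entry:
    remote: Range
    proto: Range
    sub: Range       # UDP port or ICMP type (ANY_SUB = don't care)
    action: str


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def subtract(box: Entry, hole: Entry) -> List[Entry]:
    """Return the parts of `box` that `hole` does not cover.

    Box subtraction: along each dimension peel off the slices below and
    above the hole, then narrow what remains to the intersection; the
    final intersection is exactly the covered part and is dropped."""
    if not all(overlaps(getattr(box, d), getattr(hole, d)) for d in DIMS):
        return [box]
    pieces: List[Entry] = []
    rest = box
    for d in DIMS:
        (lo, hi), (hlo, hhi) = getattr(rest, d), getattr(hole, d)
        if lo < hlo:
            pieces.append(replace(rest, **{d: (lo, hlo - 1)}))
        if hi > hhi:
            pieces.append(replace(rest, **{d: (hhi + 1, hi)}))
        rest = replace(rest, **{d: (max(lo, hlo), min(hi, hhi))})
    return pieces


def decorrelate(ordered: List[Entry]) -> List[Tuple[int, Entry]]:
    """Each entry minus every entry above it; the result is order-free.
    Returns (index of the originating ordered entry, decorrelated box)."""
    out: List[Tuple[int, Entry]] = []
    for i, entry in enumerate(ordered):
        boxes = [entry]
        for earlier in ordered[:i]:
            boxes = [p for b in boxes for p in subtract(b, earlier)]
        out.extend((i, b) for b in boxes)
    return out


def coalesce(boxes: List[Entry]) -> List[Entry]:
    """Merge boxes of one entry that agree on two dimensions and are
    adjacent on the third (e.g. remote <Y, Y, >Y back into remote *)."""
    boxes = list(boxes)
    merged = True
    while merged:
        merged = False
        for i in range(len(boxes)):
            for j in range(i + 1, len(boxes)):
                a, b = boxes[i], boxes[j]
                for d in DIMS:
                    if any(getattr(a, o) != getattr(b, o) for o in DIMS if o != d):
                        continue
                    ra, rb = getattr(a, d), getattr(b, d)
                    if ra[1] + 1 == rb[0] or rb[1] + 1 == ra[0]:
                        boxes[i] = replace(a, **{d: (min(ra[0], rb[0]), max(ra[1], rb[1]))})
                        del boxes[j]
                        merged = True
                        break
                if merged:
                    break
            if merged:
                break
    return boxes


def ikev2_ts_count(boxes: List[Entry]) -> int:
    """One TS per protocol number per box (a TS has a single protocol ID);
    only a box spanning every protocol with a don't-care port collapses to
    the single proto=0 ("any") TS."""
    return sum(1 if (b.proto == ANY_PROTO and b.sub == ANY_SUB)
               else b.proto[1] - b.proto[0] + 1 for b in boxes)


# The ordered SPD from the post, top to bottom.
ORDERED_SPD = [
    Entry((Y, Y), (ICMP, ICMP), (146, 147), "Apply ESP transport (Prefix Solicitation)"),
    Entry(ANY_ADDR, (ICMP, ICMP), ANY_SUB, "BYPASS"),
    Entry(ANY_ADDR, (UDP, UDP), (500, 500), "BYPASS (IKE)"),
    Entry((Y, Y), (MH, MH), ANY_SUB, "Apply ESP transport (Binding Update)"),
    Entry(ANY_ADDR, (MH, MH), ANY_SUB, "Apply ESP tunnel (Return Routability)"),
    Entry(ANY_ADDR, ANY_PROTO, ANY_SUB, "Apply ESP tunnel NULL"),
]


def catch_all_boxes(spd: List[Entry] = ORDERED_SPD) -> List[Entry]:
    """Decorrelated, coalesced boxes that the last (ANY) entry is left with."""
    last = len(spd) - 1
    return coalesce([b for i, b in decorrelate(spd) if i == last])


if __name__ == "__main__":
    for b in catch_all_boxes():
        print(b.remote, b.proto, b.sub)
    print("IKEv2 TSs needed for the catch-all SA:", ikev2_ts_count(catch_all_boxes()))
```

Run as is, the catch-all entry decorrelates to six boxes (protocol 0, 2..16, 18..134, 136..255 with any port, plus UDP 0..499 and 501..65535), and expanding the protocol ranges one TS per protocol gives 255 selectors, the figure in the post. Without the coalescing step the three remote slices (<Y, Y, >Y) multiply the count threefold, which is why a decorrelator that never re-merges adjacent boxes produces far more selectors than the traffic actually requires.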