Re: Temporary version of the new IKEv2 draft



draft-ietf-ipsec-ikev2-13.txt says:
>  o  Start Port (2 octets) - Value specifying the smallest port
>      number allowed by this Traffic Selector. For protocols for
>      which port is undefined, or if all ports are allowed or
>      port is OPAQUE, this field MUST be zero. 

The phrase "or port is OPAQUE" is dangerously ambiguous here.
What I *think* this text means is that the "ANY" selector is encoded
as [0, 65535], and that the "ANY" selector will match a non-initial
fragment ("OPAQUE" port number).

However, as well as OPAQUE port numbers, we also have the "OPAQUE" selector,
which matches non-initial fragments. There's a question of how IKE
represents the "OPAQUE" selector - how do you negotiate a fragment-only SA.
Someone might read this text as saying that to negotiate a fragment-only
SA (an SA whose selector is "port=OPAQUE") you set start_port=0 and
end_port=65535. But that won't work, because there's no way to distinguish
between "ANY" and "OPAQUE" if they are both encoded as [0, 65535].

I thought that Charlie Lynn's proposal was to represent an "OPAQUE" selector
as [65535, 0], to distinguish it from the "ANY" selector [0, 65535].

See http://www.vpnc.org/ietf-ipsec/mail-archive/msg02701.html:
> Please add text saying that OPAQUE is encoded by setting a "start"
> field to the maximum value and the "end" field to the minimum value.

Note that "start" is the *maximum* value and "end" is the *minimum* value...

Mike
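The encoding question Mike raises can be made concrete in code. The following is an added example, not part of the original message or of any IKEv2 implementation: it packs and parses the port fields of an IKEv2 Traffic Selector substructure (TS Type, IP Protocol ID, Selector Length, Start Port, End Port, then the address range) and classifies the result as ANY, OPAQUE or an ordinary range, using the encoding the message attributes to Charlie Lynn's proposal (OPAQUE as start 65535, end 0; ANY as start 0, end 65535). The helper names, the TS_IPV4_ADDR_RANGE value and the TCP/IPv4 sample values are assumptions made here, and `port=None` is used to model a packet whose port is OPAQUE (a non-initial fragment). A decoder that does not treat the inverted range as a distinct selector would classify both encodings the same way, which is exactly the collision the message warns about.

```python
"""Added example: IKEv2 Traffic Selector port-range encoding for ANY vs OPAQUE.

Not code from the original message. Field layout follows the IKEv2 Traffic
Selector substructure (type, protocol, length, start port, end port, address
range); helper names and sample values are constructed for illustration.
"""
import socket
import struct
from typing import Optional

TS_IPV4_ADDR_RANGE = 7   # TS Type for an IPv4 address range (assumed constant)
TS_IPV4_LEN = 16         # 8-octet header + two 4-octet IPv4 addresses
PORT_MAX = 0xFFFF


def classify_ports(start: int, end: int) -> str:
    """Return "ANY", "OPAQUE" or "RANGE" for a (start, end) port pair.

    ANY    = [0, 65535]   all ports (and, per the message, opaque ports too)
    OPAQUE = [65535, 0]   start > end: matches only non-initial fragments
    Any other inverted pair is malformed and rejected.
    """
    if not (0 <= start <= PORT_MAX and 0 <= end <= PORT_MAX):
        raise ValueError("port value out of range")
    if (start, end) == (0, PORT_MAX):
        return "ANY"
    if (start, end) == (PORT_MAX, 0):
        return "OPAQUE"
    if start > end:
        raise ValueError(f"inverted port range {start}-{end} is not a valid selector")
    return "RANGE"


def port_matches(start: int, end: int, port: Optional[int]) -> bool:
    """Does the selector [start, end] cover a packet with the given port?

    port=None models a non-initial fragment whose port number is OPAQUE.
    """
    kind = classify_ports(start, end)
    if kind == "ANY":
        return True            # ANY covers initial and non-initial fragments
    if kind == "OPAQUE":
        return port is None    # fragment-only SA: no port-bearing packets
    return port is not None and start <= port <= end


def build_ts_ipv4(proto: int, start_port: int, end_port: int,
                  start_addr: str, end_addr: str) -> bytes:
    """Serialize one TS_IPV4_ADDR_RANGE Traffic Selector substructure."""
    header = struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, TS_IPV4_LEN,
                         start_port, end_port)
    return header + socket.inet_aton(start_addr) + socket.inet_aton(end_addr)


def parse_ts_ipv4(data: bytes) -> dict:
    """Parse a TS_IPV4_ADDR_RANGE substructure and classify its port range."""
    if len(data) < 8:
        raise ValueError("truncated traffic selector header")
    ts_type, proto, length, sp, ep = struct.unpack("!BBHHH", data[:8])
    if ts_type != TS_IPV4_ADDR_RANGE or length != TS_IPV4_LEN or len(data) < length:
        raise ValueError("unsupported or truncated traffic selector")
    return {
        "proto": proto,
        "start_port": sp,
        "end_port": ep,
        "kind": classify_ports(sp, ep),
        "start_addr": socket.inet_ntoa(data[8:12]),
        "end_addr": socket.inet_ntoa(data[12:16]),
    }


def opaque_collides_with_any_if_encoded_as_full_range() -> bool:
    """The ambiguity in the draft text: an OPAQUE selector written as
    [0, 65535] is byte-for-byte identical to ANY, so a peer cannot tell
    a fragment-only SA from an all-ports SA."""
    any_ts = build_ts_ipv4(6, 0, PORT_MAX, "10.0.0.1", "10.0.0.255")
    misencoded_opaque = build_ts_ipv4(6, 0, PORT_MAX, "10.0.0.1", "10.0.0.255")
    return any_ts == misencoded_opaque and parse_ts_ipv4(misencoded_opaque)["kind"] == "ANY"


if __name__ == "__main__":
    # Constructed sample: TCP, fragment-only SA for 10.0.0.0/24 hosts
    ts = build_ts_ipv4(6, PORT_MAX, 0, "10.0.0.1", "10.0.0.255")
    print(ts.hex(), parse_ts_ipv4(ts))
    print("collision if OPAQUE encoded as [0,65535]:",
          opaque_collides_with_any_if_encoded_as_full_range())
```

The decoder accepts exactly one inverted pair, [65535, 0], and rejects every other start > end combination, so a peer cannot smuggle an arbitrary inverted range through as a "special" selector; a receiver that instead silently swaps or clamps inverted ranges would lose the ANY/OPAQUE distinction the message is asking the draft to preserve.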