
Re: ipsec compression support




Oscar,


Glad to see you jump in to help out on compression.

I have a small comment on your request.

>>>>>>Oscar Strohacker
>All I want is a reserved value for compression algorithm somewhere in the
>header, and if there is going to be a default compression algorithm, to
>compete for that designation.

Ipsec currently does not have any "clear header" fields to describe the 
encryption, integrity, or compression algorithm.  Our approach has been to 
bundle all of the negotiated attributes of the "security transform" into a 
single identifier (SPI or SAID) that determines the "security association" (SA).

The use of compression with encryption needs to be defined as a new security 
transformation.  These transformations are currently identified in the 
documentation as an arbitrary string of characters (e.g. DES-CBC-FOO).  It might 
be reasonable to define for your needs a DES-CBC-MD5-LZ77 transformation.

The working group will soon have to address in more detail the registration of 
these transforms for use in the IKMP negotiation process.  This will likely 
yield a large space for new transformations, so there will be plenty of room for 
LZ77.

The more difficult issue is whether there should be a "recommended" compression 
algorithm.  A rough first cut at the IPSEC requirements for compression is:

The compression algorithm shall:

1) work effectively on IP packets.

2) work well combined with a selected encryption algorithm

3) not adversely decrease the "strength" of the selected encryption algorithm

4) be easily and effectively implemented in software.  Software processing time
   should not be excessive.

5) be easily and effectively implemented in hardware to support high speeds

6) have well defined and accepted licensing terms

It is not a requirement, but it also helps in the process to have openly 
available software implementations.

I assume that the IBM technology you are proposing must be patented.  Has LZ77 
been placed into the public domain?  Are there well defined and acceptable 
licensing terms?  Is there a publicly available software implementation?  Why 
is this algorithm better than others?  What other algorithm should we consider?  
Does LZ77 provide any integrity checking (we might then only need to define 
DES-CBC-LZ77 instead of DES-CBC-MD5-LZ77)?


Regards,

Paul

PS - I am out 5/7,8,9,10...


