Re: ipsec compression support
Oscar,
Glad to see you jump in to help out on compression.
I have a small comment on your request.
>>>>>>Oscar Strohacker
>All I want is a reserved value for compression algorithm somewhere in the
>header, and if there is going to be a default compression algorithm, to
>compete for that designation.
Ipsec currently does not have any "clear header" fields to describe the
encryption, integrity, or compression algorithm. Our approach has been to
bundle all of the negotiated attributes of the "security transform" into a
single identifier (SPI or SAID) that determines the "security association" (SA).
The use of compression with encryption needs to be defined as a new security
transformation. These transformations are currently identified in the
documentation as an arbitrary string of characters (e.g. DES-CBC-FOO). It might
be reasonable to define for your needs a DES-CBC-MD5-LZ77 transformation.
The working group will soon have to address in more detail the registration of
these transforms for use in the IKMP negotiation process. This will likely
yield a large space for new transformations so there will be plenty of room for
LZ77.
The more difficult issue is whether there should be a "recommended" compression
algorithm. A rough first cut at the IPSEC requirements for compression is:
The compression algorithm shall:
1) work effectively on IP packets.
2) work well combined with a selected encryption algorithm
3) not adversely decrease the "strength" of the selected encryption algorithm
4) be easily and effectively implemented in software. Software processing time
should not be excessive.
5) be easily and effectively implemented in hardware to support high speeds
6) have well defined and accepted licensing terms
It is not a requirement, but it also helps in the process to have openly
available software implementations.
I assume that the IBM technology you are proposing must be patented. Has LZ77
been placed into the public domain? Are there well defined and acceptable
licensing terms? Is there a publicly available software implementation? Why
is this algorithm better than others? What other algorithm should we consider?
Does LZ77 provide any integrity checking (we might then only need to define
DES-CBC-LZ77 instead of DES-CBC-MD5-LZ77)?
Regards,
Paul
PS - I am out 5/7,8,9,10...