[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
FW: IPCOMP and IPSEC
Ah, so there is some confusion then. I think (thought) the right thing
to do was put the IPCOMP header outside the original IP header though -
that makes it obvious that the peer SG need to strip it off before
forwarding the original packet. If the IPCOMP was inserted after IP1 by
a SG, how would the receiving SG know whether to extract it again - it
looks identical to a packet that has been compression by the original
host.
Steve.
IPComp may be added by a security gateway just like IPSec ESP/AH is
added. It would probably look like this though:
[IP2]
[ESP spi+replay+iv]
[IP1]
[IPCOMP]
[TCP]
[data]
[ESP padding+next protocol+auth]
> -----Original Message-----
> From: Stephen Waters [mailto:Stephen.Waters@digital.com]
<mailto:[mailto:Stephen.Waters@digital.com]>
> Sent: Wednesday, May 27, 1998 6:19 PM
> To: ippcp@external.cisco.com;
<mailto:ippcp@external.cisco.com;> ipsec@tis.com <mailto:ipsec@tis.com>
> Subject: IPCOMP and IPSEC
>
>
>
> Is IPCOMP restricted for use by Hosts (at packet origin), or
can it be
> appended by a Security Gateway as part of the process of
> adding an IPSEC
> tunnel header?
>
> e.g.
>
> Original host packet [IP1][TCP][data]
>
> After passing through a security gateway/IP tunnel:
>
> [IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP
auth]
>
>
> If this is supported, is it detailed anywhere? For example,
if an
> Explicit IV is used, would it come after the ESP header or
after the
> IPCOMP header?
>
>
>
>
>
> Stephen Waters
> DEVON, UK
>
> National: 01548 551012 / 550474
> International: 44 1548 551012 / 550474
> Stephen.Waters@Digital.com
>