RE: IPCOMP and IPSEC
My apologies Stephen, you were correct. I got a little confused and
wrote things backwards. Your original layout is the correct mechanism
to use when the gateway is handling both IPSec and IPComp.
[IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP auth]
To answer your question of where the explicit IV goes; it must go right
after the ESP header (spi+replay), thus it is before the IPComp. This
is because IPComp is really another protocol and not part of IPSec, thus
it is treated as protocol data just like TCP/UDP to IPSec.
> -----Original Message-----
> From: Stephen Waters [mailto:Stephen.Waters@digital.com]
> Sent: Thursday, May 28, 1998 1:56 PM
> To: Roy Pereira
> Cc: ipsec@tis.com; ippcp@external.cisco.com
> Subject: FW: IPCOMP and IPSEC
>
>
>
> Ah, so there is some confusion then. I think (thought) the right thing
> to do was put the IPCOMP header outside the original IP header though -
> that makes it obvious that the peer SG needs to strip it off before
> forwarding the original packet. If the IPCOMP was inserted after IP1 by
> a SG, how would the receiving SG know whether to extract it again - it
> looks identical to a packet that has been compressed by the original
> host.
>
> Steve.
>
>
> IPComp may be added by a security gateway just like IPSec ESP/AH is
> added. It would probably look like this though:
> [IP2]
> [ESP spi+replay+iv]
> [IP1]
> [IPCOMP]
> [TCP]
> [data]
> [ESP padding+next protocol+auth]
>
>
>
> > -----Original Message-----
> > From: Stephen Waters [mailto:Stephen.Waters@digital.com]
> > Sent: Wednesday, May 27, 1998 6:19 PM
> > To: ippcp@external.cisco.com; ipsec@tis.com
> > Subject: IPCOMP and IPSEC
>
>
>
> Is IPCOMP restricted for use by Hosts (at packet origin), or can it be
> appended by a Security Gateway as part of the process of adding an IPSEC
> tunnel header?
>
> e.g.
>
> Original host packet [IP1][TCP][data]
>
> After passing through a security gateway/IP tunnel:
>
> [IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP auth]
>
>
> If this is supported, is it detailed anywhere? For example, if an
> Explicit IV is used, would it come after the ESP header or after the
> IPCOMP header?
>
>
>
>
>
> Stephen Waters
> DEVON, UK
>
> National: 01548 551012 / 550474
> International: 44 1548 551012 / 550474
> Stephen.Waters@Digital.com
>
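The layout the two posters settle on, as an added worked example that is not code from this thread or from any IPsec implementation: a security gateway compresses the original [IP1][TCP][data] datagram with IPComp, prepends the 4-byte IPComp header, then wraps the result in tunnel-mode ESP so that the explicit IV sits directly after SPI+sequence and the IPComp header is the first thing inside the encrypted region (ESP's next-header byte says 108). The protocol numbers (ESP 50, IPComp 108, CPI 2 = DEFLATE, raw DEFLATE without a zlib wrapper) are the published ones; the cipher is a stand-in HMAC-SHA256 keystream used only to show byte positions (it is not a standard ESP transform), and the keys, addresses, SPI and the sample TCP segment are all constructed for the example. It also shows the RFC 2393 rule that a datagram which does not shrink is sent without an IPComp header, which is why the receiving gateway must look at ESP's next-header byte rather than assuming IPComp is always present.

```python
import hashlib
import hmac
import struct
import zlib

IPPROTO_IPIP = 4        # ESP next header when the inner packet is a raw IPv4 datagram
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_IPCOMP = 108
IPCOMP_CPI_DEFLATE = 2  # well-known CPI for DEFLATE (RFC 2393)
IV_LEN = 8              # explicit IV length assumed for the example
ICV_LEN = 12            # HMAC-SHA1-96 truncation
ESP_ALIGN = 8

# Constructed example keys and addresses (not from the thread).
ENC_KEY = b"example-esp-encryption-key"
AUTH_KEY = b"example-esp-auth-key"
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])


def _crypt(key, iv, data):
    """Stand-in cipher: HMAC-SHA256 counter keystream keyed by (key, explicit IV).
    Not a standard ESP transform; it only shows where the IV sits in the packet."""
    ks = b""
    counter = 0
    while len(ks) < len(data):
        ks += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, TOS, total length, ident, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def ipcomp_encapsulate(datagram, next_header=IPPROTO_IPIP):
    """Raw DEFLATE the datagram. Per RFC 2393, if the result is not smaller the
    datagram goes out unchanged and with no IPComp header at all."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    compressed = comp.compress(datagram) + comp.flush()
    if 4 + len(compressed) >= len(datagram):
        return datagram, next_header
    ipcomp_hdr = struct.pack(">BBH", next_header, 0, IPCOMP_CPI_DEFLATE)
    return ipcomp_hdr + compressed, IPPROTO_IPCOMP


def ipcomp_decapsulate(payload):
    next_header, _flags, cpi = struct.unpack(">BBH", payload[:4])
    if cpi != IPCOMP_CPI_DEFLATE:
        raise ValueError("unsupported CPI %d" % cpi)
    return zlib.decompressobj(-15).decompress(payload[4:]), next_header


def esp_encapsulate(spi, seq, iv, payload, next_header):
    """[SPI][SEQ][IV][encrypted: payload | pad | pad_len | next_header][ICV]"""
    pad_len = (-(len(payload) + 2)) % ESP_ALIGN
    plaintext = payload + bytes(range(1, pad_len + 1)) + struct.pack(">BB", pad_len, next_header)
    body = struct.pack(">II", spi, seq) + iv + _crypt(ENC_KEY, iv, plaintext)
    return body + hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_decapsulate(esp):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV mismatch")
    iv = body[8:8 + IV_LEN]                      # explicit IV right after SPI+SEQ
    plaintext = _crypt(ENC_KEY, iv, body[8 + IV_LEN:])
    pad_len, next_header = struct.unpack(">BB", plaintext[-2:])
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def gateway_encapsulate(inner, spi=0x1000, seq=1, iv=bytes(range(1, 9))):
    payload, nh = ipcomp_encapsulate(inner)
    esp = esp_encapsulate(spi, seq, iv, payload, nh)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp


def gateway_decapsulate(outer):
    if outer[9] != IPPROTO_ESP:
        raise ValueError("outer packet is not ESP")
    payload, nh = esp_decapsulate(outer[20:])
    if nh == IPPROTO_IPCOMP:                     # only strip IPComp if ESP says it is there
        payload, nh = ipcomp_decapsulate(payload)
    if nh != IPPROTO_IPIP:
        raise ValueError("unexpected inner protocol %d" % nh)
    return payload


def sample_inner_packet(data):
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(tcp) + len(data)) + tcp + data


def demo(data, iv=bytes(range(1, 9))):
    inner = sample_inner_packet(data)
    outer = gateway_encapsulate(inner, iv=iv)
    _, nh = esp_decapsulate(outer[20:])
    return {"inner": inner, "outer": outer, "iv_offset": 20 + 8,
            "ipcomp_present": nh == IPPROTO_IPCOMP, "roundtrip": gateway_decapsulate(outer)}


def icv_rejects_tampering(outer):
    tampered = bytearray(outer)
    tampered[40] ^= 1                            # flip a bit inside the ciphertext
    try:
        gateway_decapsulate(bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    r = demo(b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n" * 8)
    print("IPComp applied:", r["ipcomp_present"], "inner", len(r["inner"]), "outer", len(r["outer"]))
```

The receiving gateway never guesses: it authenticates, decrypts, reads ESP's next-header byte, and strips the IPComp header only when that byte is 108. A host that compressed its own packet before it reached the gateway would instead have IPComp inside IP1, which this gateway leaves untouched because it stops at IPPROTO_IPIP.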