I have some concerns about one of the requirements of the IPCOMP draft. It states that if no compression is actually done, no IPCOMP header should be added. While this may be fine in transport mode, it leads to the appearance of an IP-in-IP packet in tunnel mode.
This concerns me, since it seems that the only way to be sure that the inbound IPCOMP SA should handle a packet is to perform an SA lookup to see if it should have been compressed. (Issues of policy verification on inbound packets are intentionally left out of this discussion.) This leads to inconsistent processing of inbound SAs.
As an alternative, I implemented using one of the flag bits to indicate that there was no compression and left the IPCOMP header in. This allowed a consistent lookup on inbound processing for an SA based on SPI (or the IPCOMP equivalent). I have also implemented the policy lookup method, and the full-time use of the IPCOMP header was much cleaner...
Comments encouraged (although I doubt most of you need that...) :-)
---
Tim Jenkins TimeStep Corporation
tjenkins@timestep.com http://www.timestep.com
(613) 599-3610 x4304 Fax: (613) 599-3617
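
The two inbound paths contrasted in the message above, as an added Python sketch that is not the author's implementation and not text from the draft. The flag value `FLAG_UNCOMPRESSED`, the SA table, the sample packets and the `policy_lookup` callback are assumptions made for illustration; the message does not say which flag bit was used.

```python
import struct

IPPROTO_IPIP, IPPROTO_COMP = 4, 108  # IANA protocol numbers
FLAG_UNCOMPRESSED = 0x01  # assumption: the message does not name the flag bit

SA_BY_CPI = {0x0002: "ipcomp-sa-deflate"}  # constructed inbound SA table
INNER = b"\x45" + bytes(19)                # constructed stand-in for an inner IPv4 header
COMPRESSED = struct.pack("!BBH", IPPROTO_IPIP, 0, 2) + b"<deflate bytes>"
FLAGGED = struct.pack("!BBH", IPPROTO_IPIP, FLAG_UNCOMPRESSED, 2) + INNER


def parse_ipcomp(payload):
    """Split the 4-byte IPCOMP header (next header, flags, CPI) from the data."""
    if len(payload) < 4:
        raise ValueError("truncated IPCOMP header")
    next_hdr, flags, cpi = struct.unpack("!BBH", payload[:4])
    return next_hdr, flags, cpi, payload[4:]


def demux_draft(proto, payload, policy_lookup):
    """Draft rule: the IPCOMP header is omitted when nothing was compressed."""
    if proto == IPPROTO_COMP:
        _, _, cpi, _ = parse_ipcomp(payload)
        return SA_BY_CPI.get(cpi), "cpi"
    if proto == IPPROTO_IPIP:
        # No CPI on the wire: only a selector-based lookup can tell whether
        # an IPCOMP SA was supposed to cover this tunnel-mode packet.
        return policy_lookup(payload), "policy"
    return None, "none"


def demux_flagged(proto, payload):
    """Alternative: header always present, a flag bit marks 'not compressed'."""
    if proto != IPPROTO_COMP:
        return None, "none", None
    _, flags, cpi, _ = parse_ipcomp(payload)
    # Same CPI lookup for every packet; the flag only decides whether
    # the decompressor runs.
    return SA_BY_CPI.get(cpi), "cpi", not (flags & FLAG_UNCOMPRESSED)


if __name__ == "__main__":
    lookup = lambda pkt: "ipcomp-sa-deflate"  # hypothetical policy engine
    print(demux_draft(IPPROTO_COMP, COMPRESSED, lookup))
    print(demux_draft(IPPROTO_IPIP, INNER, lookup))
    print(demux_flagged(IPPROTO_COMP, COMPRESSED))
    print(demux_flagged(IPPROTO_COMP, FLAGGED))
```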