RE: IBM VPN Bakeoff Issues
...and since ESP gets involved in adding a trailer, it must go before AH since
AH wants to know (authenticate) the final packet length.
-----Original Message-----
From: Avram Shacham [mailto:shacham@cisco.com]
Sent: Thursday, November 05, 1998 6:33 AM
To: Roy Pereira; IPSEC Mailing List (E-mail)
Subject: Re: IBM VPN Bakeoff Issues
At 11:58 AM 11/4/98 -0500, Roy Pereira wrote:
>9. Should the order of protocols dictate the order of security association or
>should AH, ESP, IPComp always be processed in a certain order? Most vendors
>agreed with the latter.
Risking repeating the obvious, the order is dictated by the reality that
compression must precede encryption, as stated in the IPComp draft:

    Encrypting the IP datagram causes the data
    to be random in nature, rendering compression at lower protocol
    layers (e.g., PPP Compression Control Protocol [RFC-1962])
    ineffective. If both compression and encryption are required,
    compression MUST be applied before encryption.

avram
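
The ordering argument quoted from the IPComp draft can be measured directly. The following is an added example, not part of the original thread: it compresses a constructed payload before and after encryption and compares sizes. It assumes zlib's DEFLATE as the compressor and a toy SHA-256 keystream as a stand-in for ESP encryption; the function names, key and payload are hypothetical.

```python
import hashlib
import zlib


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.

    This is not ESP and not for real use; it only makes the output
    statistically random, which is the property the draft refers to.
    XOR with the same keystream is its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, payload: bytes) -> bytes:
    # Order required by the draft: compress first, then encrypt.
    return keystream_encrypt(key, zlib.compress(payload, 9))


def encrypt_then_compress(key: bytes, payload: bytes) -> bytes:
    # Wrong order: the compressor only ever sees random-looking bytes.
    return zlib.compress(keystream_encrypt(key, payload), 9)


# Constructed sample data: a repetitive, text-like payload and a demo key.
KEY = b"constructed-demo-key"
SAMPLE = (b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"
          b"Accept: text/html\r\n\r\n") * 20


def size_report(key: bytes = KEY, payload: bytes = SAMPLE) -> dict:
    return {
        "original": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt(key, payload)),
        "encrypt_then_compress": len(encrypt_then_compress(key, payload)),
    }


def roundtrip(key: bytes = KEY, payload: bytes = SAMPLE) -> bytes:
    # Inbound side reverses the order: decrypt first, then decompress.
    return zlib.decompress(keystream_encrypt(key, compress_then_encrypt(key, payload)))


if __name__ == "__main__":
    for name, size in size_report().items():
        print(f"{name:>22}: {size} bytes")
```
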