[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPCOMP Questions

To: IPSec <ipsec@lists.tislabs.com>
Subject: Re: IPCOMP Questions
From: Joern Sierwald <joern.sierwald@datafellows.com>
Date: Fri, 27 Aug 1999 19:25:58 +0300
In-Reply-To: <37C69972.A6AFE92C@ibm.net>
Sender: owner-ipsec@lists.tislabs.com

At 09:58 27.8.1999 -0400, Mike Williams wrote:
>I have a couple of easy questions with regards to IPCOMP.
>
>1) When IPCOMP is negotiated with ISAKMP, what is used for the SPI in
>the proposal payload?  My assumption is that SPIs are not exchanged,
>therefore the SPI size would be set to 0.  My first guess was that the
>CPI (per RFC2393) would be sent as the SPI, 

Send the CPI as SPI. SPI size should be 2 bytes, at least
that was the common opinion at the last interop. In case of
deflate that would be "0x00 0x02".

>however this does not make
>sense if the proposal contained different IPCOMP transforms.
>

Yea. If you want that, two possibilities:
1) Use random numbers for CPI, not the algorithm number.
I've seen Timestep doing this.

2) Start a new proposal. (3DES and (deflate or lzs)) would be like
Proposal 0, protocol ESP, transform 3DES
Proposal 0, protocol IPCOMP, transform deflate
Proposal 1, protocol ESP, transform 3DES
Proposal 1, protocol IPCOMP, transform lzs.
I've seen our implementation doing this.

RFC2408, chapter 4.2.

Jörn

References:

IPCOMP Questions

From: Mike Williams <mikewill@ibm.net>

Prev by Date: RE: IPSEC tunnels for LAN-to-LAN interop issue
Next by Date: Re: IPSEC tunnels for LAN-to-LAN interop issue
Prev by thread: IPCOMP Questions
Next by thread: More DoS resistant Base Mode
Index(es):
- Main
- Thread