[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Order of IPCOMP encapsulation
On Sat, 29 Jul 2000, =?iso-8859-1?Q?Svenning_S=F8rensen?= wrote:
> PGPNet does ESP(IPCOMP(IPIP(payload))), while I have done
> ESP(IPIP(IPCOMP(payload)))...
> I wondered what would be the most correct order of doing the IPCOMP
> processing.
There was some discussion of this on the IPsec list in the distant past,
as I recall. My notes say consensus favored ESP(IPCOMP(IPIP(payload))),
so compression covers the inner header as well as the data, but they don't
say why... although one obvious reason is compressing the IP header.
> RFC2393 states that IPCOMP must be done before any IPSec processing. While
> IPIP tunnelling isn't strictly an IPSec protocol, it nevertheless is a part
> of FreeS/Wan, and other IPSec implementations...
Moreover, it is very much part of IPsec *processing* -- RFC 2401 spends
considerable verbiage discussing how to construct the outer header for the
encapsulation, for example. So a strict reading of the specs would seem
to put IPcomp inside IPIP.
Henry Spencer
henry@spsystems.net
References: