
Re: Order of IPCOMP encapsulation



On Sat, 29 Jul 2000, Svenning Sørensen wrote:
> PGPNet does ESP(IPCOMP(IPIP(payload))), while I have done
> ESP(IPIP(IPCOMP(payload)))...
> I wondered what would be the most correct order of doing the IPCOMP
> processing.

There was some discussion of this on the IPsec list in the distant past,
as I recall.  My notes say consensus favored ESP(IPCOMP(IPIP(payload))),
so compression covers the inner header as well as the data, but they don't
say why... although one obvious reason is compressing the IP header. 

> RFC2393 states that IPCOMP must be done before any IPSec processing. While
> IPIP tunnelling isn't strictly an IPSec protocol, it nevertheless is a part
> of FreeS/Wan, and other IPSec implementations...

Moreover, it is very much part of IPsec *processing* -- RFC 2401 spends
considerable verbiage discussing how to construct the outer header for the
encapsulation, for example.  So a strict reading of the specs would seem
to put IPcomp inside IPIP. 

                                                          Henry Spencer
                                                       henry@spsystems.net
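
The two nestings compared in this thread, laid out byte for byte as an added example (not part of the original message, and not code from PGPNet or FreeS/WAN). It builds the plaintext that ESP would encrypt in each order, assuming the DEFLATE transform for IPComp; the addresses, the sample payload and all function names are constructed for illustration.

```python
import struct, zlib

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_COMP = 4, 17, 108  # IANA protocol numbers
CPI_DEFLATE = 2  # IPComp Compression Parameter Index for DEFLATE

def checksum(hdr):
    """Internet checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(proto, body, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (no options) in front of body; addresses are constructed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + body

def ipcomp(next_header, data):
    """4-byte IPComp header (next header, flags, CPI) plus raw-DEFLATE data."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return struct.pack("!BBH", next_header, 0, CPI_DEFLATE) + c.compress(data) + c.flush()

def ipcomp_open(blob):
    next_header, _flags, _cpi = struct.unpack("!BBH", blob[:4])
    return next_header, zlib.decompress(blob[4:], -15)

def order_pgpnet(proto, payload):
    """ESP(IPCOMP(IPIP(payload))): the inner IP header is compressed too."""
    return ipcomp(IPPROTO_IPIP, ipv4(proto, payload))

def order_alternative(proto, payload):
    """ESP(IPIP(IPCOMP(payload))): the inner header stays as is, protocol 108."""
    return ipv4(IPPROTO_COMP, ipcomp(proto, payload))

def recover_inner(esp_plaintext, ipcomp_outermost):
    """Receiver side: rebuild the original inner packet from either layout."""
    if ipcomp_outermost:
        return ipcomp_open(esp_plaintext)[1]
    proto, payload = ipcomp_open(esp_plaintext[20:])
    return ipv4(proto, payload)  # restore original protocol, length and checksum

# Constructed stand-in for a transport segment (not a real capture).
SAMPLE = b"example tunnelled payload line\r\n" * 20

if __name__ == "__main__":
    print("ESP(IPCOMP(IPIP)):", len(order_pgpnet(IPPROTO_UDP, SAMPLE)), "bytes")
    print("ESP(IPIP(IPCOMP)):", len(order_alternative(IPPROTO_UDP, SAMPLE)), "bytes")
```
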




