[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does anyone care about IPcomp with IKE? (IPcomp=IP compression)



"Steven M. Bellovin" <smb@research.att.com> writes:
>The problem is that link-layer encryption -- the most common form below 
>the application -- doesn't work on IPsec packets, and the upper layers 
>may not be aware of, say, gateway-to-gateway IPsec.  The IPsec layer, 
>in other words, is the first to know for sure that a lower layer can't 
>do the encryption that might be desired.
>	
>There's no other negotiation mechanism for IPcomp because compression 
>is circuit-like, and there are no other circuits at the IP layer.  (For 
>discussion on how to negotiate compression at the TCP layer, see
>http://www.research.att.com/~smb/papers/draft-bellovin-tcpfilt-00.txt 
>and http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt.

[I assume you mean "link-layer compression" above, not "link-layer encryption"]. 
Thanks! What I needed was a pointer to RFC 2393, which I got from your
paper pointed to above.

It does seem as though doing it end-to-end independently of IPsec (as
is done in the internet draft you pointed me to) would
be a better thing. Though I suppose doing it in IKE means that it works
for UDP also. So I guess I can't assume a TCP mechanism for negotiating
compression will replace the IKE mechanism.

Radia