
Re: Handling of IPcomp in IKEv2



reading between the lines from the point of view of a dynamic stack:

 - outbound AH/ESP SAs contain/reference a (possibly empty) set of
   acceptable (algorithm, ipcomp spi) pairs, (using the intersection of
   the local compressor and remote decompressor algorithm sets)

 - on hosts where IPcomp algorithms are unloadable, inbound AH/ESP SAs
   contain/reference a similar algorithm set, preventing the
   referenced algorithms from being unloaded until after the SA is deleted.

one potential downside to this proposal is that, on a system where
IPcomp algorithms are dynamically unloadable, you'll likely advertise
all of them and keep them all loaded all the time.  given that we
generally don't want a proliferation of vanity algorithms, this
doesn't seem like such a bad downside.

that said, how about:

 A1) we assume the algorithm set is symmetric (if you can decompress
you can also compress), or

 A2) each node separately announces which algorithms it can compress.

and

 B) The commitment to keeping the algorithms around only extends to
those algorithms which the sending end of the SA indicated it could
compress.

For what little it's worth, I prefer A1 over A2.

					- Bill
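The bookkeeping sketched in this message, written out as a small Python model. This is an added illustration, not code from the poster or from any IKEv2 implementation: the outbound SA keeps the intersection of the local compressor set and the remote decompressor set as its acceptable (algorithm, IPcomp SPI) pairs, the inbound SA pins only the algorithms the remote (sending) end said it can compress (option B), and a loadable-algorithm registry refuses to unload a pinned algorithm until the SA that pinned it is deleted. The A1/A2 distinction is modelled by how the remote's capabilities are constructed. The algorithm labels, SPI values and class/function names are all assumptions made for the example.

```python
"""Toy model of the IPcomp capability bookkeeping described in the post.

Constructed for illustration only: algorithm labels are used as sample
names, SPI values are arbitrary, and none of the classes or functions
correspond to a real IKE daemon's API.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class IpcompCapabilities:
    """Which IPcomp algorithms a node can compress with and decompress."""
    compress: FrozenSet[str]
    decompress: FrozenSet[str]

    @classmethod
    def symmetric(cls, algs: Iterable[str]) -> "IpcompCapabilities":
        """Option A1: a single announced set is assumed to cover both directions."""
        s = frozenset(algs)
        return cls(compress=s, decompress=s)


def outbound_acceptable(local: IpcompCapabilities, remote: IpcompCapabilities,
                        spis: Dict[str, int]) -> List[Tuple[str, int]]:
    """(algorithm, ipcomp spi) pairs an outbound AH/ESP SA may use.

    This is the local compressor set intersected with the remote
    decompressor set; an empty list simply means 'no IPcomp on this SA'.
    """
    usable = local.compress & remote.decompress
    return sorted((alg, spis[alg]) for alg in usable if alg in spis)


def inbound_pinned(local: IpcompCapabilities, remote: IpcompCapabilities) -> FrozenSet[str]:
    """Option B: algorithms kept loaded for the inbound SA's lifetime are only
    those the remote (sending) end indicated it can compress and that we can
    decompress, not the whole advertised decompressor set."""
    return local.decompress & remote.compress


class AlgorithmRegistry:
    """Dynamically loadable IPcomp algorithms with a per-SA reference count."""

    def __init__(self, loaded: Iterable[str]):
        self.loaded: Set[str] = set(loaded)
        self.refs: Dict[str, int] = {}            # algorithm -> number of SAs pinning it
        self.sas: Dict[int, FrozenSet[str]] = {}  # inbound SA spi -> pinned algorithms

    def create_inbound_sa(self, spi: int, pinned: Iterable[str]) -> None:
        """Install an inbound SA and pin the algorithms it references."""
        pinned = frozenset(pinned)
        missing = pinned - self.loaded
        if missing:
            raise ValueError(f"algorithms not loaded: {sorted(missing)}")
        self.sas[spi] = pinned
        for alg in pinned:
            self.refs[alg] = self.refs.get(alg, 0) + 1

    def delete_sa(self, spi: int) -> None:
        """Delete the SA; its pins are released so the algorithms may be unloaded."""
        for alg in self.sas.pop(spi):
            self.refs[alg] -= 1

    def try_unload(self, alg: str) -> bool:
        """Unload an algorithm unless some live inbound SA still references it."""
        if self.refs.get(alg, 0) > 0:
            return False
        self.loaded.discard(alg)
        return True


# Constructed sample: we can compress with two algorithms but decompress three.
LOCAL = IpcompCapabilities(compress=frozenset({"deflate", "lzs"}),
                           decompress=frozenset({"deflate", "lzs", "lzjh"}))
SPIS = {"deflate": 0x1001, "lzjh": 0x1002, "lzs": 0x1003}  # arbitrary sample values


def demo_a1() -> Tuple[List[Tuple[str, int]], FrozenSet[str]]:
    """A1: remote announces one set {deflate, lzjh} for both directions."""
    remote = IpcompCapabilities.symmetric({"deflate", "lzjh"})
    return outbound_acceptable(LOCAL, remote, SPIS), inbound_pinned(LOCAL, remote)


def demo_a2() -> Tuple[List[Tuple[str, int]], FrozenSet[str]]:
    """A2: remote separately says it can only compress with lzjh."""
    remote = IpcompCapabilities(compress=frozenset({"lzjh"}),
                                decompress=frozenset({"deflate", "lzjh"}))
    return outbound_acceptable(LOCAL, remote, SPIS), inbound_pinned(LOCAL, remote)


def demo_unload() -> Tuple[bool, bool, bool]:
    """Pinned algorithms survive until the SA is deleted; unpinned ones do not."""
    reg = AlgorithmRegistry(["deflate", "lzjh", "lzs"])
    _, pinned = demo_a1()
    reg.create_inbound_sa(0x2001, pinned)
    while_live = reg.try_unload("deflate")   # pinned by the live SA
    unpinned = reg.try_unload("lzs")         # never referenced, can go
    reg.delete_sa(0x2001)
    after_delete = reg.try_unload("deflate")
    return while_live, unpinned, after_delete


if __name__ == "__main__":
    print("A1:", demo_a1())
    print("A2:", demo_a2())
    print("unload (while live, unpinned, after delete):", demo_unload())
```

Under A1 the inbound SA pins both algorithms the remote advertised, while under A2 combined with B it pins only the one the remote said it can actually compress with, which is the narrowing the post's option B is after.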