Re: [rohc] FW: ESP and header compression (ROHC)
David Mcgrew <mcgrew@cisco.com> writes:
> > In the case of IPsec/ESP it may make a great deal of sense to
> > compress the headers inside of the tunnel encapsulation. The VPN
> > endpoints are probably disjoint from any particular physical link
> > that benefits from compression and so, to me, it makes sense to do
> > the compression in the two different places.
>
> yes, I think that's right. It seems to be the case that inner-tunnel
> header compression is worthwhile for telephony. Do you think that it
> would be worth doing for wireless links as well? I guess that the
> answer might depend on the traffic that's going over the VPN link.
>
> There are some subtle security issues with this sort of scheme, but I
> don't think that they're insuperable.

It sounds like this is a job for a new IPCOMP algorithm type. Define
an IPCOMP Algorithm that performs 'ROHC' operations inside the tunnel,
so you get:

    IP ESP IPCOMP IP UDP RTP ...

You could even perform ROHC on the outside packet, too. Indeed, one
could even use the IPCOMP SA state to pre-configure known compression
points (for example, if the internal network is an IPv4 /24, you could
always reduce one address to a single 8-bit number because the other
24 bits are "understood"). Similar for port numbers, if you have a
limited SA you can put the information into the SA and then strip it
out of the actual packet.

-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
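
The SA-state idea in the message above, sketched as an added example that is not part of the original post and is not ROHC or any defined IPCOMP transform. The `SAContext` class, the one-byte wire layout, and the sample addresses and port are assumptions made for illustration; the point shown is that fields rebuilt from SA state must be checked against that state on both sides.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SAContext:
    """Hypothetical per-SA state that both tunnel endpoints already share."""
    inner_net: ipaddress.IPv4Network  # the internal prefix, e.g. a /24
    dst_port: int                     # the single port a limited SA allows


def compress(sa, src, dst_port, payload):
    """Strip the fields the SA already implies; return the shortened bytes."""
    addr = ipaddress.IPv4Address(src)
    if addr not in sa.inner_net or dst_port != sa.dst_port:
        # Outside the SA's context: eliding would silently rewrite the packet.
        raise ValueError("packet does not match SA context")
    host_bits = 32 - sa.inner_net.prefixlen
    if host_bits > 8:
        raise ValueError("this sketch only handles prefixes of /24 or longer")
    host = int(addr) & ((1 << host_bits) - 1)
    return struct.pack("!B", host) + payload  # 4-byte address + 2-byte port -> 1 byte


def decompress(sa, data):
    """Rebuild (src, dst_port, payload) from SA state plus the host byte."""
    if not data:
        raise ValueError("truncated compressed packet")
    host = data[0]
    host_bits = 32 - sa.inner_net.prefixlen
    if host >= (1 << host_bits):
        # A host value wider than the prefix allows would land in another network.
        raise ValueError("host byte outside the SA's prefix")
    src = ipaddress.IPv4Address(int(sa.inner_net.network_address) | host)
    return str(src), sa.dst_port, data[1:]


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, arbitrary port).
    sa = SAContext(ipaddress.IPv4Network("192.0.2.0/24"), 5004)
    wire = compress(sa, "192.0.2.17", 5004, b"rtp-bytes")
    print(wire, decompress(sa, wire))
```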