
Re: [rohc] FW: ESP and header compression (ROHC)



David Mcgrew <mcgrew@cisco.com> writes:

> > In the case of IPsec/ESP it may make a great deal of sense to
> > compress the headers inside of the tunnel encapsulation.  The VPN
> > endpoints are probably disjoint from any particular physical link
> > that benefits from compression and so, to me, it makes sense to do
> > the compression in the two different places.
> 
> yes, I think that's right.  It seems to be the case that inner-tunnel
> header compression is worthwhile for telephony.  Do you think that it
> would be worth doing for wireless links as well?  I guess that the
> answer might depend on the traffic that's going over the VPN link.
> 
> There are some subtle security issues with this sort of scheme, but I
> don't think that they're insuperable.

It sounds like this is a job for a new IPCOMP algorithm type.  Define
an IPCOMP Algorithm that performs 'ROHC' operations inside the tunnel,
so you get:

        IP ESP IPCOMP IP UDP RTP ...

You could even perform ROHC on the outside packet, too.  Indeed, one
could even use the IPCOMP SA state to pre-configure known compression
points (for example, if the internal network is an IPv4 /24, you could
always reduce one address to a single 8-bit number because the other
24 bits are "understood").  Similarly for port numbers: if you have a
limited SA, you can put the information into the SA and then strip it
out of the actual packet.

-derek
-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
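The /24 and port idea from Derek's message, as an added example that is not part of the thread: a toy compressor that uses assumed SA state (a constructed 10.1.2.0/24 inner prefix and a single UDP destination port) to elide the bytes the SA already implies, and refuses any packet it could not reconstruct byte-for-byte. The compact layout and all names are this example's own, not ROHC or IPComp wire formats.

```python
import ipaddress
import struct

# Constructed SA context (an assumption for this example): the inner network is
# an IPv4 /24 and this SA only carries UDP to one destination port, so both
# facts are part of SA state and need not travel in every packet.
SA_CONTEXT = {
    "inner_prefix": ipaddress.ip_network("10.1.2.0/24"),
    "udp_dst_port": 5004,
}

def matches_context(inner_packet: bytes, ctx: dict) -> bool:
    """True only if every field we intend to strip is implied by the SA."""
    src = ipaddress.ip_address(inner_packet[12:16])
    dst_port = struct.unpack("!H", inner_packet[22:24])[0]
    return src in ctx["inner_prefix"] and dst_port == ctx["udp_dst_port"]

def compress(inner_packet: bytes, ctx: dict) -> bytes:
    """Strip the 24 prefix bits of the inner source address and the 16-bit UDP
    destination port. Compact layout: 17 bytes of IP fields (source reduced to
    its host octet), 6 bytes of UDP (src port, length, checksum), then payload."""
    if not matches_context(inner_packet, ctx):
        raise ValueError("packet does not match SA context; fields would be unrecoverable")
    ip, udp, payload = inner_packet[:20], inner_packet[20:28], inner_packet[28:]
    return ip[:12] + ip[15:16] + ip[16:20] + udp[:2] + udp[4:8] + payload

def decompress(compact: bytes, ctx: dict) -> bytes:
    """Reinsert the elided bytes from SA state; the result must be byte-exact."""
    prefix = ctx["inner_prefix"].network_address.packed[:3]
    ip = compact[:12] + prefix + compact[12:17]
    udp = compact[17:19] + struct.pack("!H", ctx["udp_dst_port"]) + compact[19:23]
    return ip + udp + compact[23:]

def build_sample_packet() -> bytes:
    """Constructed inner IPv4/UDP packet; checksums are left at zero for brevity."""
    payload = b"constructed RTP-like payload"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                     ipaddress.ip_address("10.1.2.77").packed,
                     ipaddress.ip_address("192.0.2.10").packed)
    udp = struct.pack("!HHHH", 40000, 5004, udp_len, 0)
    return ip + udp + payload

if __name__ == "__main__":
    pkt = build_sample_packet()
    small = compress(pkt, SA_CONTEXT)
    print(f"{len(pkt)} -> {len(small)} bytes; round trip ok: {decompress(small, SA_CONTEXT) == pkt}")
```

The saving here is five bytes per inner packet; the point of the context check is that anything not pinned down by SA state must stay in the packet or the decompressor cannot rebuild it.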