
RE: [rohc] RE: (in)security of ESP with header compression



ESP includes a 32-bit sequence number. It is mandatory for the sender to set
and increment it correctly, but optional for the receiver to verify it. It
is there to prevent malicious replay of messages.

In the case of ROHC over ESP, if the receiver's policy is to delete packets
with an out-of-order ESP sequence number (possibly using a small reorder
buffer), then packets reaching the decompressor are always in order. The
channel is not reliable of course, since entire packets may be deleted. All
in all, this channel becomes analogous to your plain vanilla PPP.

Applicability: in general, IP (and ESP) packets may be drastically
reordered, with packets coming in many seconds out of order. For Internet
telephony, those packets are useless and can be discarded on arrival.

Under these assumptions, I don't believe any change to the operating
assumptions of ROHC, or a new ROHC profile, is needed. This is not "ROHC
over tunnels" but only "ROHC over ESP", but it's still an interesting case.

Thanks,
	Yaron
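
As an added illustration of the receiver policy described above (example code, not from the thread or from any ROHC or IPsec implementation): an RFC 4303 style anti-replay window drops replayed and stale sequence numbers, then a small reorder buffer hands the ROHC decompressor a strictly increasing sequence, giving a gap up as lost once the buffer fills, so the decompressor sees an unreliable but in-order channel. The window width, buffer depth and arrival order are constructed values.

```python
# Added example (not from the thread): RFC 4303-style anti-replay window plus reorder buffer.
WINDOW = 64          # anti-replay window width in packets (assumed value)
REORDER_DEPTH = 4    # packets held back waiting for a gap to fill (assumed)

class EspInOrderReceiver:
    def __init__(self):
        self.top = 0            # highest sequence number accepted so far
        self.seen = 0           # bitmap: bit i set => (top - i) already received
        self.next_expected = 1  # ESP sequence numbers start at 1
        self.pending = {}       # authentic packets held back for reordering
        self.delivered = []     # what the decompressor receives, in order
        self.dropped = []       # (seq, reason) for logging/audit

    def _replay_check(self, seq):
        """RFC 4303 sliding window: reject replays and packets older than the window."""
        if seq > self.top:      # new high-water mark: slide the window right
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or self.seen & (1 << offset):
            return False        # older than the window, or already received
        self.seen |= 1 << offset
        return True

    def _flush(self):
        while True:
            while self.next_expected in self.pending:
                self.delivered.append(self.pending.pop(self.next_expected))
                self.next_expected += 1
            if len(self.pending) <= REORDER_DEPTH:
                return
            # buffer full: give the gap up as lost (unreliable channel, like PPP)
            self.next_expected = min(self.pending)

    def receive(self, seq):     # called only after the ESP integrity check passed
        if not self._replay_check(seq):
            self.dropped.append((seq, "replay-or-stale"))
        elif seq < self.next_expected:
            self.dropped.append((seq, "late-decompressor-moved-on"))
        else:
            self.pending[seq] = seq
            self._flush()

def run(arrivals):
    # feed a constructed arrival order; return (delivered, dropped)
    rx = EspInOrderReceiver()
    for seq in arrivals:
        rx.receive(seq)
    return rx.delivered, rx.dropped
```

A real receiver would also flush the reorder buffer on a timer so that a lost packet on an idle link does not hold the decompressor indefinitely.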

-----Original Message-----
From: rohc-admin@ietf.org [mailto:rohc-admin@ietf.org] On Behalf Of Lars-Erik
Jonsson (EAB)
Sent: Wednesday, April 16, 2003 10:18 PM
To: Derek Atkins
Cc: rohc@ietf.org; ipsec@lists.tislabs.com
Subject: [rohc] RE: (in)security of ESP with header compression


> So, I don't see why IPCOMP should be any different than ESP or AH in
> terms of packet independence.  If ROHC is truly dependent on packet
> ordering, then I think this is a bug in ROHC and needs to be addressed
> there.  It certainly limits the types of links in which ROHC can be
> used.

The RFC 3095 profiles are defined with an assumption on in-order delivery
from compressor to decompressor, but modified profiles could easily be
defined to tolerate packet misordering. The ROHC WG just has not yet
addressed this issue, but we would appreciate input on the subject,
especially motivations for us to look at it.

BR
/L-E
_______________________________________________
Rohc mailing list
Rohc@ietf.org
https://www1.ietf.org/mailman/listinfo/rohc