
[Ipsec] Layer 2 processing inside IPsec



Hello,

I am looking for a simple and efficient way to combine ROHC (Robust header
compression) and IPsec in tunnel mode, in the case of non-NULL ESP
encryption. This may be of high interest in the context of transporting VoIP
flows through encrypted tunnels, for example.

RFC 3095 (ROHC) seems to deal only with these two cases:
  - If non-NULL encryption is used, the profile proposed in section 5.12 of
RFC 3095 is limited to the compression of the ESP/IP header chain.
  - If NULL encryption algorithm is used (i.e., only authentication is
afforded by the SA through ESP), then section 5.8.4.3 describes how the
compressed header chain may be extended to higher level protocols (IP for
tunnel mode, UDP, RTP).

I wonder if the following possibility has already been considered:

In the case of tunnel mode with ESP non-NULL encryption, IPsec applies
encryption to the whole IP packet. So, it is possible to insert ROHC
compression just before ESP encryption.
At the destination IPsec tunnel endpoint, ROHC decompression may be inserted
just after ESP decryption.
In order for this ROHC insertion to map cleanly with the IPsec framework, it
should be considered as a new type of "next header". I looked in
http://www.iana.org/assignments/protocol-numbers.txt, but I did not find any
number allocated to ROHC in this protocol number space: should it be
possible to apply for one? Perhaps it should be necessary to extend IKE
child SA parameter values in order for such a tunnel to be negotiated.

When RTP/UDP/IP plain text packets are ROHC-compressed and then
ESP-encrypted, the ROHC profile defined in RFC 3095 sec. 5.8.4.3 (ESP/IP)
may be applied on the outer IP packets, on each IP hop of the "unprotected"
IP network.

Does anyone know if such a mechanism was proposed?

F. Paul
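The processing order proposed in the message above (header compression applied to the inner RTP/UDP/IP packet just before ESP encryption at the tunnel entry, decompression just after ESP decryption at the exit, with the ESP "next header" field telling the receiver which path to take) can be modelled end to end in a few dozen lines. The following Python is an added example and is not code from the post or from any ROHC or IPsec implementation. It makes several labelled assumptions: the compressor is a toy context-based scheme, not an RFC 3095 profile; the ESP framing follows RFC 4303 (SPI, sequence number, IV, padded payload with pad length and next header, ICV) but confidentiality comes from an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, a standard-library stand-in for a real transform such as AES-GCM; and `NH_ROHC = 254` is a placeholder from the experimental range, since, as the post notes, IANA has not allocated a protocol number to ROHC. The inner packet model (`HDR`, `FIELDS`), the class and function names, and the sample flow in `demo()` are all constructed for this example.

```python
import hashlib, hmac, os, struct

NH_IPV4 = 4    # real IANA value: IPv4-in-IP, the inner packet of an ordinary tunnel
NH_ROHC = 254  # placeholder from the experimental range: ROHC has no IANA allocation

# Simplified inner RTP/UDP/IPv4 packet: 5 static fields, 2 dynamic (RTP seq, ts), payload.
HDR = struct.Struct("!4s4sHHIHI")                 # 22-byte uncompressed header
FIELDS = ("src", "dst", "sport", "dport", "ssrc", "seq", "ts")

def pack_plain(p):
    return HDR.pack(*(p[k] for k in FIELDS)) + p["payload"]

def unpack_plain(b):
    return dict(zip(FIELDS, HDR.unpack_from(b)), payload=b[HDR.size:])

# Toy ROHC-like scheme (not an RFC 3095 profile): an IR packet (type 1) carries the full
# header and sets the context; a CO packet (type 2) carries 8-bit seq and 16-bit ts deltas.
class Compressor:
    ctx = None                              # (static fields, last seq, last ts)
    def compress(self, p):
        static = tuple(p[k] for k in FIELDS[:5])
        if self.ctx and self.ctx[0] == static:
            dseq, dts = p["seq"] - self.ctx[1], p["ts"] - self.ctx[2]
            if 0 < dseq < 256 and 0 <= dts < 65536:
                self.ctx = (static, p["seq"], p["ts"])
                return b"\x02" + struct.pack("!BH", dseq, dts) + p["payload"]
        self.ctx = (static, p["seq"], p["ts"])  # new flow or delta too large: send IR
        return b"\x01" + pack_plain(p)

class Decompressor:
    ctx = None                              # last reconstructed header fields
    def decompress(self, b):
        if b[0] == 1:
            p = unpack_plain(b[1:])
        elif b[0] == 2 and self.ctx:
            dseq, dts = struct.unpack_from("!BH", b, 1)
            p = dict(self.ctx, seq=self.ctx["seq"] + dseq, ts=self.ctx["ts"] + dts, payload=b[4:])
        else:
            raise ValueError("CO packet without an established context")
        self.ctx = {k: p[k] for k in FIELDS}
        return p

# ESP framing after RFC 4303: SPI | seq | IV | encrypted(payload, padding, pad length, next
# header) | ICV. HMAC-SHA256 counter-mode keystream + encrypt-then-MAC stands in for AES-GCM.
def keystream(key, hdr, iv, n):
    blocks = (hmac.new(key, hdr + iv + struct.pack("!I", c), hashlib.sha256).digest()
              for c in range(0, n, 32))
    return b"".join(blocks)[:n]

class ESPSA:
    def __init__(self, spi, key_enc, key_auth):
        self.spi, self.ke, self.ka, self.seq, self.last_rx = spi, key_enc, key_auth, 0, 0

    def encap(self, plaintext, next_header):
        self.seq += 1
        pad_len = (-(len(plaintext) + 2)) % 4       # keep the trailer 4-byte aligned
        body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        hdr, iv = struct.pack("!II", self.spi, self.seq), os.urandom(8)
        ct = bytes(a ^ b for a, b in zip(body, keystream(self.ke, hdr, iv, len(body))))
        return hdr + iv + ct + hmac.new(self.ka, hdr + iv + ct, hashlib.sha256).digest()[:16]

    def decap(self, pkt):
        hdr, iv, ct, icv = pkt[:8], pkt[8:16], pkt[16:-16], pkt[-16:]
        spi, seq = struct.unpack("!II", hdr)
        want = hmac.new(self.ka, hdr + iv + ct, hashlib.sha256).digest()[:16]
        if spi != self.spi or not hmac.compare_digest(icv, want):
            raise ValueError("ESP authentication failed")  # check the ICV before decrypting
        if seq <= self.last_rx:                             # simplified anti-replay check
            raise ValueError("ESP replay")
        self.last_rx = seq
        body = bytes(a ^ b for a, b in zip(ct, keystream(self.ke, hdr, iv, len(ct))))
        pad_len, nh = body[-2], body[-1]
        return nh, body[:-(pad_len + 2)]

def tunnel_send(sa, comp, p):         # tunnel entry: compress first, then ESP-encrypt
    if comp is None:
        return sa.encap(pack_plain(p), NH_IPV4)
    return sa.encap(comp.compress(p), NH_ROHC)

def tunnel_receive(sa, decomp, esp):  # tunnel exit: ESP-decrypt, then dispatch on next header
    nh, inner = sa.decap(esp)
    if nh == NH_ROHC:
        return decomp.decompress(inner)
    if nh == NH_IPV4:
        return unpack_plain(inner)
    raise ValueError(f"unsupported next header {nh}")

def demo(n=5, use_rohc=True):
    """Push n packets of one constructed RTP flow through the tunnel; return
    (every packet recovered intact, total ESP bytes on the wire)."""
    ke, ka = os.urandom(32), os.urandom(32)
    tx, rx = ESPSA(0x1000, ke, ka), ESPSA(0x1000, ke, ka)
    comp, decomp = (Compressor(), Decompressor()) if use_rohc else (None, None)
    wire = 0
    for i in range(n):                  # constructed flow: 20 ms G.711-sized payloads
        p = dict(src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", sport=5004, dport=5004,
                 ssrc=0xDEADBEEF, seq=100 + i, ts=8000 + 160 * i, payload=b"\x55" * 20)
        wire += len(esp := tunnel_send(tx, comp, p))
        if tunnel_receive(rx, decomp, esp) != p:
            return False, wire
    return True, wire
```

Running `demo(5, True)` sends five 20-byte RTP payloads as one IR packet followed by four CO packets and totals 320 bytes of ESP on the wire, against 380 bytes for `demo(5, False)`, where the same packets carry their full 22-byte inner header. Two points of the design matter for the proposal: the receiver verifies the ICV and the sequence number before it decrypts or touches the decompressor, so a forged or replayed ESP packet never reaches the compression context; and the dispatch on the next-header value is the only place the two paths differ, which is why a dedicated protocol number (or an equivalent IKE child SA attribute) is what makes the scheme fit the existing ESP framework.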

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec