[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] Layer 2 processing inside IPsec

To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Subject: Re: [Ipsec] Layer 2 processing inside IPsec
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Mon, 28 Jun 2004 08:22:06 -0400
Cc: ipsec@ietf.org
In-reply-to: Your message of "Mon, 28 Jun 2004 12:14:58 +0200."<200406281014.i5SAEwSj056812@givry.rennes.enst-bretagne.fr>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Reply-to: sommerfeld@east.sun.com
Sender: ipsec-bounces@ietf.org

>     - ROHC requires that the lower layer not reorder packets, whereas
>    IPsec includes replay protection with a sequence number, it does *not*
>    put packets back into their original order on receive.
>    
> I disagree: IPsec does not change the order 

That's not at all clear to me.  

> (so it can't have a negative effect) and more, it helps the
> detection of reordering (by something else) and lost (i.e., it can
> have a positive effect).

No, it seems perfectly clear.

IPsec runs over IP, which is allowed to reorder packets.

ROHC runs over link layers which are not allowed to reorder packets.

Unless you have some impossible-to-obtain-in-general out-of-band
knowledge that an IPsec tunnel will only traverse links *and* routers
which never reorder packets, you cannot naively use ROHC over IPsec.

An integrated IPsec - ROHC implementation could look at the IPsec
sequence number and insert its own reorder buffer, but such an
integration would not be as simple as defining an IP protocol number
for ROHC.

>     - ROHC changes the encoding of header fields which are used for
>    access control purposes by IPsec (inner tunnel headers, payload
>    protocol, and transport-layer ports); a naive integration of ROHC
>    inside IPsec would bypass IPsec's post-decryption access controls.
>    
> I believe you refer to RFC 2401 section 5.2.1 steps 2 and 3.
> Obviously the decompression must be integrated, i.e., done just after
> decryption and before sanity post-decryption checks. BTW the checked
> fields are likely not transported in packets but taken from the
> decompression context. IMHO this is an implementation issue more
> than a real problem.

It's an architectural issue.  An integrated IPsec-ROHC means that the
ROHC would have to be inserted into the *middle* of IPsec processing,
between the policy enforcement part and the encryption part.  

Again, not so simple as merely defining an IP payload number for ROHC.

						- Bill
 

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] Layer 2 processing inside IPsec
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

References:
- Re: [Ipsec] Layer 2 processing inside IPsec
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: Re: [Ipsec] Layer 2 processing inside IPsec
Next by Date: [Ipsec] here, the serials
Previous by thread: Re: [Ipsec] Layer 2 processing inside IPsec
Next by thread: Re: [Ipsec] Layer 2 processing inside IPsec
Index(es):
- Date
- Thread