Re: [Ipsec] Layer 2 processing inside IPsec
In your previous mail you wrote:
I just skimmed rfc3095 for the first time so I might have missed
something, but I can see a couple of potential problems:
- ROHC requires that the lower layer not reorder packets, whereas
IPsec, although it includes replay protection with a sequence number,
does *not* put packets back into their original order on receive.
=> I disagree: IPsec does not change the order (so it can't have
a negative effect) and, moreover, it helps the detection of reordering
(by something else) and loss (i.e., it can have a positive effect).
- ROHC changes the encoding of header fields which are used for
access control purposes by IPsec (inner tunnel headers, payload
protocol, and transport-layer ports); a naive integration of ROHC
inside IPsec would bypass IPsec's post-decryption access controls.
=> I believe you refer to RFC 2401 section 5.2.1 steps 2 and 3.
Obviously the decompression must be integrated, i.e., done just after
decryption and before the post-decryption sanity checks. BTW the checked
fields are likely not transported in packets but taken from the
decompression context. IMHO this is an implementation issue more
than a real problem.
Thanks
Francis.Dupont@enst-bretagne.fr
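To make the reordering point concrete, here is an added example (not part of the original message) of an RFC 2401-style 64-packet anti-replay window: the receiver classifies each sequence number as accepted, replayed or stale, delivers accepted packets in arrival order without ever reordering them, and as a by-product counts out-of-order arrivals and sequence numbers that never showed up. The class and function names and the sample sequence-number trace are constructed for this illustration.

```python
class AntiReplayWindow:
    """IPsec-style sliding anti-replay window (constructed illustration).

    'top' is the highest sequence number accepted so far; bit i of 'bitmap'
    is set when sequence number (top - i) has been received. Nothing here
    reorders packets: the window only decides accept/replay/stale.
    """

    def __init__(self, window=64):
        self.window = window
        self.top = 0            # ESP/AH sequence numbers start at 1, so 0 = nothing seen
        self.bitmap = 0
        self.skipped = 0        # numbers jumped over when the window advanced
        self.reordered = 0      # accepted packets that arrived after a higher number

    def check(self, seq):
        """Return 'accept', 'replay' (duplicate) or 'stale' (too old for the window)."""
        if seq == 0:
            return "stale"                      # 0 is never a valid ESP/AH sequence number
        if seq > self.top:                      # advances the window to the right
            shift = seq - self.top
            self.skipped += shift - 1           # everything in between has not arrived (yet)
            if shift >= self.window:
                self.bitmap = 1                 # whole old window falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.window:
            return "stale"                      # left the window: dropped, not re-sequenced
        if self.bitmap & (1 << diff):
            return "replay"                     # already received once
        self.bitmap |= 1 << diff                # late but new: accepted out of order
        self.reordered += 1
        return "accept"

    def missing(self):
        """Skipped numbers that were never filled in later: loss (or arrival too late)."""
        return self.skipped - self.reordered


def run(seqs):
    """Feed an arrival trace through the window; return (verdicts, delivered, window)."""
    win = AntiReplayWindow()
    verdicts = [win.check(s) for s in seqs]
    delivered = [s for s, v in zip(seqs, verdicts) if v == "accept"]
    return verdicts, delivered, win
```

Because `delivered` keeps arrival order, a ROHC decompressor sitting after this check still sees the reordered stream; what it gains is the receiver's knowledge of how many numbers were late or never arrived.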
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec