
Re: [Ipsec] Layer 2 processing inside IPsec



 In your previous mail you wrote:

   I just skimmed rfc3095 for the first time so I might have missed
   something, but I can see a couple of potential problems:
   
    - ROHC requires that the lower layer not reorder packets; while
   IPsec includes replay protection with a sequence number, it does *not*
   put packets back into their original order on receive.
   
=> I disagree: IPsec does not change the order (so it can't have
a negative effect) and, moreover, it helps the detection of reordering
(by something else) and loss (i.e., it can have a positive effect).

    - ROHC changes the encoding of header fields which are used for
   access control purposes by IPsec (inner tunnel headers, payload
   protocol, and transport-layer ports); a naive integration of ROHC
   inside IPsec would bypass IPsec's post-decryption access controls.
   
=> I believe you refer to RFC 2401 section 5.2.1 steps 2 and 3.
Obviously the decompression must be integrated, i.e., done just after
decryption and before the post-decryption sanity checks. BTW the checked
fields are likely not transported in packets but taken from the
decompression context. IMHO this is an implementation issue more
than a real problem.

Thanks

Francis.Dupont@enst-bretagne.fr
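
Added example (not from the thread or any IPsec/ROHC implementation): a toy
receive path showing why decompression has to sit between decryption and the
RFC 2401 5.2.1 selector check. The compressed-header format, the decompression
context and the SA selector table are simplified constructed stand-ins, not ROHC.

```python
# Toy model of the inbound ESP path after decryption (decryption itself is
# omitted; the payload handed in below is assumed already decrypted).
# The static inner-header fields live in the decompression context, as the
# reply above notes, so the packet on the wire carries only a context id
# plus any fields that changed.

# Constructed decompression context, indexed by context id (cid).
CONTEXT = {7: {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 17, "dport": 5060}}

# Constructed SPD entry: the inner selectors this SA is allowed to carry.
SA_SELECTORS = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 17, "dport": 5060}

REQUIRED = ("src", "dst", "proto", "dport")


def decompress(compressed):
    """Rebuild the full inner header: context values, overridden by any
    fields the packet carried explicitly."""
    hdr = dict(CONTEXT[compressed["cid"]])
    hdr.update(compressed.get("fields", {}))
    return hdr


def selector_check(hdr):
    """RFC 2401 5.2.1 post-decryption check: every inner selector must
    match what the SA's SPD entry permits."""
    return all(hdr.get(k) == SA_SELECTORS[k] for k in REQUIRED)


def receive_integrated(payload):
    """decrypt -> decompress -> check: the check sees the real selectors."""
    hdr = decompress(payload)
    return selector_check(hdr), hdr


def receive_naive(payload):
    """decrypt -> check -> decompress: the check runs on a header whose
    fields are absent or differently encoded, so it cannot be meaningful."""
    return selector_check(payload), payload


if __name__ == "__main__":
    print(receive_integrated({"cid": 7}))                          # accepted
    print(receive_integrated({"cid": 7, "fields": {"dport": 22}}))  # rejected
    print(receive_naive({"cid": 7}))                               # meaningless
```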

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec