Re: [Hipsec] IPCOMP support in HIP

Derek Fawcus <dfawcus+lists-hipsec@employees.org> Thu, 10 March 2016 19:10 UTC

Return-Path: <dfawcus@employees.org>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC7412DBF4 for <hipsec@ietfa.amsl.com>; Thu, 10 Mar 2016 11:10:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=dfawcus+lists-hipsec@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RNdxL6UFLdCd for <hipsec@ietfa.amsl.com>; Thu, 10 Mar 2016 11:10:43 -0800 (PST)
Received: from cowbell.employees.org (cowbell.employees.org [65.50.211.142]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C784B12DBEF for <hipsec@ietf.org>; Thu, 10 Mar 2016 11:10:43 -0800 (PST)
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 2AA0FD7893; Thu, 10 Mar 2016 11:10:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=date:from :to:cc:subject:message-id:references:mime-version:content-type :in-reply-to; s=selector1; bh=Ukk1lpd1sNYQvswW4KEpK1Zf2dk=; b=gd 3T0QKbZyuIdGtwYm0GSLSL8Iav3+9uWZw+rNZFCGjZ/MyMm3fYtqKBwzw6uJZbYy OFG5BMVIb3gMnyhsiSm20aq4LRzvScyGPgJn7NsFND4X+NfU3mpGWEP12wGb9tPi fgqsPozOs3ZsB0na6aeBHMo12+uhAqq//mpyAapVI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=date:from :to:cc:subject:message-id:references:mime-version:content-type :in-reply-to; q=dns; s=selector1; b=MjyLS8mZ4HtsusWTJ465fEShZPLa avBBG8H7gL+J70thN2UHGOsX/Ed6NyTcKG/dEL581cFJx52LycJn327xxR+dpUuQ 0koUe6SeO4yg69DnXSPsIDKA140qlMTQF8BOvp1AzNnxFoF2FR6IDfZGstBogZBl +UWqaUlQmBGuFpc=
Received: by cowbell.employees.org (Postfix, from userid 1736) id 1ABB0D7882; Thu, 10 Mar 2016 11:10:41 -0800 (PST)
Date: Thu, 10 Mar 2016 19:10:41 +0000
From: Derek Fawcus <dfawcus+lists-hipsec@employees.org>
To: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <20160310191041.GA14546@cowbell.employees.org>
Mail-Followup-To: Robert Moskowitz <rgm@htt-consult.com>, hipsec@ietf.org
References: <56E03F56.5040300@htt-consult.com> <56E176AB.5070709@htt-consult.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <56E176AB.5070709@htt-consult.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/hipsec/OHhXd53R_G2L1s6h-muP8I-IGOA>
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] IPCOMP support in HIP
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2016 19:10:45 -0000

On Thu, Mar 10, 2016 at 08:29:15AM -0500, Robert Moskowitz wrote:
> I have found comp in TLS, RFC 3749, so HIP's ESP is the only one missing 
> compression.  How did I miss that?  It should have been included in 7402 
> as an option within ESP.

Hasn't use of compression with TLS largely been abandoned now?
Simply because one or more of the recently published exploits depended upon
it,  such that now one is recommended to disable compression?

So if TLS is avoiding compression,  why is normal IPsec still using it?
It is because the compositions of compression and encryption used in IPsec
are safe,  or has no simply tried (or not published) such attacks for IPsec?

DF