Compression, encryption and authentication at a Security Gateway
Stephen Waters <Stephen.Waters@digital.com> Sat, 30 May 1998 01:46 UTC
Message-ID: <250F9C8DEB9ED011A14D08002BE4F64C01A1BD66@wade.reo.dec.com>
From: Stephen Waters <Stephen.Waters@digital.com>
To: ipsec@tis.com, ippcp@external.cisco.com
Cc: Stephen Waters <Stephen.Waters@digital.com>
Subject: Compression, encryption and authentication at a Security Gateway
Date: Fri, 29 May 1998 12:26:32 +0100

The hunch/findings that folk seem to have when running IPPCP is that the performance is poor and if IPPCP is done in series with encryption, compression is probably not worth bothering with (I'm assuming that you would be using IPPCP because you wanted to use IPSEC encryption).

Host hosts have IPSEC/IPPCP, there is the option that Security Gateways won't need to do encryption either, for example, a remote-worker who tunnels to a Security Gateway for authentication and then encrypts to a mail-server with transport mode:

[IP2][AH][IP1][ESP][upper][pad/np][icv]

The Security gateway does packet-level authentication and the target node (say, a mail server) does the decode. I see that the [IP1] header is no longer confidential, but the alternative is to have the SG re-encrypt the entire packet.

What I'm coming to is that Security Gateways are likely to want to be VERY sharp at doing per-packet authentication.

(hiding under table time)

Steve.

Stephen Waters
DEVON, UK
National: 01548 551012 / 550474
International: 44 1548 551012 / 550474
Stephen.Waters@Digital.com
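
An added example, not part of the original post: a sketch of the gateway role described above, verifying the outer [IP2][AH] wrapper on each packet and handing on [IP1][ESP...] without decrypting it. HMAC-SHA1-96 as the ICV algorithm, the key, SPI, addresses and function names are assumptions for illustration; the anti-replay window and the IP header checksum are left out.

```python
import hashlib, hmac, struct

AH_PROTO, IPIP_PROTO, ICV_LEN = 51, 4, 12   # AH, IP-in-IP, 96-bit truncated ICV
KEY = b"constructed-demo-key"               # constructed sample key
INNER = b"\x45" + bytes(19) + b"opaque-esp-ciphertext"  # constructed stand-in for [IP1][ESP...]

def _icv(outer_ip: bytes, ah_fixed: bytes, inner: bytes, key: bytes) -> bytes:
    """HMAC-SHA1-96 over [IP2][AH][IP1][ESP...] with mutable IPv4 fields and the ICV zeroed."""
    ip = bytearray(outer_ip)
    ip[1] = 0                  # TOS may change in transit
    ip[6:8] = b"\x00\x00"      # flags + fragment offset
    ip[8] = 0                  # TTL is decremented per hop
    ip[10:12] = b"\x00\x00"    # header checksum follows TTL
    data = bytes(ip) + ah_fixed + b"\x00" * ICV_LEN + inner
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(inner: bytes, key: bytes, spi: int, seq: int, ttl: int = 64) -> bytes:
    """Sender side: wrap an already-encrypted [IP1][ESP...] in [IP2][AH]."""
    total = 20 + 12 + ICV_LEN + len(inner)
    ip2 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, AH_PROTO, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 254]))
    ah_fixed = struct.pack("!BBHII", IPIP_PROTO, 4, 0, spi, seq)  # len 4 = 24/4 - 2
    return ip2 + ah_fixed + _icv(ip2, ah_fixed, inner, key) + inner

def gateway_authenticate(packet: bytes, key: bytes, spi: int):
    """Gateway side: check the AH ICV only; return the untouched inner packet or None."""
    if len(packet) < 44 or packet[0] != 0x45 or packet[9] != AH_PROTO:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    ip2, ah_fixed, icv, inner = packet[:20], packet[20:32], packet[32:44], packet[44:]
    nxt, plen, _rsv, pkt_spi, _seq = struct.unpack("!BBHII", ah_fixed)
    if nxt != IPIP_PROTO or plen != 4 or pkt_spi != spi:
        return None
    if not hmac.compare_digest(icv, _icv(ip2, ah_fixed, inner, key)):
        return None
    return inner   # still ESP-protected; the end host does the decode
```

The gateway's per-packet cost here is one HMAC over the whole packet and no cipher operation.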