updated IPPCP architecture draft
Roy Pereira <rpereira@TimeStep.com> Thu, 07 August 1997 15:23 UTC
Return-Path: rpereira@TimeStep.com
Received: from maltese.cisco.com (maltese.cisco.com [171.69.1.187]) by ftp-eng.cisco.com (8.6.12/8.6.5) with ESMTP id IAA11504 for <ippcp-archive-file@ftp-eng.cisco.com>; Thu, 7 Aug 1997 08:23:11 -0700
Received: from hubbub.cisco.com (mailgate-sj-1.cisco.com [198.92.30.31]) by maltese.cisco.com (8.6.12/8.6.5) with ESMTP id IAA06274 for <extdom.ippcp@aliashost.cisco.com>; Thu, 7 Aug 1997 08:22:25 -0700
Received: from ns.newbridge.com (ns.newbridge.com [192.75.23.67]) by hubbub.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with SMTP id IAA23267 for <ippcp@external.cisco.com>; Thu, 7 Aug 1997 08:22:16 -0700 (PDT)
Received: (from smap@localhost) by ns.newbridge.com (8.6.12/8.6.12) id LAA10498 for <ippcp@external.cisco.com>; Thu, 7 Aug 1997 11:21:58 -0400
Received: from kanata-gw1(192.75.23.72) by ns via smap (V1.3) id sma010484; Thu Aug 7 11:21:45 1997
Received: from kanmaster.ca.newbridge.com by kanata-gw1.ca.newbridge.com via smtpd (for ns.newbridge.com [192.75.23.67]) with SMTP; 7 Aug 1997 15:21:44 UT
Received: (from smap@localhost) by ca.newbridge.com. (8.8.6/8.8.6) id LAA27106 for <ippcp@external.cisco.com>; Thu, 7 Aug 1997 11:21:44 -0400 (EDT)
Received: from tsntsrv2.timestep.com(192.168.219.191) by kanmaster.ca.newbridge.com via smap (V1.3) id sma027062; Thu Aug 7 11:21:33 1997
Received: by tsntsrv2.timestep.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52) id <01BCA324.4CAA7180@tsntsrv2.timestep.com>; Thu, 7 Aug 1997 11:23:15 -0400
Message-ID: <c=US%a=_%p=TimeStep_Corpora%l=TSNTSRV2-970807152314Z-722@tsntsrv2.timestep.com>
From: Roy Pereira <rpereira@TimeStep.com>
To: 'IP Compression Mailing List' <ippcp@external.cisco.com>
Subject: updated IPPCP architecture draft
Date: Thu, 07 Aug 1997 11:23:14 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.995.52
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BCA324.4CE2E6A0"
I seems that the Archiecture draft that was submitted was cut-off short.
Here is the full version of that draft;
Internet Draft R. Monsour, Hi/fn, Inc.
Expires in six months R. Pereira, TimeStep Corporation
A. Shacham, Cisco Systems
July 30, 1997
IP Payload Compression Protocol Architecture
<draft-ietf-ippcp-arch-00.txt>
Status of this Memo
This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet-Drafts draft documents are valid for a maximum of six months
and may be updated, replaced, or obsolete by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material
or to cite them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited.
Abstract
This memo describes an architecture for applying lossless compression
to Internet Protocol datagrams. It defines several of the key
architectural elements of a compression protocol and describes
alternatives for each element.
Acknowledgments
The authors gratefully acknowledge the many sources of input who made
this draft possible, including Rodney Thayer, Bob Moskowitz, Naganand
Doraswamy, Thomas Narten and all those that participated in the early
discussions and debates of these concepts. It is hoped that the
continued focused effort of those involved in the IPCCP Working Group
will result in the rapid development of a useful IP compression
protocol.
R. Monsour, R. Pereira, A. Shacham [Page
1]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
Table of Contents
1. Introduction...................................................2
1.1. Background................................................2
1.2. IP Payload Compression Overview...........................3
1.3. Specification of Requirements.............................3
2. Use of IP Compression with IPSec...............................3
2.1. General Compression Processing............................3
2.2. Alternative Compression Protocol Approaches...............4
2.2.1. The IP Encapsulation Approach........................4
2.2.2. The IP Header Approach...............................5
2.2.3. Comparison of the Two Approaches.....................7
2.3. Interaction of IP Payload Compression with AH & ESP.......7
3. IP payload Compression without IPSec...........................7
4. Anti-expansion of Payload Data.................................8
5. Stateless vs. Stateful compression.............................8
6. Negotiation Mechanisms for IP Compression......................8
6.1. Use of ISAKMP in IPSec Contexts...........................9
6.1.1. Compression as a "Protocol"..........................9
6.1.2. Compression as a Protocol Attribute.................10
6.2. Static Configuration for Non-IPSec Contexts..............10
7. Implications with Ipv4 and Ipv6...............................11
8. Compression Method/Format Registration Mechanism..............11
9. Document Roadmap..............................................11
10. Security Considerations......................................12
11. References...................................................13
12. Authors' Addresses...........................................14
13. Working Group................................................14
1. Introduction
This document is a submission to the IETF IP Payload Compression
Protocol (IPCCP) Working Group. Comments are solicited and should be
addressed to the working group mailing list
(ippcp@external.cisco.com)
or to the editor.
1.1. Background
The motivation for the development of the IP Payload Compression
Protocol was initially driven by the use of the IP Security protocol
and the negative effect that IP encryption has on data link layer
compression techniques. Encrypted data is random in nature and not
compressible. When an IP datagram is encrypted, compression methods
used at lower protocol layers, e.g., the PPP Compression Control
Protocol [RFC-1962], are rendered ineffective. If both compression
and encryption are desired, compression must be performed first. Such
R. Monsour, R. Pereira, A. Shacham [Page
2]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
motivation drove the creation of a new working group, the IP Payload
Compression Protocol working group, and the development of this
document.
1.2. IP Payload Compression Overview
The IP payload compression architecture is designed to provide
compression services for the IP Protocol. Two fundamental
requirements
of such a compression protocol are: (1) that it supports the use of
any lossless compression method, and (2) the two communicating
parties
have a mechanism to negotiate the use of specific compression method
and any related parameters.
This document describes the architectural alternatives available for
supporting lossless compression services for IP datagrams. The
following topics are discussed:
a) alternative approaches for integrating compression with IP
Security
b) features of an IP compression protocol
c) negotiation and use of lossless compression techniques, both in
the presence and absence of the IP Security protocol
d) requirements for a registration mechanism used for identifying
compression methods for use with the protocol
e) a document roadmap to simplify access and understanding of the
necessary specifications
1.3. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC-2119].
2. Use of IP Compression with IPSec
2.1. General Compression Processing
The compression processing of IP datagrams has two phases,
compressing
of outbound IP datagrams and decompressing of inbound datagrams.
The compression of outbound IP datagrams MUST be done before any IP
security processing, such as encryption and authentication, and
before
any fragmentation of the IP datagram. Similarly, the decompression
of
inbound IP datagrams MUST be done after the reassembly of the IP
datagrams, and after the completion of all IP security processing,
such as authentication and decryption. Processing of inbound IP
R. Monsour, R. Pereira, A. Shacham [Page
3]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
datagrams MUST support both compressed and non-compressed IP
datagrams.
A different compression algorithm may be negotiated in each direction
of the communication channel, or only one direction may be
compressed.
2.2. Alternative Compression Protocol Approaches
Two recent Internet Drafts have been submitted by members of the
working group, each offering a different approach to the application
of lossless compression to IP datagram payloads. Note that in the
description of both approaches, examples are provided in the more
complex IP Security context. The simplification of the resulting
packet formats for non-IPSec environments should be apparent from the
examples.
2.2.1. The IP Encapsulation Approach
The first approach, what we'll call IP encapsulation, is described in
[Shacham]. This approach involves the following steps (Note: this is
a
simplified view of the processing):
a) a complete IP datagram is treated as a payload and is compressed
b) a new IP header is prepended to the datagram to be compressed
c) subsequent IP security processing, if any, is applied to the new
datagram
The following is an example datagram structure which results when
using this approach in conjunction with ESP. This approach can be
used
with AH as well as without any security processing of the datagram.
R. Monsour, R. Pereira, A. Shacham [Page
4]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Outer IP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
| Security Parameters Index (SPI) | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Sequence Number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
----
| | A ^ ^
~ Inner IP Header ~ | | |
| | | B C
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | |
| | | | |
~ Payload Data (variable) ~ | | |
| | | | v
~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|---
| | Padding (0-255 bytes) | | |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | Pad Length | Next Header | v v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
------
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A = Authentication Coverage
B = Confidentiality Coverage
C = Compression Coverage
Refer to [Shacham] for details on handling the Ipv4 and Ipv6 header
contents; i.e., which fields are copied from the inner header to the
outer header.
2.2.2. The IP Header Approach
The second approach, which we'll call the header approach, is
described in [Thomas]. In this approach, a compression header
immediately precedes the compressed payload. The header consists of a
compression parameters index (CPI); the CPI operates in a similar
manner to an SPI for security parameters. In other words, it uniquely
defines the parameters for compression processing on the receiving
end
of the compressed datagram. The CPI is followed by compression
method-
specific, optional, variable length field which includes all data
needed for a receiver to decompress the incoming datagram.
R. Monsour, R. Pereira, A. Shacham [Page
5]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
The following is an example datagram structure which results when
using this approach in conjunction with ESP. This approach can be
used
with AH as well as without any security processing of the datagram.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ IP Header ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
| Security Parameters Index (SPI) | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Sequence Number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |---
| Compression Parameters Index (CPI) | | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| Optional, Variable Length | | |
| Compression Method-Specific Data | A B
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|---
| | | | ^
~ Payload Data (variable) ~ | | C
| | | | v
~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
|---
| | Padding (0-255 bytes) | | |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | Pad Length | Next Header | v v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A = Authentication Coverage
B = Confidentiality Coverage
C = Compression Coverage
R. Monsour, R. Pereira, A. Shacham [Page
6]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
2.2.3. Comparison of the Two Approaches
The relative advantages and disadvantages of the two approaches are
provided in the table below.
+-----------------------------+--------------------+
| Advantages | Disadvantages |
+---------------+-----------------------------+--------------------|
| Encapsulation | Simple, straightforward | 20 byte IP header |
| | | overhead |
| | | Only host-to-host |
| | | associations |
+---------------+-----------------------------+--------------------+
| Header | Minimal overhead (8 bytes) | Some additional |
| | More control over | complexity |
| | associations | |
+---------------+-----------------------------+--------------------+
2.3. Interaction of IP Payload Compression with AH & ESP
As stated previously, in the IP layer, compression MUST be applied
before any encryption is applied. Thus, when used within IPSec with
either ESP or
AH, any compression protocol header must precede the security
protocols headers. In the following examples, IPCOMP refers to the IP
compression header.
Example: IP, ESP, IPCOMP, TCP
When tunneling IP packets, the compression protocol SHOULD
encapsulate
the entire inner IP packet.
Example: IP, ESP, IPCOMP, IP, UDP
3. IP payload Compression without IPSec
The use of compression without IPSec is possible as long as both
parties have pre-arranged the use of compression between them. Such
"pre-arrangement" can be performed either automatically through the
use of a negotiation mechanism such as ISAKMP (see section 6 for more
on this topic), or by some manual configuration of the two nodes. One
method that has been suggested is the use of static "compression
associations". In this method, a limited number of compression
parameters indexes (CPIs) would be designated to represent a list of
specific compression methods.
R. Monsour, R. Pereira, A. Shacham [Page
7]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
4. Anti-expansion of Payload Data
If the size of a compressed IP datagram, including whatever overhead
is included to define the compression protocol, is not smaller than
the size of the original IP datagram, the IP datagram MUST be sent in
the original non-compressed form. This policy ensures saving the
decompression processing cycles and avoiding incurring IP datagram
fragmentation when the expanded datagram is larger than the MTU.
Small IP datagrams are likely to expand as a result of compression.
Therefore, a numeric threshold SHOULD be applied before compression,
where IP datagrams of size smaller than the threshold are sent in the
original form without attempting compression. The numeric threshold
is implementation dependent.
An IP datagram with payload, which has been previously compressed,
tends not to compress any further. Such previously compressed
payload
may be the result of external processes, such as compression applied
by an upper layer in the communication stack, or by an off-line
compression utility. An adaptive algorithm, SHOULD be implemented in
order to avoid the performance hit. Such as adaptive algorithm is
implementation dependent and independent of compression method.
5. Stateless vs. Stateful compression
Since IP is a connectionless protocol, it is important that each
compressed packet be capable of being decompressed independently of
any other packet; i.e., the successful decompression of a packet MUST
NOT depend on the contents of any other packet(s), nor should it
depend on order of receipt of any other packet(s).
ISSUE: Does the working group believe that stateful IP compression is
completely out of the question, or should the protocol allow for
implementation of stateful compression (i.e., maintaining compression
history across IP datagrams)? Such an implementation could be
negotiated by consenting parties, much like many other protocol
options.
6. Negotiation Mechanisms for IP Compression
This section describes the options available for negotiating the use
and method of lossless compression for use in an IP payload
compression protocol.
R. Monsour, R. Pereira, A. Shacham [Page
8]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
6.1. Use of ISAKMP in IPSec Contexts
The Internet Security Association Key Management Protocol (ISAKMP)
defines procedures and packet formats to establish, negotiate, modify
and delete Security Associations (SA). SAs contain all the
information
required for execution of various network security services, such as
the IP layer services (such as header authentication and payload
encapsulation), transport or application layer services, or self-
protection of negotiation traffic.
For IP payload compression in the context of IP Security, ISAKMP
provides the necessary mechanisms to enable compression and to choose
which compression method shall be used between the two parties.
This documents describes two approaches to using ISAKMP to negotiate
the use of compression: (1) defining compression as a "protocol" (a
peer to ESP and AH), and (2) defining compression as an attribute of
the protocols negotiated using ISAKMP. Each of these is described
below, along with their pros and cons. Regardless of which approach
is
used, compression would be negotiated during an ISAKMP phase 2
negotiation.
6.1.1. Compression as a "Protocol"
In this method, compression would be negotiated by the initiator
using
a Proposal Payload, which would include one or more Transform
Payloads. The Proposal Payload would specify a compression protocol
in
the protocol id field and each Transform Payload would contain the
specific compression method(s) being offered to the responder.
ISSUE: This method requires an extension of the IPSec DOI [DOI] to
include compression in the list of available protocols. Currently,
the
IPSec DOI defines the following protocols: PROTO_ISAKMP,
PROTO_IPSEC_AH, and PROTO_IPSEC_ESP. Additionally, a list of
transforms for the compression protocol would need to be added to the
DOI (and/or handled by IANA registration - more on this later).
+-----------------------------------+--------------------------------
+
| PROS | CONS
|
+-----------------------------------+--------------------------------
+
| Better support for non-IPSec | Simple changes to the IPSec
|
| contexts | DOI spec
|
+-----------------------------------+--------------------------------
+
R. Monsour, R. Pereira, A. Shacham [Page
9]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
6.1.2. Compression as a Protocol Attribute
In this method, compression is negotiated through the use of Data
Attributes as described in the ISAKMP specification. Data Attributes
are included in each Transform Payload. Such attributes can take two
different forms, a basic attribute which has an attribute identifier
and a value, and a variable-length attribute. Compression would be an
attribute of a negotiated transform for one or more of the
PROTO_ISAKMP, PROTO_IPSEC_AH, or PROTO_IPSEC_ESP protocols.
Defining compression as a basic attribute could cause what we'll call
"transform payload explosion" (not unlike the earlier transform
explosion problem that IPSec suffered in earlier days). The reason
for
this is that in order for an initiator to provide a variety of
compression choices to the responder, each protocol would have to be
"proposed" to the responder once for each value of compression
attribute (which can only contain a single value for compression
choice).
An alternative to the preceding technique would be to define
compression as a variable-length attribute where the attribute,
provided once for each protocol for which compression would be
offered, would contain a list of offered compression algorithms, with
the first in the list being the most preferred by the initiator.
ISSUE: Both of these methods require an extension of the IPSec DOI to
include compression in the list of Security Association attributes.
Examples of the currently defined attributes include: Replay
Prevention and Encapsulation Mode (transport or tunnel mode).
+----------------------------------------+---------------------------
+
| PROS | CONS
|
+----------------------------------------+---------------------------
+
| Achieves primary goal of working group | Less general solution
|
| Simple changes to the IPSec DOI spec |
|
+----------------------------------------+---------------------------
+
6.2. Static Configuration for Non-IPSec Contexts
It may be desirable to use IP compression in contexts other than
IPSec/ISAKMP. Where this is the case, an alternate method for
communicating which compression method is used will be necessary. One
method that has been suggested is the use of static, "compression
associations". In this method, a limited number of compression
parameters indexes (CPIs) would be designated to represent a list of
specific compression methods. Note that CPIs and Compression
Associations are protocol dependent fields.
R. Monsour, R. Pereira, A. Shacham [Page
10]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
7. Implications with Ipv4 and Ipv6
The two approaches to applying compression to IP datagrams face the
same interaction issues with Ipv4 and IPV6 as other protocols (like
IPSec). The ones that immediately come to mind involve alignment of
headers, particularly in Ipv6. There may be additional, more serious
implications for the working group to consider and resolve during the
development of the protocol specification.
8. Compression Method/Format Registration Mechanism
The negotiation of which compression method will be used by the two
communicating parties requires that there be a means for identifying
which compression method to use. Protocols such as PPP, which use
compression, have a list of identifiers for compression
sub-protocols.
This list of identifiers is maintained by the IANA. The IP payload
compression protocol will require a similar list of compression
method
identifiers.
ISSUE: It was suggested by Jon Postel, who runs the IANA, that this
group investigate the possibility of using the same list of
identifiers as PPP. There are two potential problems in using this
list: First, the numbers do not define unique compression methods
(e.g., two of them refer to LZS, but have different PPP-specific
protocol handling). Secondly, the list is under the list of PPP
number
assignments and may be nerve-racking to locate during the
implementation of the resulting IP payload compression protocol. One
approach to use these numbers would be to document which of the PPP
numbers are valid for IP payload compression; in addition, each
compression method would specify the appropriate PPP number that it
would use.
9. Document Roadmap
This section provides an overall roadmap to the documents to be
produced by the IP payload compression protocol working group.
This document, while not specifically called for in the working group
charter, has been produced to provide a general architectural
framework for the development of the detailed protocol
specifications,
from which implementations will be built.
R. Monsour, R. Pereira, A. Shacham [Page
11]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
The working group charter calls for the following documents to be
produced:
a) IP payload compression protocol specification
b) Compression transform specifications (one or more)
c) ISAKMP negotiation mechanism specification
As of the date of this writing, two drafts have been generated to
address the protocol specification. The basic architectural
approaches
of these drafts is discussed earlier in this document.
The compression transform specifications shall specify how a specific
compression algorithm can be used with the IP payload compression
protocol.
The ISAKMP negotiation mechanism specification shall specify the
details of using ISAKMP to negotiate the use of compression. There
may
be two such drafts, one to address use of ISAKMP in the IPSec context
and one for non-IPSec contexts. In the case where ISAKMP is used in
contexts other than IPSec, an additional document, a compression
Domain of Interpretation will be required.
10. Security Considerations
This memo discusses the use of lossless compression technology in a
security protocol, specifically IPSec. The proposed use of
compression
within this protocol is not believed to have an effect on the
underlying security functionality provide by the protocol; i.e., the
use of compression is not known to degrade or alter the nature of the
underlying security architecture or the encryption technologies used
to implement it.
The use of compression does change the length of ESP payloads, in a
manner that depends on the data prior to encryption. Thus, the use
of
compression may have an effect on the ability of an eavesdropper to
glean information by analyzing the length of transmitted packets.
For the encapsulation approach, IP compression potentially reduces
the
security of the Internet, similar to the effects of IP encapsulation
[RFC-2003]. For example, IP compression makes it difficult for
border
routers to filter datagrams based on header fields. In particular,
the original value of the Protocol field in the IP header, and any
transport header fields within the datagram, such as port numbers,
are
neither located in their normal positions within the datagram nor
presented in their original values after compression. Filtering
border router can filter the datagram only if it shares the security
association used for the compression. To allow this sort of
R. Monsour, R. Pereira, A. Shacham [Page
12]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
compression in environments in which all packets need to be filtered
(or at least accounted for), a mechanism must be in place for the
receiving node to securely communicate the security association to
the
border.
11. References
[AH] Kent, S., Atkinson, R., "IP Authentication Header", draft-ietf-
ipsec-auth-header-01.txt, Work in Progress, July 1997.
[DOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", Internet-Draft: draft-ietf-ipsec-ipsec-doi-02.txt, Work
in Progress, February 1997.
[ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload,"
draft-ietf-ipsec-esp-v2-00.txt, Work in Progress, July 1997.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and Turner, J.,
"Internet Security Association and Key Management Protocol (ISAKMP)",
draft-ietf-ipsec-isakmp-08.txt, Work in Progress, July 1997.
[RFC-1700] Reynolds, J., Postel, J., "Assigned Numbers", RFC 1700,
October 1994.
[RFC-1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
(IPv6) Specification", RFC 1883, April 1996.
[RFC-1962] Rand, D., "The PPP Compression Control Protocol (CCP)",
RFC-1962, June 1996.
[RFC-2003] Perkins, C., "IP Encapsulation within IP", RFC 2003,
October 1996.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[Shacham] Shacham, A., "IP Payload Compression Protocol (IPComp)",
draft-ietf-ippcp-protocol-00.txt, Work in Progress, July 1997.
[Thayer] Thayer, R., "Compression Payload for Use with IP Security",
draft-thayer-seccomp-01.txt, Work in Progress, March, 1997.
[Thomas] Thomas, M., "The Compressed Payload Header", draft-thomas-
ippcp-compression-00.txt, Work in Progress, July 1997.
R. Monsour, R. Pereira, A. Shacham [Page
13]
Internet Draft draft-ietf-ippcp-arch-00.txt July 29,
1997
12. Authors' Addresses
Robert Monsour
Hi/fn Inc.
5973 Avenida Encinas
Carlsbad, CA 92008
Email: rmonsour@hifn.com
Roy Pereira
TimeStep Corporation
362 Terry Fox Drive
Kanata, Ontario K2K 2P5
Email: rpereira@timestep.com
Abraham Shacham
Cisco Systems
101 Cooper Street
Santa Cruz, CA 95060
Email: shacham@cisco.com
13. Working Group
The IP Payload Compression Protocol (IPPCP) working group can be
contacted through its chair:
Naganand Dorswamy
Bay Networks
naganand@baynetworks.com
The IPPCP mailing list may be subscribed to by sending an email to
"mailer@cisco.com" and including "SUBSCRIBE ippcp" in the text of the
message.
R. Monsour, R. Pereira, A. Shacham [Page
14]
- updated IPPCP architecture draft Roy Pereira