RE: IPCOMP and IPSEC
Roy Pereira <rpereira@TimeStep.com> Sat, 30 May 1998 01:55 UTC
Return-Path: rpereira@TimeStep.com
Received: from beasley.cisco.com (mailgate-sj-2.cisco.com [171.69.2.135]) by ftp-eng.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id SAA08740 for <ippcp-archive-file@ftp-eng.cisco.com>; Fri, 29 May 1998 18:55:26 -0700 (PDT)
Received: from proxy3.cisco.com (proxy3.cisco.com [192.31.7.90]) by beasley.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with ESMTP id MAA07541 for <ippcp@external.cisco.com>; Thu, 28 May 1998 12:08:16 -0700 (PDT)
Received: (from smap@localhost) by proxy3.cisco.com (8.8.7/8.8.5) id MAA06047 for <ippcp@external.cisco.com>; Thu, 28 May 1998 12:08:14 -0700 (PDT)
Received: from ns.newbridge.com(192.75.23.67) by proxy3.cisco.com via smap (V2.0) id xma006030; Thu, 28 May 98 19:08:11 GMT
X-SMAP-Received-From: outside
Received: (from smap@localhost) by ns.newbridge.com (8.8.8/8.6.12) id PAA21620; Thu, 28 May 1998 15:04:26 -0400 (EDT)
Received: from kanata-gw1(192.75.23.72) by ns via smap (V1.3) id sma018551; Thu May 28 14:42:38 1998
Received: from kanmaster.ca.newbridge.com by kanata-gw1.ca.newbridge.com via smtpd (for ns.newbridge.com [192.75.23.67]) with SMTP; 28 May 1998 18:42:38 UT
Received: from exchange.timestep.com (exchange.timestep.com [192.168.219.193]) by ca.newbridge.com. (8.8.6/8.8.6) with ESMTP id OAA27398; Thu, 28 May 1998 14:42:37 -0400 (EDT)
Received: by exchange.timestep.com with Internet Mail Service (5.5.1960.3) id <LKBYXLL7>; Thu, 28 May 1998 14:41:36 -0400
Message-ID: <319A1C5F94C8D11192DE00805FBBADDF12457E@exchange.timestep.com>
From: Roy Pereira <rpereira@TimeStep.com>
To: Stephen Waters <Stephen.Waters@digital.com>
Cc: ipsec@tis.com, ippcp@external.cisco.com
Subject: RE: IPCOMP and IPSEC
Date: Thu, 28 May 1998 14:41:36 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
My appologies Stephen, you were correct. I got a little confused and wrote things backwards. Your original layout is the correct mechanism to use when the gateway is handling both IPSec and IPComp. [IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP auth] To answer you question of where the explicit IV goes; it must go right after the ESP header (spi+replay), thus it is before the IPComp. This is because IPComp is really another protocol and not part of IPSec, thus it is treated as protocol data just like TCP/UDP to IPSec. > -----Original Message----- > From: Stephen Waters [mailto:Stephen.Waters@digital.com] > Sent: Thursday, May 28, 1998 1:56 PM > To: Roy Pereira > Cc: ipsec@tis.com; ippcp@external.cisco.com > Subject: FW: IPCOMP and IPSEC > > > > Ah, so there is some confusion then. I think (thought) the > right thing > to do was put the IPCOMP header outside the original IP > header though - > that makes it obvious that the peer SG need to strip it off before > forwarding the original packet. If the IPCOMP was inserted > after IP1 by > a SG, how would the receiving SG know whether to extract it again - it > looks identical to a packet that has been compression by the original > host. > > Steve. > > > IPComp may be added by a security gateway just like IPSec ESP/AH is > added. It would probably look like this though: > [IP2] > [ESP spi+replay+iv] > [IP1] > [IPCOMP] > [TCP] > [data] > [ESP padding+next protocol+auth] > > > > > -----Original Message----- > > From: Stephen Waters [mailto:Stephen.Waters@digital.com] > <mailto:[mailto:Stephen.Waters@digital.com]> > > Sent: Wednesday, May 27, 1998 6:19 PM > > To: ippcp@external.cisco.com; > <mailto:ippcp@external.cisco.com;> ipsec@tis.com <mailto:ipsec@tis.com> > Subject: IPCOMP and IPSEC > > > > Is IPCOMP restricted for use by Hosts (at packet origin), or can it be > appended by a Security Gateway as part of the process of > adding an IPSEC > tunnel header? > > e.g. > > Original host packet [IP1][TCP][data] > > After passing through a security gateway/IP tunnel: > > [IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP auth] > > > If this is supported, is it detailed anywhere? For example, if an > Explicit IV is used, would it come after the ESP header or after the > IPCOMP header? > > > > > > Stephen Waters > DEVON, UK > > National: 01548 551012 / 550474 > International: 44 1548 551012 / 550474 > Stephen.Waters@Digital.com >
- Re: IPCOMP and IPSEC Daniel Harkins
- IPCOMP and IPSEC Stephen Waters
- Re: IPCOMP and IPSEC Daniel Harkins
- Re: IPCOMP and IPSEC Naganand Doraswamy
- Re: IPCOMP and IPSEC Saroop Mathur
- Re: IPCOMP and IPSEC Eric Dean
- Re: IPCOMP and IPSEC Marc Hasson
- Re: IPCOMP and IPSEC Marc Hasson
- RE: IPCOMP and IPSEC Avram Shacham
- FW: IPCOMP and IPSEC Stephen Waters
- RE: IPCOMP and IPSEC Avram Shacham
- Re: IPCOMP and IPSEC Daniel Harkins
- RE: IPCOMP and IPSEC Roy Pereira
- RE: IPCOMP and IPSEC Roy Pereira
- Re: IPCOMP and IPSEC Daniel Harkins
- RE: IPCOMP and IPSEC Roy Pereira
- RE: IPCOMP and IPSEC Eric Dean
- RE: IPCOMP and IPSEC Stephen Waters
- RE: IPCOMP and IPSEC Eric Dean
- RE: IPCOMP and IPSEC Eric Dean
- Re: IPCOMP and IPSEC Stephen Kent
- RE: IPCOMP and IPSEC Robert Moskowitz
- RE: IPCOMP and IPSEC Avram Shacham
- RE: IPCOMP and IPSEC Paul Koning