Re: IPCOMP and IPSEC
Daniel Harkins <dharkins@cisco.com> Sat, 30 May 1998 01:52 UTC
Return-Path: dharkins@cisco.com
Received: from beasley.cisco.com (mailgate-sj-2.cisco.com [171.69.2.135]) by ftp-eng.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id SAA08723 for <ippcp-archive-file@ftp-eng.cisco.com>; Fri, 29 May 1998 18:52:39 -0700 (PDT)
Received: from jindo.cisco.com (jindo.cisco.com [171.69.43.22]) by beasley.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with ESMTP id LAA03419 for <ippcp-archive-file@ftp-eng.cisco.com>; Thu, 28 May 1998 11:35:07 -0700 (PDT)
Received: from hubbub.cisco.com (mailgate-sj-1.cisco.com [198.92.30.31]) by jindo.cisco.com (8.8.5-Cisco.2-SunOS.5.5.1.sun4/8.6.5) with ESMTP id LAA14140 for <extdom.ippcp@aliashost.cisco.com>; Thu, 28 May 1998 11:34:47 -0700 (PDT)
Received: from airedale.cisco.com (airedale.cisco.com [171.69.1.135]) by hubbub.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with SMTP id LAA26590 for <ippcp@external.cisco.com>; Thu, 28 May 1998 11:34:46 -0700 (PDT)
Received: from dharkins-ss20.cisco.com (dharkins-ss20.cisco.com [171.69.56.149]) by airedale.cisco.com (8.6.12/8.6.5) with ESMTP id LAA06695; Thu, 28 May 1998 11:28:09 -0700
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by dharkins-ss20.cisco.com (8.6.8+c/CISCO.WS.1.1) with SMTP id LAA27629; Thu, 28 May 1998 11:28:09 -0700
Message-Id: <199805281828.LAA27629@dharkins-ss20.cisco.com>
X-Authentication-Warning: dharkins-ss20.cisco.com: Host localhost.cisco.com didn't use HELO protocol
To: Roy Pereira <rpereira@TimeStep.com>
Cc: Stephen Waters <Stephen.Waters@digital.com>, ippcp@external.cisco.com, ipsec@tis.com
Subject: Re: IPCOMP and IPSEC
In-Reply-To: Your message of "Thu, 28 May 1998 13:56:10 EDT." <319A1C5F94C8D11192DE00805FBBADDF12454A@exchange.timestep.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 28 May 1998 11:28:08 -0700
From: Daniel Harkins <dharkins@cisco.com>
Roy, Actually, I don't think the way you proposed is correct. While IPCOMP can be applied in either transport or tunnel mode it *has* to be applied in the same mode as the parallel IPSec SA. The way you proposed has IPCOMP in transport and IPSec in tunnel. That won't work. Dan. > IPCOMP may be applied in either tunnel mode or transport mode just like > IPSec. You are right, either way is equally correct. > > > -----Original Message----- > > From: Daniel Harkins [mailto:dharkins@cisco.com] > > Sent: Thursday, May 28, 1998 12:53 PM > > To: Roy Pereira > > Cc: Stephen Waters; ippcp@external.cisco.com; ipsec@tis.com > > Subject: Re: IPCOMP and IPSEC > > > > > > Roy, > > > > > IPComp may be added by a security gateway just like IPSec ESP/AH is > > > added. It would probably look like this though: > > > > > > [IP2] > > > [ESP spi+replay+iv] > > > [IP1] > > > [IPCOMP] > > > [TCP] > > > [data] > > > [ESP padding+next protocol+auth] > > > > Why would it look like that and not: > > > > [IP2] > > [ESP spi+replay+iv] > > [IPCOMP] > > [IP1] > > [TCP] > > [data] > > [ESP padding+next protocol+auth] > > > > I have a rule that says "for traffic from foo to bar apply > > IPCOMP then > > IPSec" so why would my IPCOMP be effectively a transport mode > > application > > while my IPSec would be tunnel. They're both part of the same rule so > > they're both done in the same mode. > > > > An intermediate gateway shouldn't muck with the inner packet. If you > > did what you propose the packet would be forwarded on to the > > destination > > address of IP1 who most likely doesn't have the IPCOMP SA to > > decompress > > it. The IPCOMP "SA" is negotiated along with the IPSec SA so > > they both > > have to be targeted to the same destination and be applied in > > the same mode. > > > > Dan. >
- Re: IPCOMP and IPSEC Daniel Harkins
- IPCOMP and IPSEC Stephen Waters
- Re: IPCOMP and IPSEC Daniel Harkins
- Re: IPCOMP and IPSEC Naganand Doraswamy
- Re: IPCOMP and IPSEC Saroop Mathur
- Re: IPCOMP and IPSEC Eric Dean
- Re: IPCOMP and IPSEC Marc Hasson
- Re: IPCOMP and IPSEC Marc Hasson
- RE: IPCOMP and IPSEC Avram Shacham
- FW: IPCOMP and IPSEC Stephen Waters
- RE: IPCOMP and IPSEC Avram Shacham
- Re: IPCOMP and IPSEC Daniel Harkins
- RE: IPCOMP and IPSEC Roy Pereira
- RE: IPCOMP and IPSEC Roy Pereira
- Re: IPCOMP and IPSEC Daniel Harkins
- RE: IPCOMP and IPSEC Roy Pereira
- RE: IPCOMP and IPSEC Eric Dean
- RE: IPCOMP and IPSEC Stephen Waters
- RE: IPCOMP and IPSEC Eric Dean
- RE: IPCOMP and IPSEC Eric Dean
- Re: IPCOMP and IPSEC Stephen Kent
- RE: IPCOMP and IPSEC Robert Moskowitz
- RE: IPCOMP and IPSEC Avram Shacham
- RE: IPCOMP and IPSEC Paul Koning