Re: IPCOMP and IPSEC
mark@mentat.com (Marc Hasson) Sat, 30 May 1998 01:36 UTC
Date: Thu, 28 May 1998 13:40:53 -0700
From: mark@mentat.com
Message-Id: <199805282040.NAA01397@orna.mentat.com>
To: dharkins@cisco.com
Subject: Re: IPCOMP and IPSEC
Cc: rpereira@TimeStep.com, Stephen.Waters@digital.com, ippcp@external.cisco.com, ipsec@tis.com

Dan,

> I guess you could say that ESP is in transport mode, but what about the
> case where both AH and ESP are applied to the same packet:
>
> [IP2][AH][ESP][IP1][data]
>
> Is AH in transport mode?

Good point. I can hear people arguing it both ways and am sorry I raised that side tidbit. What's more important is that we all understand how to process the above, which I think is pretty clear in the specs.

> Roy's would be correct if the compression was being done by the host before
> passing the packet to the SG, but Stephen (in the original post that started
> this all) stated that the original packet received by the SG was:
>
> [IP1][TCP][data]

Agreed, and a later post of Roy's corrected his response to Steve. I had just wanted to confirm that Roy's packet description was correct *if* the original host had instead emitted:

[IP1][IPCOMP][TCP][data]

which the first SG turns into Roy's:

[IP2][ESP][IP1][IPCOMP][TCP][data][ESP trailer]

Your paragraph above confirms this, thanks.

> In this case I don't think it's legal for a SG to add anything-- IPSec or
> IPCOMP-- in transport mode.

You sound right to me. One would certainly complicate the SG's job as well as one is more likely to experience topology-related problems if this was permitted since the SG containing the SA (or CA) is not explicitly addressed. I believe the group has rejected this SG "transport mode addition" before.

-- Marc --