FW: IPCOMP and IPSEC

[Stephen Waters <Stephen.Waters@digital.com>]

Ah, so there is some confusion then.   I think (thought) the right thing
to do was put the IPCOMP header outside the original IP header though -
that makes it obvious that the peer SG need to strip it off before
forwarding the original packet.  If the IPCOMP was inserted after IP1 by
a SG, how would the receiving SG know whether to extract it again - it
looks identical to a packet that has been compression by the original
host.

Steve. 


IPComp may be added by a security gateway just like IPSec ESP/AH is
added.  It would probably look like this though:
[IP2]
[ESP spi+replay+iv]
	[IP1]
	[IPCOMP]
	[TCP]
	[data] 
	[ESP padding+next protocol+auth]



	> -----Original Message-----
	> From:	Stephen Waters [mailto:Stephen.Waters@digital.com]
<mailto:[mailto:Stephen.Waters@digital.com]> 
	> Sent:	Wednesday, May 27, 1998 6:19 PM
	> To:	ippcp@external.cisco.com;
<mailto:ippcp@external.cisco.com;>  ipsec@tis.com <mailto:ipsec@tis.com>

	> Subject:	IPCOMP and IPSEC
	> 
	> 
	> 
	> Is IPCOMP restricted for use by Hosts (at packet origin), or
can it be
	> appended by a Security Gateway as part of the process of 
	> adding an IPSEC
	> tunnel header?
	> 
	> e.g.
	> 
	> Original host packet [IP1][TCP][data]
	> 
	> After passing through a security gateway/IP tunnel:
	> 
	> [IP2][ESP][IPCOMP][IP1][TCP][data][padding/next protocol][ESP
auth]
	> 
	> 
	> If this is supported, is it detailed anywhere?  For example,
if an
	> Explicit IV is used, would it come after the ESP header or
after the
	> IPCOMP header?
	> 
	> 
	> 
	> 
	> 
	> Stephen Waters
	> DEVON, UK
	> 
	> National: 01548 551012 / 550474
	> International: 44 1548 551012 / 550474
	> Stephen.Waters@Digital.com 
	>