Re: Does anyone care about IPcomp with IKE? (IPcomp=IP compression)
"Steven M. Bellovin" <smb@research.att.com> Mon, 29 October 2001 02:34 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9T2Yg828071; Sun, 28 Oct 2001 18:34:42 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA04726 Sun, 28 Oct 2001 20:47:57 -0500 (EST)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
From: "Steven M. Bellovin" <smb@research.att.com>
To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Cc: ipsec@lists.tislabs.com
Subject: Re: Does anyone care about IPcomp with IKE? (IPcomp=IP compression)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 28 Oct 2001 20:55:44 -0500
Message-Id: <20011029015544.B57687B55@berkshire.research.att.com>
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
In message <200110290135.UAA18324@bcn.East.Sun.COM>, Radia Perlman - Boston Cen ter for Networking writes: >I don't quite understand why IKE is negotiating IPcomp, and it clutters >up the IKE spec. Presumably IPcomp should exist outside of IPsec, as >in you might want to send a compressed packet even if it isn't >cryptographically protected. So presumably there's already some way >of negotiating compression algorithms, or at least there would have >to be in order to deploy IPcomp without IPsec. So would anyone object >to removing all mention of IPcomp from the IKE spec? > >If anyone likes IPcomp and wants it >to stay in IKE, perhaps they'd be willing to explain it to me? :-) The problem is that link-layer encryption -- the most common form below the application -- doesn't work on IPsec packets, and the upper layers may not be aware of, say, gateway-to-gateway IPsec. The IPsec layer, in other words, is the first to know for sure that a lower layer can't do the encryption that might be desired. There's no other negotiation mechanism for IPcomp because compression is circuit-like, and there are no other circuits at the IP layer. (For discussion on how to negotiate compression at the TCP layer, see http://www.research.att.com/~smb/papers/draft-bellovin-tcpfilt-00.txt and http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt. We've implemented the scheme, and are planning on updating and resubmitting the drafts.) --Steve Bellovin, http://www.research.att.com/~smb Full text of "Firewalls" book now at http://www.wilyhacker.com
- Does anyone care about IPcomp with IKE? (IPcomp=I… Radia Perlman - Boston Center for Networking
- Re: Does anyone care about IPcomp with IKE? (IPco… Steven M. Bellovin
- Re: Does anyone care about IPcomp with IKE? (IPco… Steven M. Bellovin
- Re: Does anyone care about IPcomp with IKE? (IPco… Radia Perlman - Boston Center for Networking
- Re: Does anyone care about IPcomp with IKE? (IPco… itojun
- Re: Does anyone care about IPcomp with IKE? (IPco… John Border
- Re: Does anyone care about IPcomp with IKE? (IPco… Joel Snyder
- Re: Does anyone care about IPcomp with IKE? (IPco… Thomas Narten