RE: IPCOMP and IPSEC

[Robert Moskowitz <rgm-sec@htt-consult.com>]

At 10:38 AM 5/30/98 +0100, Stephen Waters wrote:

Sorry I have been out of the loop for a while.  I am back for a bit.

First off, gateways will REALLY NEED to implement IPCOMP.  After all, what
will MOST remotes be maintaining a tunnel too?  Hmm?

In fact this points to an advantage of IPCOMP over V.42bis and PPP
compression.  The later only benefit the dialup link.  The former will tend
to reduce bandwidth over the net (that is if we get some of those 1.7:1
reductions).

Also, as Avram pointed out, where there is a compression gain, there will
be and encryption savings.  Given the 'right' hardware this might be a
total processing gain (time will tell), and this could benefit heavily
loaded gateways.

>
>	I guess time will tell.  For remote-access VPN stuff (over the
>Internet), there is no doubt that 
>	stateless compression is what you use.  For some of the newer
>VNP-focused providers offering
>	QOS for LAN-to-LAN, it may be possible to use a history - even
>for IPPCP.

Remember one of the design problems in IPsec:  you do not want IPsec
dealing with lost packets.  That is an upper layer problem.  If you use
history, will lost packets be an issue?  There was also some concern of
security weakening with history, but that was never really nailed down.

The general concensus was that IPCOMP was yet another hack, and really
TCPng needs to add intelligent compression (that is interact with the
application).  There is could have history.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com