Re: IPCOMP and IPSEC

[mark@mentat.com (Marc Hasson)]

Dan,

 > 
 > I guess you could say that ESP is in transport mode, but what about the
 > case where both AH and ESP are applied to the same packet:
 > 
 > 	[IP2][AH][ESP][IP1][data]
 > 
 > Is AH in transport mode? 

Good point.  I can hear people arguing it both ways and am sorry I
raised that side tidbit.  Whats more important is that we all understand
how to process the above, which I think is pretty clear in the specs.

 > Roy's would correct if the compression was being done by the host before
 > passing the packet to the SG, but Stephen (in the original post that started
 > this all) stated that the original packet received by the SG was:
 > 
 > 	 [IP1][TCP][data]

Agreed, and a later post of Roy's corrected his response to Steve.  I had
just wanted to confirm that Roy's packet description was correct *if* the
original host had instead emitted:

 	 [IP1][IPCOMP][TCP][data]

which the first SG turns into Roy's:

 	 [IP2][ESP][IP1][IPCOMP][TCP][data][ESP trailer]

Your paragraph above confirms this, thanks.

 > 
 > In this case I don't think it's legal for a SG to add anything-- IPSec or
 > IPCOMP-- in transport mode. 

You sound right to me.  One would certainly complicate the SG's job as well
as one is more likely to experience topology-related problems if this was
permitted since the SG containing the SA (or CA) is not explicitly addressed.
I believe the group has rejected this SG "transport mode addition" before.
                        
                         
   -- Marc --