Re: Does anyone care about IPcomp with IKE? (IPcomp=IP compression)
Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com> Mon, 29 October 2001 03:30 UTC
Date: Sun, 28 Oct 2001 21:47:10 -0500
From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Reply-To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Subject: Re: Does anyone care about IPcomp with IKE? (IPcomp=IP compression)
To: Radia.Perlman@sun.com, smb@research.att.com
Cc: ipsec@lists.tislabs.com
"Steven M. Bellovin" <smb@research.att.com> writes: >The problem is that link-layer encryption -- the most common form below >the application -- doesn't work on IPsec packets, and the upper layers >may not be aware of, say, gateway-to-gateway IPsec. The IPsec layer, >in other words, is the first to know for sure that a lower layer can't >do the encryption that might be desired. > >There's no other negotiation mechanism for IPcomp because compression >is circuit-like, and there are no other circuits at the IP layer. (For >discussion on how to negotiate compression at the TCP layer, see >http://www.research.att.com/~smb/papers/draft-bellovin-tcpfilt-00.txt >and http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt. [I assume you mean "link-layer compression" above, not "link-layer encryption"]. Thanks! What I needed was a pointer to RFC 2393, which I got from your paper pointed to above. It does seem as though doing it end-to-end independently of IPsec (as is done in the internet draft you pointed me to) would be a better thing. Though I suppose doing it in IKE means that it works for UDP also. So I guess I can't assume a TCP mechanism for negotiating compression will replace the IKE mechanism. Radia