[Sis-csi] IPSec AH and SCPS-NP

Scott, Keith L. kscott at mitre.org
Thu Dec 7 11:18:04 EST 2006


That would work (and *is* sort of what would happen with ESP, since the
inner IP header's encrypted).  One of the main points of SCPS-NP,
however, is bit efficiency, which would be lost with a tunneling
approach -- why not simply forward the original IPv4/AH packet and save
the few bytes of NP header?

I think the difference in size is significant.  A minimal NP header is
just one byte.  Granted it will take ~5-10 bytes for the AH header, but
another 40 for IP would be a lot.  One could use IPv4 header
compression to reduce that and tunnel the compressed IPv4 header, but
as above, one could simply route the (compressed) v4.

I was going to say that I don't think there's any issue with v6, since
all of the header information has to be reconstructable from the NP
packet, but there's that flow label field that I don't think NP would
support carrying...  There are defined TPIDs for IPv6 AH and ESP; I
wonder if we need to do something to support carriage of the flow label
field?  If we go with option 2 or 3 from the slides (that use some of
the reserved bits in the SCPS-NP control field), we could say that one
of those bits in conjunction with IPv6 means that the flow label is
present (or not).

Certainly a question worth asking!

	--keith

-----Original Message-----
From: Marc Blanchet [mailto:marc.blanchet at viagenie.ca] 
Sent: Thursday, December 07, 2006 9:43 AM
To: Scott, Keith L.
Cc: sis-csi at mailman.ccsds.org; Feighery, Patrick D.; Durst, Robert C.
Subject: Re: [Sis-csi] IPSec AH and SCPS-NP

Maybe my comment is dumb, but why not tunnel IPv*-with-IPsec into
the payload of SCPS-NP (i.e. include the whole IP header and payload
into the payload of SCPS-NP) and then you have "nothing" to do to
support IPsec in NP, since IPsec will be managed by IP devices. Dumb?

Marc.

On 06-12-06 at 15:28, Scott, Keith L. wrote:

> As part of our charter item to update existing CCSDS  
> specifications, there is a rather old outstanding action item to  
> update the SCPS Network Protocol (SCPS-NP) to support carriage of  
> information needed for end-to-end IPSec AH across SCPS-NP networks.
>
> I put together some slides on this topic and placed them at
> (http://public.ccsds.org/sites/cwe/sis-csi/Public/Draft%20Documents/Carrying%20IPSEC%20Authentication%20Headers%20in%20SCPS-NP.ppt).
> The slides present three options with varying implications (one option
> uses only a new TPID but costs a byte, the other two have lower
> overhead but use bits from the NP control field).
>
> I'd like to open this up for discussion and try to come to a rough  
> consensus before we go into the January meetings.
>
>         --keith