[Sis-csi] IPSec AH and SCPS-NP
Scott, Keith L.
kscott at mitre.org
Thu Dec 7 11:18:04 EST 2006
That would work (and *is* sort of what would happen with ESP, since the
inner IP header's encrypted). One of the main points of SCPS-NP,
however, is bit efficiency, which would be lost with a tunneling
approach -- why not simply forward the original IPv4/AH packet and save
the few bytes of NP header?

I think the difference in size is significant. A minimal NP header is
just one byte. Granted it will take ~5-10 bytes for the AH header, but
another 40 for IP would be a lot. One could use IPv4 header
compression to reduce that and tunnel the compressed IPv4 header, but
as above, one could simply route the (compressed) v4.

I was going to say that I don't think there's any issue with v6, since
all of the header information has to be reconstructable from the NP
packet, but there's that flow label field that I don't think NP would
support carrying... There are defined TPIDs for IPv6 AH and ESP; I
wonder if we need to do something to support carriage of the flow label
field? If we go with option 2 or 3 from the slides (that use some of
the reserved bits in the SCPS-NP control field), we could say that one
of those bits in conjunction with IPv6 means that the flow label is
present (or not).

Certainly a question worth asking!

--keith

-----Original Message-----
From: Marc Blanchet [mailto:marc.blanchet at viagenie.ca]
Sent: Thursday, December 07, 2006 9:43 AM
To: Scott, Keith L.
Cc: sis-csi at mailman.ccsds.org; Feighery, Patrick D.; Durst, Robert C.
Subject: Re: [Sis-csi] IPSec AH and SCPS-NP
Maybe my comment is dumb, but why not tunnel IPv*-with-IPsec into
the payload of SCPS-NP (i.e. include the whole IP header and payload
into the payload of SCPS-NP) and then you have "nothing" to do to
support IPsec in NP, since IPsec will be managed by IP devices. dumb?
Marc.
On 06-12-06 at 15:28, Scott, Keith L. wrote:
> As part of our charter item to update existing CCSDS
> specifications, there is a rather old outstanding action item to
> update the SCPS Network Protocol (SCPS-NP) to support carriage of
> information needed for end-to-end IPSec AH across SCPS-NP networks.
>
> I put together some slides on this topic and placed them at
> (http://public.ccsds.org/sites/cwe/sis-csi/Public/Draft%20Documents/Carrying%20IPSEC%20Authentication%20Headers%20in%20SCPS-NP.ppt). The
> slides present three options with varying implications (one option
> uses only a new TPID but costs a byte, the other two have lower
> overhead but use bits from the NP control field).
>
> I'd like to open this up for discussion and try to come to a rough
> consensus before we go into the January meetings.
>
> --keith