IPsec and ROHC

Asked by matthew

Hi All,

The system I'm looking to implement requires the use of strongSwan to establish IPSec between two end points, using tunnel mode, though that last part might be up for negotiation.

I wish to implement ROHC in combination with the IPSec. The problem is I don't fully understand how StrongSwan works, or even how IPSec within Linux functions at the software source code level. Even something as simple as understanding what happens to my IP packet once it leaves netcat has been difficult for me to achieve.

So how would you go about tackling this problem, what do you think my options are?

Do I compress just the UDP and RTP headers prior to IPSec, does that work? Can I do better and get compression of the IP header as well?

Question information

Language: English
Status: Answered
For: rohc
Assignee: No assignee
Didier Barvaux (didier-barvaux) said :
#1

Matthew,

> So how would you go about tackling this problem, what do you think my
> options are?
>
> Do I compress just the UDP and RTP headers prior to IPSec, does that
> work? Can I do better and get compression of the IP header as well?

When using the tunnel mode of IPsec, I think that you can compress with
ROHC at your convenience before, after, or before+after protecting the
packets with IPsec.

1/ Case "before":
     IP/UDP/RTP/data -> ROHC/data -> IP/ESP/ROHC/data

2/ Case "after":
     IP/UDP/RTP/data -> IP/ESP/encrypted(IP/UDP/RTP/data)
                     -> ROHC/encrypted(IP/UDP/RTP/data)

3/ Case "before + after":
     IP/UDP/RTP/data -> ROHC/data
                     -> IP/ESP/encrypted(ROHC/data)
                     -> ROHC/encrypted(ROHC/data)

Case 3 should provide you the best compression efficiency.

Cases 2 and 3 are not possible if you have to transmit packets
over IP network(s), except if you add some additional tunneling...

Regards,
Didier
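To make the three orderings concrete, here is an added example (editor's code, not from the original thread, the ROHC library or strongSwan) that models the on-the-wire size of one RTP packet under each case. ESP sizes follow the RFC 4303 tunnel-mode layout (outer IPv4 header, SPI and sequence number, IV, padding to the cipher block size and to 4-byte alignment, 2-byte trailer, ICV). The 160-byte payload, the two cipher parameter sets and the 3-byte steady-state ROHC header are assumptions chosen for illustration; real ROHC header sizes depend on the compressor state (an IR packet is far larger than 3 bytes).

```python
# Added example: per-packet wire size of one RTP packet for the arrangements
# discussed in the message above (IPsec only, ROHC then IPsec, IPsec then
# ROHC, both). ESP figures follow RFC 4303; the ROHC header size is an
# assumption (3 bytes in steady state).

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ROHC_SO_HDR = 3    # assumed steady-state compressed header size

# cipher name -> (IV bytes on the wire, cipher block size, ICV bytes)
CIPHERS = {
    "aes128-cbc/hmac-sha1-96": (16, 16, 12),
    "aes128-gcm-16": (8, 1, 16),
}


def esp_padding(plaintext_len: int, cipher: str) -> int:
    """Padding so that plaintext + pad + trailer is a multiple of the cipher
    block size and of 4 bytes (RFC 4303 section 2.4)."""
    _, block, _ = CIPHERS[cipher]
    align = max(block, 4)
    return (-(plaintext_len + ESP_TRAILER)) % align


def esp_tunnel_len(inner_len: int, cipher: str) -> int:
    """Bytes on the wire for an IPv4 ESP tunnel-mode packet carrying inner_len bytes."""
    iv, _, icv = CIPHERS[cipher]
    return (IPV4_HDR + ESP_HDR + iv
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER
            + icv)


def rohc_len(total_len: int, header_len: int, compressed_hdr: int = ROHC_SO_HDR) -> int:
    """ROHC replaces the header_len bytes of headers it understands by a
    compressed_hdr-byte header; everything after them is carried unchanged."""
    return compressed_hdr + (total_len - header_len)


def wire_sizes(payload_len: int, cipher: str) -> dict:
    """Wire size of one IP/UDP/RTP packet with payload_len bytes of data."""
    inner_hdr = IPV4_HDR + UDP_HDR + RTP_HDR
    plain = inner_hdr + payload_len
    ipsec_only = esp_tunnel_len(plain, cipher)
    # case 1 ("before"): ROHC compresses IP/UDP/RTP, ESP then protects ROHC/data
    case1 = esp_tunnel_len(rohc_len(plain, inner_hdr), cipher)
    # case 2 ("after"): ROHC only sees the outer IP/ESP headers (ESP profile);
    # everything from the IV onwards is ciphertext and passes through untouched
    case2 = rohc_len(ipsec_only, IPV4_HDR + ESP_HDR)
    # case 3 ("before + after"): both of the above
    case3 = rohc_len(case1, IPV4_HDR + ESP_HDR)
    return {
        "plain": plain,
        "ipsec_only": ipsec_only,
        "case1_rohc_then_ipsec": case1,
        "case2_ipsec_then_rohc": case2,
        "case3_both": case3,
    }


if __name__ == "__main__":
    # constructed input: one G.711 frame (20 ms, 160 bytes of audio)
    for name in CIPHERS:
        print(name)
        for label, size in wire_sizes(160, name).items():
            print(f"  {label:24s} {size:4d} bytes")
```

The numbers make the two points of the message above visible: in case 2 the compressor can only act on the 28 outer bytes because the inner headers are ciphertext, while in case 1 the ESP padding is recomputed over the already-compressed packet, so compressing before encryption also changes how much padding ESP adds. Cases 2 and 3 still yield a ROHC packet, not an IP packet, so they need a link or tunnel that carries ROHC.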

matthew (xcalibre0) said :
#2

Ok, I have opposite impressions about feasibility, so thank you if you can correct me (I'm sure you can).

In case 1, in order for IP/ESP to be added to the encrypted data, IPSec first needs to inspect the IP header of the data so it can pull out the original destination IP address, but in case 1 ROHC has removed that information prior to handing the data off to IPSec.

Didier Barvaux (didier-barvaux) said :
#3

Matthew,

> In case 1, in order for IP/ESP to be added to the encrypted data
> IPSec first needs to inspect the IP header of the data so it can
> pull out the original destination ip address, but in case 1 ROHC
> has removed that information prior to handing the data off to
> IPSec.

Yes, that's a problem if the IPsec tunneling packets use the same
destination IP address as the tunneled packets. However that's not
a problem if the tunnel uses another unrelated destination address.

Regards,
Didier
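One way to apply the "unrelated destination address" idea with the tools named in this thread, as an added example that is not from the original thread, from strongSwan or from the ROHC project: run the compressor inside the iprohc tunnel, so user traffic leaves the host already compressed and wrapped in an IP packet addressed from one tunnel endpoint to the other, and let strongSwan protect only that endpoint-to-endpoint traffic. The IPsec selectors then match the endpoint addresses, which ROHC never touched, and what goes on the wire is case 1 of the earlier message (IP/ESP/ROHC/data, plus whatever framing iprohc adds). The file below is a swanctl.conf fragment; the addresses 192.0.2.1 and 192.0.2.2, the identities rohc-a and rohc-b, the cipher choices and the pre-shared key are placeholders, and the iprohc-specific protocol or port is deliberately not selected on so the example does not depend on iprohc internals.

```conf
# Added example (not from strongSwan, iprohc or the thread): swanctl.conf
# protecting all traffic between the two iprohc tunnel endpoints.
# Addresses, identities and the secret are placeholders.
connections {
    rohc-link {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        proposals = aes128gcm16-prfsha256-ecp256
        local {
            auth = psk
            id = rohc-a
        }
        remote {
            auth = psk
            id = rohc-b
        }
        children {
            rohc-tunnel {
                # Transport mode reuses the iprohc packet's own IP header, so no
                # second outer IP header is added. Use "tunnel" instead if tunnel
                # mode is a hard requirement; the selectors stay the same.
                mode = transport
                local_ts  = 192.0.2.1/32
                remote_ts = 192.0.2.2/32
                esp_proposals = aes128gcm16
                start_action = start
            }
        }
    }
}

secrets {
    ike-rohc {
        id-a = rohc-a
        id-b = rohc-b
        secret = "replace-with-a-long-random-pre-shared-key"
    }
}
```

Load it with `swanctl --load-all` and check with `swanctl --list-sas` that the CHILD_SA selectors are the two endpoint addresses; a packet from the iprohc tunnel is then matched on those addresses by the kernel's IPsec policy, not on the addresses ROHC compressed away. The same arrangement also covers the concern of the message above from the other direction: because IPsec sees only the tunnel endpoints, a policy written for the original inner destinations would never match, so the selectors must name the endpoints. A pre-shared key is used here only to keep the fragment short; certificate authentication is the usual choice for anything beyond a lab.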

matthew (xcalibre0) said :
#4

Ok, well, all this being said, back to my original question. How would you proceed using the ROHC-lib technology and incorporating this with StrongSwan?

Didier Barvaux (didier-barvaux) said :
#5

Matthew,

> Ok well all this being said, back to my original question. How would you
> proceed using the ROHC-lib technology and incorporating this with
> StrongSwan?

Sorry, but I don't know how StrongSwan is designed. I cannot help you on
that part.

On the ROHC part, I encourage you to follow the tutorial [1], which will
explain to you how to create a small application using the ROHC library. There
is also the reference documentation about the library API [2].

Regards,
Didier

[1] http://rohc-lib.org/wiki/doku.php?id=library-first-application
[2] http://rohc-lib.org/#doc

matthew (xcalibre0) said :
#6

I appreciate your help in this regard and strongly appreciate the existence of this coding tutorial. However, I'm really trying to understand how the existing tools can help here, especially iprohc. I am not opposed to writing my own application, but again I do not understand where I would do this. I am not familiar with, and am having extreme difficulty finding out, what code/application is responsible for taking the IP packets that leave my netcat, processing them for IPsec and sending them out of the computer. Is anyone on the mailing list familiar with what part of the operating system is responsible for this?

Didier Barvaux (didier-barvaux) said :
#7

Matthew,

> I appreciate your help in this regard and strongly appreciate the existence
> of this coding tutorial. However, I'm really trying to understand how the
> existing tools can help here, especial the iprohc. I am not opposed to writing
> my own application but again I do not understand where I would do this. I am
> not familiar with and having extreme difficulty finding out what code/application
> is responsible for taking the ip packets that leave my netcat and then processing
> them for ipsec and sending them out the computer. Is anyone on the mailing list
> familiar with what part of the operating system is responsible for this?

The ROHC mailing list is probably not the best place for getting help on IPsec ;-)

I suggest that you ask your question on the mailing list related to your IPsec
implementation.

Regards,
Didier
