About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / networking / ipsec.txt




Custom Search

Based on kernel version 3.16. Page generated on 2014-08-06 21:40 EST.

1	
2	Here documents known IPsec corner cases which need to be keep in mind when
3	deploy various IPsec configuration in real world production environment.
4	
5	1. IPcomp: Small IP packet won't get compressed at sender, and failed on
6		   policy check on receiver.
7	
8	Quote from RFC3173:
9	2.2. Non-Expansion Policy
10	
11	   If the total size of a compressed payload and the IPComp header, as
12	   defined in section 3, is not smaller than the size of the original
13	   payload, the IP datagram MUST be sent in the original non-compressed
14	   form.  To clarify: If an IP datagram is sent non-compressed, no
15	
16	   IPComp header is added to the datagram.  This policy ensures saving
17	   the decompression processing cycles and avoiding incurring IP
18	   datagram fragmentation when the expanded datagram is larger than the
19	   MTU.
20	
21	   Small IP datagrams are likely to expand as a result of compression.
22	   Therefore, a numeric threshold should be applied before compression,
23	   where IP datagrams of size smaller than the threshold are sent in the
24	   original form without attempting compression.  The numeric threshold
25	   is implementation dependent.
26	
27	Current IPComp implementation is indeed by the book, while as in practice
28	when sending non-compressed packet to the peer(whether or not packet len
29	is smaller than the threshold or the compressed len is large than original
30	packet len), the packet is dropped when checking the policy as this packet
31	matches the selector but not coming from any XFRM layer, i.e., with no
32	security path. Such naked packet will not eventually make it to upper layer.
33	The result is much more wired to the user when ping peer with different
34	payload length.
35	
36	One workaround is try to set "level use" for each policy if user observed
37	above scenario. The consequence of doing so is small packet(uncompressed)
38	will skip policy checking on receiver side.
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.