[linux-block.git] / Documentation / networking / ipsec.rst

.. SPDX-License-Identifier: GPL-2.0

=====
IPsec
=====


Here documents known IPsec corner cases which need to be keep in mind when
deploy various IPsec configuration in real world production environment.

1. IPcomp:
	   Small IP packet won't get compressed at sender, and failed on
	   policy check on receiver.

Quote from RFC3173::

  2.2. Non-Expansion Policy

   If the total size of a compressed payload and the IPComp header, as
   defined in section 3, is not smaller than the size of the original
   payload, the IP datagram MUST be sent in the original non-compressed
   form.  To clarify: If an IP datagram is sent non-compressed, no

   IPComp header is added to the datagram.  This policy ensures saving
   the decompression processing cycles and avoiding incurring IP
   datagram fragmentation when the expanded datagram is larger than the
   MTU.

   Small IP datagrams are likely to expand as a result of compression.
   Therefore, a numeric threshold should be applied before compression,
   where IP datagrams of size smaller than the threshold are sent in the
   original form without attempting compression.  The numeric threshold
   is implementation dependent.

Current IPComp implementation is indeed by the book, while as in practice
when sending non-compressed packet to the peer (whether or not packet len
is smaller than the threshold or the compressed len is larger than original
packet len), the packet is dropped when checking the policy as this packet
matches the selector but not coming from any XFRM layer, i.e., with no
security path. Such naked packet will not eventually make it to upper layer.
The result is much more wired to the user when ping peer with different
payload length.

One workaround is try to set "level use" for each policy if user observed
above scenario. The consequence of doing so is small packet(uncompressed)
will skip policy checking on receiver side.
Commit	Line	Data
355e656e MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	=====
	4	IPsec
	5	=====
	6
b3c6efbc FD	7
	8	Here documents known IPsec corner cases which need to be keep in mind when
	9	deploy various IPsec configuration in real world production environment.
	10
355e656e MCC	11	1. IPcomp:
355e656e MCC	12	Small IP packet won't get compressed at sender, and failed on
b3c6efbc FD	13	policy check on receiver.
b3c6efbc FD	14
355e656e MCC	15	Quote from RFC3173::
	16
	17	2.2. Non-Expansion Policy
b3c6efbc FD	18
	19	If the total size of a compressed payload and the IPComp header, as
	20	defined in section 3, is not smaller than the size of the original
	21	payload, the IP datagram MUST be sent in the original non-compressed
	22	form. To clarify: If an IP datagram is sent non-compressed, no
	23
	24	IPComp header is added to the datagram. This policy ensures saving
	25	the decompression processing cycles and avoiding incurring IP
	26	datagram fragmentation when the expanded datagram is larger than the
	27	MTU.
	28
	29	Small IP datagrams are likely to expand as a result of compression.
	30	Therefore, a numeric threshold should be applied before compression,
	31	where IP datagrams of size smaller than the threshold are sent in the
	32	original form without attempting compression. The numeric threshold
	33	is implementation dependent.
	34
	35	Current IPComp implementation is indeed by the book, while as in practice
bb38ccce OG	36	when sending non-compressed packet to the peer (whether or not packet len
bb38ccce OG	37	is smaller than the threshold or the compressed len is larger than original
b3c6efbc FD	38	packet len), the packet is dropped when checking the policy as this packet
	39	matches the selector but not coming from any XFRM layer, i.e., with no
	40	security path. Such naked packet will not eventually make it to upper layer.
	41	The result is much more wired to the user when ping peer with different
	42	payload length.
	43
	44	One workaround is try to set "level use" for each policy if user observed
	45	above scenario. The consequence of doing so is small packet(uncompressed)
	46	will skip policy checking on receiver side.