.. SPDX-License-Identifier: GPL-2.0

=====
IPsec
=====

This document records known IPsec corner cases that need to be kept in mind
when deploying various IPsec configurations in real-world production
environments.

1. IPComp: small IP packets are not compressed at the sender and then fail
   the policy check at the receiver.

   Quote from RFC 3173::

     2.2. Non-Expansion Policy

     If the total size of a compressed payload and the IPComp header, as
     defined in section 3, is not smaller than the size of the original
     payload, the IP datagram MUST be sent in the original non-compressed
     form. To clarify: If an IP datagram is sent non-compressed, no
     IPComp header is added to the datagram. This policy ensures saving
     the decompression processing cycles and avoiding incurring IP
     datagram fragmentation when the expanded datagram is larger than the
     MTU.

     Small IP datagrams are likely to expand as a result of compression.
     Therefore, a numeric threshold should be applied before compression,
     where IP datagrams of size smaller than the threshold are sent in the
     original form without attempting compression. The numeric threshold
     is implementation dependent.

   The current IPComp implementation is indeed by the book, but in practice,
   when a packet is sent to the peer uncompressed (either because its length
   is below the threshold or because the compressed length would not be
   smaller than the original), the receiver drops it during the inbound
   policy check: the packet matches the policy selector but did not come
   through any XFRM transform, i.e. it has no security path (secpath). Such a
   naked packet never makes it to the upper layer. To the user the result is
   puzzling: pinging the peer succeeds or fails depending on the payload
   length.

   One workaround, if the above scenario is observed, is to set ``level use``
   on the IPComp template of each policy (the ``level`` keyword of
   ``ip xfrm policy``, whose default is ``required``). The consequence is
   that small (uncompressed) packets skip the policy check on the receiver
   side: a packet matching the selector is accepted even though it did not
   pass through the IPComp transform, so the policy no longer enforces that
   transform for the traffic. When IPComp is stacked with ESP, leave the ESP
   template at ``level required`` so that only the compression becomes
   optional, not the protection.
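The two paths that produce a naked packet, and why a ``required`` template drops it while ``use`` lets it through, as an added Python model (this is illustration code written for this page, not the kernel's xfrm code or the project's own). It assumes a non-expansion threshold of 90 bytes, CPI 0x1234 and ICMP as the inner protocol, all made up for the example, and uses raw DEFLATE as RFC 2394 specifies for IPComp; the ping payloads are constructed stand-ins for ``ping -s <n>``.

```python
"""Model of the IPComp corner case described above.

Added illustration, not kernel code: a hypothetical sender applying the
RFC 3173 non-expansion policy, a receiver that records which transforms a
packet actually passed through (its 'secpath'), and the inbound policy
check with 'required' versus 'use' template levels.
"""
import struct
import zlib

IPPROTO_COMP = 108              # IP protocol number for IPComp (RFC 3173)
IPCOMP_HDR_LEN = 4              # next header (1) + flags (1) + CPI (2), RFC 3173 section 3
NON_EXPANSION_THRESHOLD = 90    # assumed value; the RFC leaves it implementation dependent
NEXT_HEADER_ICMP = 1
CPI = 0x1234                    # assumed compression parameter index


def ipcomp_send(payload: bytes, next_header: int = NEXT_HEADER_ICMP, cpi: int = CPI):
    """Sender: return (ip_protocol, data) as it would appear on the wire.

    Two paths lead to an uncompressed ('naked') packet: the payload is below
    the threshold, or compressing it would not shrink it (RFC 3173 section 2.2).
    """
    if len(payload) < NON_EXPANSION_THRESHOLD:
        return next_header, payload
    comp = zlib.compressobj(level=9, wbits=-15)   # raw DEFLATE, as RFC 2394 requires
    compressed = comp.compress(payload) + comp.flush()
    if IPCOMP_HDR_LEN + len(compressed) >= len(payload):
        return next_header, payload                # MUST be sent in original form
    hdr = struct.pack("!BBH", next_header, 0, cpi)
    return IPPROTO_COMP, hdr + compressed


def ipcomp_receive(ip_protocol: int, data: bytes, cpi: int = CPI):
    """Receiver: return (payload, secpath).

    secpath lists the XFRM transforms the packet really went through; a packet
    that arrives uncompressed never touches the IPComp state, so it is empty.
    """
    if ip_protocol != IPPROTO_COMP:
        return data, []
    _next_header, _flags, pkt_cpi = struct.unpack("!BBH", data[:IPCOMP_HDR_LEN])
    if pkt_cpi != cpi:
        raise ValueError(f"no IPComp state for CPI {pkt_cpi:#x}")
    decomp = zlib.decompressobj(wbits=-15)
    payload = decomp.decompress(data[IPCOMP_HDR_LEN:]) + decomp.flush()
    return payload, [("comp", cpi)]


def policy_check(secpath, templates) -> bool:
    """Inbound policy check.

    templates is a list of (proto, level). Every 'required' template must be
    matched by a secpath entry of the same protocol; a 'use' template may be
    missing, which is exactly what lets the naked packet through.
    """
    seen = {proto for proto, _ in secpath}
    for proto, level in templates:
        if proto not in seen and level == "required":
            return False
    return True


def deliver(payload: bytes, templates) -> str:
    """End-to-end: sender -> wire -> receiver -> policy check -> verdict."""
    proto, data = ipcomp_send(payload)
    recovered, secpath = ipcomp_receive(proto, data)
    assert recovered == payload
    return "delivered" if policy_check(secpath, templates) else "dropped"


REQUIRED = [("comp", "required")]   # policy written with the default level
USE = [("comp", "use")]             # the workaround from the text


if __name__ == "__main__":
    # Constructed payloads standing in for ping -s <n>: the default 56-byte
    # payload, 256 incompressible bytes, and 1400 highly compressible bytes.
    for size, payload in ((56, bytes(range(56))), (256, bytes(range(256))), (1400, bytes(1400))):
        proto, data = ipcomp_send(payload)
        print(f"ping -s {size}: proto={proto} wire_len={len(data)} "
              f"required={deliver(payload, REQUIRED)} use={deliver(payload, USE)}")
```

The 56-byte and 256-byte payloads leave the sender without an IPComp header (below the threshold, and not shrinkable, respectively), arrive with an empty secpath and are dropped under ``required`` but delivered under ``use``; the 1400-byte payload is compressed and delivered either way, which is the size-dependent ping behaviour the text describes. ``policy_check`` also shows the caveat for stacked policies: with ``[("esp", "required"), ("comp", "use")]`` a packet whose secpath lacks ESP is still rejected, so only the compression template is relaxed.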