xref: /linux/Documentation/networking/ipsec.rst (revision a06c3fad49a50d5d5eb078f93e70f4d3eca5d5a5)
1.. SPDX-License-Identifier: GPL-2.0
2
3=====
4IPsec
5=====
6
7
8Here documents known IPsec corner cases which need to be keep in mind when
9deploy various IPsec configuration in real world production environment.
10
111. IPcomp:
12	   Small IP packet won't get compressed at sender, and failed on
13	   policy check on receiver.
14
15Quote from RFC3173::
16
17  2.2. Non-Expansion Policy
18
19   If the total size of a compressed payload and the IPComp header, as
20   defined in section 3, is not smaller than the size of the original
21   payload, the IP datagram MUST be sent in the original non-compressed
22   form.  To clarify: If an IP datagram is sent non-compressed, no
23
24   IPComp header is added to the datagram.  This policy ensures saving
25   the decompression processing cycles and avoiding incurring IP
26   datagram fragmentation when the expanded datagram is larger than the
27   MTU.
28
29   Small IP datagrams are likely to expand as a result of compression.
30   Therefore, a numeric threshold should be applied before compression,
31   where IP datagrams of size smaller than the threshold are sent in the
32   original form without attempting compression.  The numeric threshold
33   is implementation dependent.
34
35Current IPComp implementation is indeed by the book, while as in practice
36when sending non-compressed packet to the peer (whether or not packet len
37is smaller than the threshold or the compressed len is larger than original
38packet len), the packet is dropped when checking the policy as this packet
39matches the selector but not coming from any XFRM layer, i.e., with no
40security path. Such naked packet will not eventually make it to upper layer.
41The result is much more wired to the user when ping peer with different
42payload length.
43
44One workaround is try to set "level use" for each policy if user observed
45above scenario. The consequence of doing so is small packet(uncompressed)
46will skip policy checking on receiver side.
47