
TOMOYO Linux Cross Reference
Linux/Documentation/networking/ipsec.rst


.. SPDX-License-Identifier: GPL-2.0

=====
IPsec
=====


This document collects known IPsec corner cases that need to be kept in mind
when deploying IPsec configurations in real-world production environments.

1. IPComp:
           Small IP packets are not compressed at the sender and then fail
           the policy check at the receiver.

Quote from RFC3173::

  2.2. Non-Expansion Policy

   If the total size of a compressed payload and the IPComp header, as
   defined in section 3, is not smaller than the size of the original
   payload, the IP datagram MUST be sent in the original non-compressed
   form.  To clarify: If an IP datagram is sent non-compressed, no
   IPComp header is added to the datagram.  This policy ensures saving
   the decompression processing cycles and avoiding incurring IP
   datagram fragmentation when the expanded datagram is larger than the
   MTU.

   Small IP datagrams are likely to expand as a result of compression.
   Therefore, a numeric threshold should be applied before compression,
   where IP datagrams of size smaller than the threshold are sent in the
   original form without attempting compression.  The numeric threshold
   is implementation dependent.

The current IPComp implementation follows the RFC. In practice, however,
whenever an uncompressed packet is sent to the peer (either because the
packet length is below the threshold or because the compressed length is
not smaller than the original), the receiver drops it at the policy check:
the packet matches the policy selector but did not come through any XFRM
state, i.e., it has no security path. Such a naked packet never makes it
to the upper layer. To the user this looks strange: pinging the peer
succeeds or fails depending on the payload length.

One workaround, if this scenario is observed, is to set "level use" on the
IPComp template of each affected policy instead of the default "level
required". The consequence is that small (uncompressed) packets pass the
policy check on the receiver side even though they did not go through
IPComp, and are accepted as plain IP. This is acceptable for IPComp on its
own, which provides compression and no security service; do not relax an
ESP or AH template the same way, since that would let matching unprotected
traffic through.
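
The workaround as concrete iproute2 commands. This is an added example and
not part of the kernel documentation: the peer addresses, the CPIs and the
use of the deflate algorithm are assumed placeholder values, and nothing is
applied unless ``APPLY=1`` is set and the script runs as root. It generates
the same transport-mode IPComp SA pair twice, once with the default template
level ``required`` (where the small uncompressed packets are dropped by the
receiver) and once with ``level use``, followed by the probes that expose
the difference:

```shell
#!/bin/sh
# Added example (not from the kernel documentation): generate, and optionally
# apply, the "ip xfrm" state and policy commands for a transport-mode IPComp
# SA, with the default template level "required" and with "level use".
#
# Assumed, hypothetical values: local peer 10.0.0.1, remote peer 10.0.0.2,
# CPIs 0x1234/0x1235 (for proto comp the spi field carries the CPI), deflate.
# Run on each peer with LOCAL/REMOTE swapped. Without APPLY=1 it only prints.

LOCAL=${LOCAL:-10.0.0.1}
REMOTE=${REMOTE:-10.0.0.2}
CPI_OUT=${CPI_OUT:-0x1234}
CPI_IN=${CPI_IN:-0x1235}

# One IPComp SA (xfrm state) for one direction: $1 = src, $2 = dst, $3 = cpi
ipcomp_state_cmd() {
    printf 'ip xfrm state add src %s dst %s proto comp spi %s mode transport comp deflate\n' \
        "$1" "$2" "$3"
}

# One policy for one direction: $1 = dir (in|out), $2 = src, $3 = dst,
# $4 = template level. With "required" a matching packet that did not pass
# through the IPComp SA is dropped; with "use" it is accepted as plain IP.
ipcomp_policy_cmd() {
    printf 'ip xfrm policy add src %s/32 dst %s/32 dir %s tmpl src %s dst %s proto comp mode transport level %s\n' \
        "$2" "$3" "$1" "$2" "$3" "$4"
}

# Full command set for this host with the given template level.
ipcomp_config() {
    level=$1
    ipcomp_state_cmd "$LOCAL" "$REMOTE" "$CPI_OUT"
    ipcomp_state_cmd "$REMOTE" "$LOCAL" "$CPI_IN"
    ipcomp_policy_cmd out "$LOCAL" "$REMOTE" "$level"
    ipcomp_policy_cmd in  "$REMOTE" "$LOCAL" "$level"
}

# Probes to run after applying: a tiny payload stays uncompressed (no IPComp
# header) and with "required" gets no reply, a large compressible payload
# goes through the SA and is answered. The per-SA packet counters and the
# XfrmIn* counters show where the small packets went.
ipcomp_probe_cmds() {
    printf 'ping -c 3 -s 16 %s\n'   "$REMOTE"   # below the compression threshold
    printf 'ping -c 3 -s 1400 %s\n' "$REMOTE"   # compressed, carries an IPComp header
    printf 'ip -s xfrm state\n'
    printf 'cat /proc/net/xfrm_stat\n'
}

if [ "${APPLY:-0}" = 1 ]; then
    ipcomp_config "${LEVEL:-use}" | sh -e
else
    echo '# default template level (small uncompressed packets dropped at the receiver):'
    ipcomp_config required
    echo '# workaround from the text (small uncompressed packets accepted as plain IP):'
    ipcomp_config use
    echo '# probes to run after applying one of the above:'
    ipcomp_probe_cmds
fi
```

On a host that already has the ``required`` policies installed, the same
``ip xfrm policy`` line with ``update`` in place of ``add`` and ``level use``
in the template changes the level in place without touching the SAs.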
