[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPCOMP and Tunnel Mode

To: Tim Jenkins <tjenkins@TimeStep.com>, Avram Shacham <shacham@cisco.com>
Subject: RE: IPCOMP and Tunnel Mode
From: Bob Monsour <rmonsour@hifn.com>
Date: Thu, 20 Aug 1998 07:00:56 -0700
Cc: ipsec@tis.com, ippcp@external.cisco.com
Sender: owner-ipsec@ex.tis.com

Tim, see the data we published in
http://www.ietf.org/internet-drafts/draft-ietf-ippcp-lzs-04.txt. Using
the Calgary corpus, combining all of the files and treating the total as
a series of packets, for 512 byte packets the average compression ratio
was 1.58:1. All sorts of arguments can and will be made about what's the
right set of data. People throw up web traffic as one example, others
choose different data, but my view is that over time, in a vpn
environment, you'll see more data that looks like LAN traffic as
companies connect their distant LANs over the internet or other managed
IP service.

Also, the -06 draft was indeed advanced to Proposed Standard on 8/5.

-Bob

-----Original Message-----
From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
Sent: Thursday, August 20, 1998 5:09 AM
To: Avram Shacham
Cc: ipsec@tis.com; ippcp@external.cisco.com
Subject: RE: IPCOMP and Tunnel Mode


The attempt to avoid possible fragmentation is a good one (your wording
will is too strong), however:
1) No compression occurs for small packet sizes (below the threshold of
the particular algorithm)
2) We're talking IPSec tunnel mode, which has to add another IP header,
so the packet's going to grow anyway
3) The IPComp header is 4 bytes.

Thus, the net increase is 24 bytes. If we assume that the smallest MTU
in the network is 576 bytes, that means that packets that don't get
compressed that are 552 bytes to 556 bytes in size will cause
fragmentation under these conditions. What is the probability that there
will be no compression of packets of that size?

Does someone have any statistics on the probability of larger packets
expanding during compression, thus not being compressed, so that this
can be used as part of this discussion?

On the issue of the flags: The bits are there. If they can be made to
provide some useful purpose, they should. I note that this document
(draft-ietf-ippcp-protocol-06.txt) was *not* one of those advanced to
Proposed Standard. The document also states that the flag bits are
reserved for future use. Perhaps this could be a future use.

This discussion is based on the trade-offs between performance at the
network level (possible fragmentation) and performance at the
computational level (inconsistent implementation). Given equal
probability of impacting both, I would design in favour of the network.
However, in this case, I don't know that the probabilities favour the
network.
--- 
Tim Jenkins TimeStep Corporation 
tjenkins@timestep.com http://www.timestep.com 
(613) 599-3610 x4304 Fax: (613) 599-3617 

-----Original Message-----
From: Avram Shacham [mailto:shacham@cisco.com]
Sent: Wednesday, August 19, 1998 10:32 PM
To: Tim Jenkins
Cc: ipsec@tis.com; ippcp@external.cisco.com
Subject: Re: IPCOMP and Tunnel Mode


Tim, 


At 04:03 PM 8/19/98 -0400, Tim Jenkins wrote: 
 


I have some concerns about one of the requirements of the IPCOMP draft.
It states that if no compression is actually done, no IPCOMP header
should be added. While this may be fine in transport mode, it leads to
the appearance of an IP-in-IP packet in tunnel mode. 


This concerns me, since it seems that the only way to be sure that the
inbound IPCOMP SA should handle packet is to perform an SA lookup to see
if it should have been compressed. (Issues of policy verification on
inbound packets are intentionally left out of this discussion.) This
leads to inconsistent processing of inbound SAs. 


As an alternative, I implemented using one of the flag bits to indicate
that there was no compression and left the IPCOMP header in. This
allowed a consistent lookup on inbound processing for an SA based on SPI
(or the IPCOMP equivalent). I have also implemented the policy lookup
method, and the full-time use of the IPCOMP header was much cleaner... 


Comments encouraged (although I doubt most of you need that...) :-) 


The draft (rfc?) (sorry Dan, I could not avoid following your style :),
while defining the non-expansion policy, explains the reason for not
adding the IPCOMP header in that scenario (see the marked lines): 


2.2. Non-Expansion Policy 


If the total size of a compressed ULP payload and the IPComp header, 
as defined in section 3, is not smaller than the size of the original 
ULP payload, the IP datagram MUST be sent in the original 
non-compressed form. To clarify: If an IP datagram is sent 
non-compressed, no IPComp header is added to the datagram. This 
| policy ensures saving the decompression processing cycles and 
| avoiding incurring IP datagram fragmentation when the expanded 
| datagram is larger than MTU. 


In other words, when the size of a non-compressible packet is MTU, your
suggestion to add the IPCOMP header will cause packet fragmentation. 


The wg debated having always an IPCOMP header, even when the packet in
sent without compression. As such policy is actually equivalent to
lowering the MTU by four octets, the wg decided to reject this proposal.



In addition, your implementation does not comply with the requirement to
set the flags field to zero: 


3.3. IPComp Header Structure 


[snip] 


Flags 


8-bit field. Reserved for future use. MUST be set to zero. 
MUST be ignored by the receiving node. 


As for the implementation issues that you raised, there were several
interoperable stacks with IPComp in the bake-off last March, so working
draft-compliant solutions do exist. 


Regards, 
avram

Prev by Date: Commercially available secure units
Next by Date: Re: password-based authentication
Prev by thread: RE: IPCOMP and Tunnel Mode
Next by thread: Certificates, CRLs and Security Associations
Index(es):
- Main
- Thread