RE: IPCOMP and Tunnel Mode
Bob Monsour <rmonsour@hifn.com> Thu, 20 August 1998 22:18 UTC
Return-Path: rmonsour@hifn.com
Received: from hubbub.cisco.com (mailgate-sj-1.cisco.com [198.92.30.31]) by ftp-eng.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id PAA19781 for <ippcp-archive-file@ftp-eng.cisco.com>; Thu, 20 Aug 1998 15:18:11 -0700 (PDT)
Received: from kickme.cisco.com (kickme.cisco.com [198.92.30.42]) by hubbub.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with ESMTP id GAA20001 for <ippcp-archive-file@ftp-eng.cisco.com>; Thu, 20 Aug 1998 06:59:47 -0700 (PDT)
Received: from hubbub.cisco.com (mailgate-sj-1.cisco.com [198.92.30.31]) by kickme.cisco.com (8.9.1a/8.9.1) with ESMTP id GAA20133 for <extdom.ippcp@aliashost.cisco.com>; Thu, 20 Aug 1998 06:59:29 -0700 (PDT)
Received: from sj-mailhub-2.cisco.com (sj-mailhub-2.cisco.com [171.69.43.88]) by hubbub.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with ESMTP id GAA19995 for <ippcp@external.cisco.com>; Thu, 20 Aug 1998 06:59:06 -0700 (PDT)
Received: from proxy1.cisco.com (proxy1.cisco.com [192.31.7.88]) by sj-mailhub-2.cisco.com (8.9.1a/8.9.1) with ESMTP id HAA02014 for <ippcp@external.cisco.com>; Thu, 20 Aug 1998 07:00:36 -0700 (PDT)
Received: (from smap@localhost) by proxy1.cisco.com (8.8.7/8.8.5) id GAA28062 for <ippcp@external.cisco.com>; Thu, 20 Aug 1998 06:59:05 -0700 (PDT)
Received: from mailman.hifn.com(206.19.120.66) by proxy1.cisco.com via smap (V2.0) id xma028044; Thu, 20 Aug 98 13:58:59 GMT
X-SMAP-Received-From: outside
Received: by tbu1.hifn.com with Internet Mail Service (5.0.1458.49) id <NZCY8W6W>; Thu, 20 Aug 1998 07:01:00 -0700
Message-ID: <6297CD447F92D11199F5006097BA9D1E18632F@tbu1.hifn.com>
From: Bob Monsour <rmonsour@hifn.com>
To: Tim Jenkins <tjenkins@TimeStep.com>, Avram Shacham <shacham@cisco.com>
Cc: ipsec@tis.com, ippcp@external.cisco.com
Subject: RE: IPCOMP and Tunnel Mode
Date: Thu, 20 Aug 1998 07:00:56 -0700
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain; charset="iso-8859-1"
Tim, see the data we published in http://www.ietf.org/internet-drafts/draft-ietf-ippcp-lzs-04.txt. Using the Calgary corpus, combining all of the files and treating the total as a series of packets, for 512 byte packets the average compression ratio was 1.58:1. All sorts of arguments can and will be made about what's the right set of data. People throw up web traffic as one example, others choose different data, but my view is that over time, in a vpn environment, you'll see more data that looks like LAN traffic as companies connect their distant LANs over the internet or other managed IP service. Also, the -06 draft was indeed advanced to Proposed Standard on 8/5. -Bob -----Original Message----- From: Tim Jenkins [mailto:tjenkins@TimeStep.com] Sent: Thursday, August 20, 1998 5:09 AM To: Avram Shacham Cc: ipsec@tis.com; ippcp@external.cisco.com Subject: RE: IPCOMP and Tunnel Mode The attempt to avoid possible fragmentation is a good one (your wording will is too strong), however: 1) No compression occurs for small packet sizes (below the threshold of the particular algorithm) 2) We're talking IPSec tunnel mode, which has to add another IP header, so the packet's going to grow anyway 3) The IPComp header is 4 bytes. Thus, the net increase is 24 bytes. If we assume that the smallest MTU in the network is 576 bytes, that means that packets that don't get compressed that are 552 bytes to 556 bytes in size will cause fragmentation under these conditions. What is the probability that there will be no compression of packets of that size? Does someone have any statistics on the probability of larger packets expanding during compression, thus not being compressed, so that this can be used as part of this discussion? On the issue of the flags: The bits are there. If they can be made to provide some useful purpose, they should. I note that this document (draft-ietf-ippcp-protocol-06.txt) was *not* one of those advanced to Proposed Standard. The document also states that the flag bits are reserved for future use. Perhaps this could be a future use. This discussion is based on the trade-offs between performance at the network level (possible fragmentation) and performance at the computational level (inconsistent implementation). Given equal probability of impacting both, I would design in favour of the network. However, in this case, I don't know that the probabilities favour the network. --- Tim Jenkins TimeStep Corporation tjenkins@timestep.com http://www.timestep.com (613) 599-3610 x4304 Fax: (613) 599-3617 -----Original Message----- From: Avram Shacham [mailto:shacham@cisco.com] Sent: Wednesday, August 19, 1998 10:32 PM To: Tim Jenkins Cc: ipsec@tis.com; ippcp@external.cisco.com Subject: Re: IPCOMP and Tunnel Mode Tim, At 04:03 PM 8/19/98 -0400, Tim Jenkins wrote: I have some concerns about one of the requirements of the IPCOMP draft. It states that if no compression is actually done, no IPCOMP header should be added. While this may be fine in transport mode, it leads to the appearance of an IP-in-IP packet in tunnel mode. This concerns me, since it seems that the only way to be sure that the inbound IPCOMP SA should handle packet is to perform an SA lookup to see if it should have been compressed. (Issues of policy verification on inbound packets are intentionally left out of this discussion.) This leads to inconsistent processing of inbound SAs. As an alternative, I implemented using one of the flag bits to indicate that there was no compression and left the IPCOMP header in. This allowed a consistent lookup on inbound processing for an SA based on SPI (or the IPCOMP equivalent). I have also implemented the policy lookup method, and the full-time use of the IPCOMP header was much cleaner... Comments encouraged (although I doubt most of you need that...) :-) The draft (rfc?) (sorry Dan, I could not avoid following your style :), while defining the non-expansion policy, explains the reason for not adding the IPCOMP header in that scenario (see the marked lines): 2.2. Non-Expansion Policy If the total size of a compressed ULP payload and the IPComp header, as defined in section 3, is not smaller than the size of the original ULP payload, the IP datagram MUST be sent in the original non-compressed form. To clarify: If an IP datagram is sent non-compressed, no IPComp header is added to the datagram. This | policy ensures saving the decompression processing cycles and | avoiding incurring IP datagram fragmentation when the expanded | datagram is larger than MTU. In other words, when the size of a non-compressible packet is MTU, your suggestion to add the IPCOMP header will cause packet fragmentation. The wg debated having always an IPCOMP header, even when the packet in sent without compression. As such policy is actually equivalent to lowering the MTU by four octets, the wg decided to reject this proposal. In addition, your implementation does not comply with the requirement to set the flags field to zero: 3.3. IPComp Header Structure [snip] Flags 8-bit field. Reserved for future use. MUST be set to zero. MUST be ignored by the receiving node. As for the implementation issues that you raised, there were several interoperable stacks with IPComp in the bake-off last March, so working draft-compliant solutions do exist. Regards, avram
- RE: IPCOMP and Tunnel Mode Tim Jenkins
- RE: IPCOMP and Tunnel Mode Bob Monsour
- Re: IPCOMP and Tunnel Mode Avram Shacham
- RE: IPCOMP and Tunnel Mode Paul Koning