Re: some questions about IPComp
Avram Shacham <shacham@cisco.com> Sun, 22 March 1998 22:14 UTC
Return-Path: shacham@cisco.com
Received: from bubbuh.cisco.com (bubbuh.cisco.com [198.92.30.35]) by ftp-eng.cisco.com (8.8.5-Cisco.1/8.6.5) with ESMTP id OAA00416 for <ippcp-archive-file@ftp-eng.cisco.com>; Sun, 22 Mar 1998 14:14:52 -0800 (PST)
Received: from pita.cisco.com (pita.cisco.com [171.71.68.13]) by bubbuh.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with ESMTP id OAA18190 for <ippcp@external.cisco.com>; Sun, 22 Mar 1998 14:14:26 -0800 (PST)
Received: from shacham-home-pc-4.cisco.com (shacham-home-pc-4.cisco.com [171.69.149.181]) by pita.cisco.com (8.8.5-Cisco.1/8.6.5) with SMTP id OAA16436; Sun, 22 Mar 1998 14:14:22 -0800 (PST)
Message-Id: <2.2.32.19980322221326.00684934@pita.cisco.com>
X-Sender: shacham@pita.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 22 Mar 1998 14:13:26 -0800
To: Xuechen Yang <xuechen@osgroup.com>
From: Avram Shacham <shacham@cisco.com>
Subject: Re: some questions about IPComp
Cc: Jeffrey Goodwin <jeffg@osgroup.com>, ippcp@external.cisco.com
Xuechen, At 01:54 PM 3/22/98 -0600, Xuechen Yang wrote: >Hello all, > >I'm a software engineer from Ashley Laurent. I'm working on IPSec and IPComp >software solution based on NT and Unix. > >I got a few questions about IPComp: > >(1) Why IPComp can only work in transport mode? > >Although the draft doesn't say anything about "Tunnel mode" or "Transport >mode", it implies that IPComp cannot be applied in tunnel mode. I understand >working in tunnel mode will introduce more overhead for compression, which >is not the good for IPComp. But IPComp will face the same problem that AH >and ESP (transport mode) have. You cannot use it for the communication >between IPComp gateways, or between remote host and IPComp gateway; unless >combine IPComp with tunnel mode AH or ESP. rfc-2003 "IP Encapsulation within IP" clearly defines how to "tunnel." To implement IPComp "tunnel", first apply rfc-2003 and then IPComp. The steps are original datagram IP ULP rfc-2003 IP IP ULP IPComp IP IPCOMP IP ULP >(2) Why compression must be applied before encryption? > >Well, I understand this rule makes the architecture more clean and easy to >implement. (From my viewpoint, it will be more flexible if the >implementation can process IPSec and IPComp in any order. ) But is that >possible that under certain situation, applying compression after encryption >may gain higher compression ratio? <draft-ietf-ippcp-protocol-05.txt> states: 1. Introduction [...] IP payload compression is especially useful when encryption is applied to IP datagrams. Encrypting the IP datagram causes the data to be random in nature, rendering compression at lower protocol layers (e.g., PPP Compression Control Protocol [RFC-1962]) ineffective. If both compression and encryption are required, compression MUST be applied before encryption. >Let's say the upper transport sends down >a non-compressible payload (could have been compressed already, or might be >a JPG image or MPEG clip), it won't do any good if applying compression >again. Then skip compression and do encryption according to local security >policy. So how about compressing the data after encryption since the >encryption makes the data more random? Maybe even worse, since every byte >becomes more independent and unpredictable. Just a thought. >I'm not an expert on encryption and compression, I just thought it's >interesting. As for previously compressed payloads, compression at L3 will fail. The document provides a recommendation to avoid the performance hit by applying an adaptive algorithm: 2.2. Non-Expansion Policy [...] An IP datagram with payload that has been previously compressed tends not to compress any further. The previously compressed payload may be the result of external processes, such as compression applied by an upper layer in the communication stack, or by an off-line compression utility. An adaptive algorithm should be implemented to avoid the performance hit. For example, if the compression of i consecutive IP datagrams of an IPCA fails, the next k IP datagrams are sent without attempting compression. If the next j datagrams are also failing to compress, the next k+n datagrams are sent without attempting compression. Once a datagram is compressed successfully, the normal process of IPComp restarts. Such an adaptive algorithm, including all the related thresholds, is implementation dependent. avram
- Re: some questions about IPComp Avram Shacham