IPComp - IP Payload Compression Protocol
IPComp is enabled with the following sysctl(3) variable in /etc/sysctl.conf:
    net.inet.ipcomp.enable
IPComp is a protocol used to reduce the size of IP datagrams. It can be used to enhance the communication performance between a pair of hosts/gateways, especially on slow links, by compressing the datagrams, provided the communicating entities have enough computation power.
This protocol is especially useful when encryption or authentication is applied to IP datagrams using the IPsec protocol (see ipsec(4) for more information about IPsec). Encrypting information increases its entropy to the point where compression at a lower layer becomes completely useless (e.g., the PPP Compression Control Protocol). IPComp is applied at the network layer before other encryption operations are applied (except encryption protocols applied at a higher layer such as ssh(1) or ssl(8)).
Just as for the other IPsec protocols, IPComp needs some parameters for each connection, specifying how the compression should be done between the entities. The parameters are collected in a structure called an IPComp Association or IPCA. The parameters stored in an IPCA are the destination address and the Compression Parameter Index (CPI). An IPCA is the counterpart of the SA (Security Association) for IPsec.
Currently, IPCAs can be created using the ipsecadm(8) tool. Using ipsecadm(8) it is also possible to create IPComp flows and SA/IPCA bundles. Such a bundle is used to create a combination of IPsec and IPComp flows (thus enabling compression in an IPsec protocol).
The compression is done on the data following the IP header, and an IPComp header is inserted between the compressed data and the IP header. In the case of IPv6, there are extension headers which cannot be compressed since they are modified by routers along the way to the destination. These extension headers are hop-by-hop, routing, and fragmentation.
When doing compression, it is possible that the uncompressed data is smaller in size than the compressed data. To avoid this behaviour, a non-expansion policy is used in IPComp. If the data payload is smaller than a given threshold, it will not be compressed and no IPComp header will be inserted.
IPComp uses the same policy framework as IPsec. However, unlike IPsec, only one policy is available for IPComp:
    IPSEC_LEVEL_USE    Use IPComp for sending packets but still accept packets which are not compressed.
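
The header placement, non-expansion policy and IPSEC_LEVEL_USE behaviour described above, as an added Python sketch (not OpenBSD's kernel code). The 4-byte header layout, protocol number 108 and DEFLATE CPI 2 follow RFC 3173; the 90-byte threshold, the 65535-byte output bound and the function names are assumptions.

```python
import struct
import zlib

IPPROTO_IPCOMP = 108   # IP protocol number assigned to IPComp
CPI_DEFLATE = 2        # well-known CPI for DEFLATE (RFC 3173)
THRESHOLD = 90         # assumed minimum payload size worth compressing
MAX_INFLATED = 65535   # assumed upper bound on a decompressed payload


def ipcomp_output(proto, payload, cpi=CPI_DEFLATE, threshold=THRESHOLD):
    """Return (protocol, bytes) to place directly after the IP header."""
    if len(payload) < threshold:
        return proto, payload                    # too small: no IPComp header
    c = zlib.compressobj(wbits=-15)              # raw DEFLATE, no zlib wrapper
    body = c.compress(payload) + c.flush()
    header = struct.pack("!BBH", proto, 0, cpi)  # next header, flags, CPI
    if len(header) + len(body) >= len(payload):
        return proto, payload                    # would expand: send as-is
    return IPPROTO_IPCOMP, header + body


def ipcomp_input(proto, data, known_cpis=(CPI_DEFLATE,)):
    """Accept compressed and uncompressed packets alike (IPSEC_LEVEL_USE)."""
    if proto != IPPROTO_IPCOMP:
        return proto, data                       # not compressed: pass through
    if len(data) < 4:
        raise ValueError("truncated IPComp header")
    next_proto, _flags, cpi = struct.unpack("!BBH", data[:4])
    if cpi not in known_cpis:
        raise ValueError("no IPCA for CPI %d" % cpi)
    d = zlib.decompressobj(wbits=-15)
    # Cap the output so a tiny packet cannot inflate without limit.
    payload = d.decompress(data[4:], MAX_INFLATED + 1)
    if len(payload) > MAX_INFLATED or not d.eof:
        raise ValueError("oversized or truncated compressed payload")
    return next_proto, payload


if __name__ == "__main__":
    # Constructed sample payload: repetitive text compresses well.
    text = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n" * 8
    proto, wire = ipcomp_output(6, text)
    print(proto, len(text), "->", len(wire))
    print(ipcomp_input(proto, wire) == (6, text))
```

High-entropy input such as an already encrypted payload takes the "would expand" branch and is sent unchanged, which is why compression has to happen before encryption.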
netstat(1) can be used to obtain some statistics about IPComp usage, using the -p flag. Just like for IPsec, using the -r flag, netstat(1) displays information about IPComp flows.
enc(4), inet(4), ip(4), ipsec(4), netintro(4), ipsecadm(8)
The IPComp protocol first appeared in OpenBSD 3.0.
Support for the IPComp protocol was written by Jean-Jacques Bernard-Gundol <[email protected]>.
OpenBSD 3.6 June 27, 2001