[Gllug] IPComp
Russell Howe
rhowe at wiss.co.uk
Thu Sep 2 17:51:30 UTC 2004
On Thu, Sep 02, 2004 at 05:06:18PM +0100, Ian Norton wrote:
> Regarding encryption and compression, the reason that *SWAN encompasses
> an IPComp system is if you have good encryption then you must always
> compress first to get any benefit (it also helps prevent fragmentation).
Makes sense
> I've already figured out about hooking into the network stack with
> sk_buffs and should be able to transform the relevant (only TCP or UDP)
> datagrams before they get munged into ipsec packets. So.. theoretically,
> It should co-exist with IPSec anyway.
Yup, although I would've expected IPcomp to have been IP
protocol-agnostic
> Also as IPComp has an IANA protocol number I would be able to do
> filtering on the data 'properly' with iptables,
Yep - would you be able to filter both the compressed IPcomp stream
(i.e. filter incoming/outgoing IPcomp packets) and the data within (the
original IP datagrams, TCP stream, etc)?
Presumably to do this, you'd have to make IPcomp appear as a tunnel
device. See the FreeS/WAN history on the routing mess this causes :)
> Given that I've not seen much evidence that IPComp is used
> frequently/easily outside IPSec (although I can't see why it shouldn't
> be) do you think that an easier to operate implementation would be a
> good idea?
Sure - I'm sure there are workloads which would benefit from even
simplistic compression of the datastream.
For these kinds of policy-led decisions (and I extend this to IPsec as
well) where you say "traffic matching patterns x, y and z should have
this done to it", where "this" could be compress, encrypt, etc, I always
thought that netfilter/iptables was a fairly natural fit to this kind of
policy specification.
After all, firewall rules are a policy.
Something like
"iptables -t ipcomp -I OUTPUT -d a.b.c.d -j COMPRESS --alg RLE" or
"iptables -t ipcomp -I INPUT -s a.b.c.d -j DECOMPRESS --alg gzip"
I often wondered how hard and/or practical it'd be to specify IPsec
policy in this kind of way, but I haven't given it a great deal of
thought.
Netfilter's there, and it should allow you to intercept packets and
mangle them (there's a 'mangle' table in iptables, although I can't say
I've ever used it or know what it does)
--
Russell Howe | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
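Added worked example (not code from this thread, from Ian's sk_buff module, or from FreeS/WAN): it frames a payload with the IPComp header from RFC 3173 (next header, zero flags, CPI 2 for DEFLATE, carried as IP protocol 108, including the RFC's rule that a payload that does not shrink is sent without the IPComp header), and then measures both transform orderings to show the point made at the top of the thread, that compression must run before encryption to gain anything. The cipher is a toy SHA-256 counter-mode XOR stand-in for the ESP transform, chosen so the example is deterministic; the HTTP-like sample payload is constructed here, and the iptables protocol match noted below is assumed, not taken from the thread.

```python
"""IPComp framing (RFC 3173) and compress-before-encrypt ordering.

Added example for the Gllug IPComp thread; not *SWAN or netfilter code.
"""
import hashlib
import struct
import zlib

IPPROTO_IPCOMP = 108   # IANA protocol number for IPComp (RFC 3173)
IPPROTO_TCP = 6
CPI_DEFLATE = 2        # well-known Compression Parameter Index for DEFLATE

# IPComp header: Next Header (1), Flags (1, must be zero), CPI (2), big-endian
IPCOMP_HDR = struct.Struct("!BBH")

# Constructed sample payload: repetitive, as real application traffic often is
SAMPLE = b"".join(
    b"GET /index.html HTTP/1.1\r\nHost: example.net\r\nUser-Agent: demo/%d\r\n\r\n" % i
    for i in range(60)
)


def _deflate(data):
    """Raw DEFLATE (RFC 1951) stream, as IPComp carries it: no zlib wrapper."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def _inflate(data):
    return zlib.decompress(data, -15)


def ipcomp_encapsulate(next_header, payload):
    """Return (ip_protocol, payload) after the outbound IPComp transform.

    RFC 3173 requires a payload that is not smaller after compression to be
    sent uncompressed and without the IPComp header, so the IP protocol
    field then stays as next_header (e.g. TCP) instead of 108.
    """
    body = _deflate(payload)
    if IPCOMP_HDR.size + len(body) >= len(payload):
        return next_header, payload
    return IPPROTO_IPCOMP, IPCOMP_HDR.pack(next_header, 0, CPI_DEFLATE) + body


def ipcomp_decapsulate(proto, data):
    """Inverse of ipcomp_encapsulate: strip the header and inflate if proto is 108."""
    if proto != IPPROTO_IPCOMP:
        return proto, data
    next_header, flags, cpi = IPCOMP_HDR.unpack_from(data)
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header: flags=%d cpi=%d" % (flags, cpi))
    return next_header, _inflate(data[IPCOMP_HDR.size:])


def toy_stream_cipher(data, key):
    """Stand-in for the ESP cipher: XOR with a SHA-256 counter-mode keystream.

    Deterministic so the example is checkable; XOR makes it its own inverse.
    This is a demo primitive, not a cipher to deploy.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def compare_orderings(payload, key=b"demo-key"):
    """Sizes on the wire for compress-then-encrypt versus encrypt-then-compress."""
    # Order used with IPComp inside IPsec: compress, then encrypt the result.
    _, framed = ipcomp_encapsulate(IPPROTO_TCP, payload)
    compress_then_encrypt = toy_stream_cipher(framed, key)
    # Wrong order: ciphertext looks random, so DEFLATE cannot shrink it and
    # the RFC 3173 fall-back sends it uncompressed (protocol stays TCP).
    ciphertext = toy_stream_cipher(payload, key)
    proto_after, framed_after = ipcomp_encapsulate(IPPROTO_TCP, ciphertext)
    return {
        "plain": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(framed_after),
        "ipcomp_applied_after_encrypt": proto_after == IPPROTO_IPCOMP,
    }


if __name__ == "__main__":
    proto, wire = ipcomp_encapsulate(IPPROTO_TCP, SAMPLE)
    print("outer protocol:", proto, "wire bytes:", len(wire), "of", len(SAMPLE))
    print(compare_orderings(SAMPLE))
```

Because the outer IP protocol field becomes 108 only when compression actually happened, a firewall can match the compressed stream by protocol (iptables accepts `-p ipcomp`, the /etc/protocols name for 108; an assumption about the host's protocols file), but it cannot see the inner TCP/UDP header without first running the inverse transform, which is the crux of Russell's question about filtering both layers.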