IPsec

This page records known IPsec corner cases that need attention when deploying the various IPsec configurations in a real production environment.

  1. IPcomp

    Small IP packets are not compressed on the sending side and fail the policy check on the receiving side.

Quoted from RFC 3173:

2.2. Non-Expansion Policy

 If the total size of a compressed payload and the IPComp header, as
 defined in section 3, is not smaller than the size of the original
 payload, the IP datagram MUST be sent in the original non-compressed
 form.  To clarify: If an IP datagram is sent non-compressed, no
 IPComp header is added to the datagram.  This policy ensures saving
 the decompression processing cycles and avoiding incurring IP
 datagram fragmentation when the expanded datagram is larger than the
 MTU.

 Small IP datagrams are likely to expand as a result of compression.
 Therefore, a numeric threshold should be applied before compression,
 where IP datagrams of size smaller than the threshold are sent in the
 original form without attempting compression.  The numeric threshold
 is implementation dependent.

The current IPComp implementation does conform to the specification, but in practice, when an uncompressed packet is sent to the peer (either because the packet is shorter than the threshold or because the compressed length would be larger than the original), the packet is dropped at the receiver's policy check: it matches the policy selector, but it did not come through any XFRM layer, i.e. it carries no security path. Such bare packets never reach the upper layers. Users get even more confused when they ping the peer with different payload lengths, because only some sizes go through.

One workaround, if the behaviour above is observed, is to try setting "level use" on each policy. The consequence is that small (uncompressed) packets skip the policy check on the receiving side.
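The receive-side failure and the "level use" workaround, as an added Python model (this is not code from the page or from the kernel; it reduces the kernel's template matching to the single case discussed here). The addresses, the 90-byte compression threshold and the packet sizes are constructed sample values; the rendered `ip xfrm policy` syntax follows ip-xfrm(8), where `level use` marks a template as optional and `level required` is the default:

```python
"""Model of RFC 3173 sender behaviour and the Linux XFRM inbound policy check.

Added illustration, not kernel code.  It covers only the IPComp corner case:
a policy whose template asks for `proto comp`, a packet that arrived through
an IPComp SA (its security path lists that SA), and a packet the sender left
uncompressed (no IPComp header, so no security path entry at all).
"""
from dataclasses import dataclass, field
from typing import List

VERDICT_ACCEPT = "accept"
VERDICT_TMPL_MISMATCH = "drop: template mismatch"
VERDICT_NO_POLICY = "no matching policy"

# Constructed threshold; RFC 3173 says the real value is implementation dependent.
COMPRESSION_THRESHOLD = 90


@dataclass(frozen=True)
class Template:
    proto: str            # "comp", "esp" or "ah"
    mode: str             # "transport" or "tunnel"
    optional: bool = False  # True == `level use`, False == `level required`


@dataclass(frozen=True)
class SecPathEntry:
    proto: str            # SA the packet was actually decapsulated by
    mode: str


@dataclass
class Packet:
    src: str
    dst: str
    payload_len: int
    secpath: List[SecPathEntry] = field(default_factory=list)


@dataclass
class Policy:
    src: str
    dst: str
    templates: List[Template]


def sender_emits(pkt: Packet, compressed_len: int) -> Packet:
    """Apply RFC 3173 section 2.2: payloads below the threshold, or payloads
    that would not shrink, go out without an IPComp header.  The receiver
    then sees a bare packet with an empty security path."""
    if pkt.payload_len < COMPRESSION_THRESHOLD or compressed_len >= pkt.payload_len:
        return Packet(pkt.src, pkt.dst, pkt.payload_len, secpath=[])
    return Packet(pkt.src, pkt.dst, compressed_len,
                  secpath=[SecPathEntry("comp", "transport")])


def check_inbound(pol: Policy, pkt: Packet) -> str:
    """Simplified inbound policy check: every required template must be
    backed by a matching security-path entry, in order.  An optional
    template (`level use`) is skipped when no entry matches it."""
    if not (pol.src == pkt.src and pol.dst == pkt.dst):
        return VERDICT_NO_POLICY
    idx = 0
    for tmpl in pol.templates:
        found = next((i for i in range(idx, len(pkt.secpath))
                      if pkt.secpath[i].proto == tmpl.proto
                      and pkt.secpath[i].mode == tmpl.mode), None)
        if found is None:
            if tmpl.optional:
                continue            # level use: tolerate the missing SA
            return VERDICT_TMPL_MISMATCH  # level required: bare packet is dropped
        idx = found + 1
    return VERDICT_ACCEPT


def ip_xfrm_policy_cmd(pol: Policy, direction: str = "in") -> str:
    """Render the ip-xfrm(8) command that installs this policy."""
    tmpls = " ".join(
        f"tmpl proto {t.proto} mode {t.mode} level {'use' if t.optional else 'required'}"
        for t in pol.templates)
    return f"ip xfrm policy add src {pol.src} dst {pol.dst} dir {direction} {tmpls}"


# Constructed sample data: a default-size ping and a large ping from the same peer.
SMALL_PING = Packet("10.0.0.2", "10.0.0.1", payload_len=56)
BIG_PING = Packet("10.0.0.2", "10.0.0.1", payload_len=1000)
POLICY_REQUIRED = Policy("10.0.0.2", "10.0.0.1", [Template("comp", "transport")])
POLICY_USE = Policy("10.0.0.2", "10.0.0.1", [Template("comp", "transport", optional=True)])

if __name__ == "__main__":
    for pol in (POLICY_REQUIRED, POLICY_USE):
        print(ip_xfrm_policy_cmd(pol))
        for pkt, clen in ((SMALL_PING, 70), (BIG_PING, 400), (BIG_PING, 1000)):
            wire = sender_emits(pkt, compressed_len=clen)
            print(f"  {pkt.payload_len:5d}-byte payload, compressed={bool(wire.secpath)}:"
                  f" {check_inbound(pol, wire)}")
```

With the `required` policy the 56-byte ping and the incompressible 1000-byte ping are both dropped while the compressible one passes, which is the size-dependent ping behaviour the page describes; with `level use` all three are accepted, at the cost the page notes (the bare packets are no longer checked). On a real Linux receiver the dropped case shows up as the XfrmInTmplMismatch counter in /proc/net/xfrm_stat, which is a quicker way to confirm this corner case than varying ping sizes.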