IPCOMP(4) OpenBSD Programmer's Manual IPCOMP(4)NAMEipcomp - IP Payload Compression Protocol
DESCRIPTION
IPComp is enabled with the following sysctl(3) variable in
/etc/sysctl.conf:
net.inet.ipcomp.enable
IPComp is a protocol used to reduce the size of IP datagrams. It can be
used to enhance the communication performance between a pair of
hosts/gateways, especially on slow links, by compressing the datagrams,
provided the communicating entities have enough computational power.
This protocol is especially useful when encryption or authentication is
applied to IP datagrams using the IPsec protocol (see ipsec(4) for more
information about IPsec). Encrypting information is increasing its
entropy to a point where compression to a lower layer becomes completely
useless (e.g., the PPP Compression Control Protocol). IPcomp is applied
at the network layer before other encryption operations are applied
(except encryption protocols applied at a higher layer such as ssh(1) or
ssl(8)).
Just like for the other IPsec protocols, IPComp needs some parameters for
each connection, specifying how the compression should be done between
the entities. The parameters are collected in a structure called an
IPComp Association (IPCA). The parameters stored in an IPCA are the
destination address and the Compression Parameter Index (CPI). An IPCA
is the pendant of the SA (Security Association) for IPsec.
Currently, IPCA can be created using the ipsecctl(8) tool. Using
ipsecctl(8) it is also possible to create IPComp flows and SA/IPCA
bundles. Such a bundle is used to create a combination of IPsec and
IPComp flows (thus enabling compression in an IPsec protocol).
The compression is done on the data following the IP header and an IPComp
header is inserted between the compressed data and the IP header. In the
case of IPv6, there are extension headers which cannot be compressed
since they are modified by the router along the way to the destination.
These extension headers are hop-by-hop, routing, and fragmentation.
When doing compression, it is possible that the uncompressed data is
smaller in size than the compressed data. To avoid this behaviour, a non
expansion policy is used in IPComp. If the data payload is smaller than
a given threshold, it will not be compressed. No IPComp header will be
inserted.
IPComp uses the same policy framework as IPsec. However unlike IPsec,
only one policy is available for IPComp:
IPSEC_LEVEL_USE Use IPComp for sending packets but still accept packets
which are not compressed.
DIAGNOSTICSnetstat(1) can be used to obtain some statistics about IPComp usage,
using the -p flag. Just like for IPsec, using the -r flag, netstat(1)
displays information about IPComp flows.
SEE ALSOenc(4), inet(4), ip(4), ipsec(4), netintro(4), ipsecctl(8), sysctl(8)HISTORY
The ipcomp protocol first appeared in OpenBSD 3.0.
AUTHORS
Support for the ipcomp protocol was written by Jean-Jacques
Bernard-Gundol <jj@wabbitt.org>.
OpenBSD 4.9 May 31, 2007 OpenBSD 4.9
