1 2Here documents known IPsec corner cases which need to be keep in mind when 3deploy various IPsec configuration in real world production environment. 4 51. IPcomp: Small IP packet won't get compressed at sender, and failed on 6 policy check on receiver. 7 8Quote from RFC3173: 92.2. Non-Expansion Policy 10 11 If the total size of a compressed payload and the IPComp header, as 12 defined in section 3, is not smaller than the size of the original 13 payload, the IP datagram MUST be sent in the original non-compressed 14 form. To clarify: If an IP datagram is sent non-compressed, no 15 16 IPComp header is added to the datagram. This policy ensures saving 17 the decompression processing cycles and avoiding incurring IP 18 datagram fragmentation when the expanded datagram is larger than the 19 MTU. 20 21 Small IP datagrams are likely to expand as a result of compression. 22 Therefore, a numeric threshold should be applied before compression, 23 where IP datagrams of size smaller than the threshold are sent in the 24 original form without attempting compression. The numeric threshold 25 is implementation dependent. 26 27Current IPComp implementation is indeed by the book, while as in practice 28when sending non-compressed packet to the peer(whether or not packet len 29is smaller than the threshold or the compressed len is large than original 30packet len), the packet is dropped when checking the policy as this packet 31matches the selector but not coming from any XFRM layer, i.e., with no 32security path. Such naked packet will not eventually make it to upper layer. 33The result is much more wired to the user when ping peer with different 34payload length. 35 36One workaround is try to set "level use" for each policy if user observed 37above scenario. The consequence of doing so is small packet(uncompressed) 38will skip policy checking on receiver side. 39