[strongSwan] ipcomp stats

Martin Willi martin at strongswan.org
Fri Mar 21 16:07:12 CET 2014


> When ipcomp is in play - are these stats before or after compression?

The test scenario at [1] uses:

> ping -n -c 2 -s 8184 -p deadbeef

but "ipsec statusall" shows:

> AES_CBC_128/HMAC_SHA1_96, 182 bytes_i (2 pkts, 0s ago), 180 bytes_o (2 pkts, 0s ago)

So the SA statistics on a Linux kernel count the compressed bytes, at
least when installing and querying the SA bundles as we do it.

> Would it be feasible to add stats (byte counters) for the other
> (before or after compression)?  [...] I had a look at the code
> and tls_compression.c seems to be involved but I am not clear where
> the low level "make a big buffer into a smaller one" code lives.

tls_compression.c is completely unrelated, it provides the
(unimplemented) TLS record compression as used by EAP-TTLS, but has
nothing to do with IPcomp compression in ESP.

Instead, the IPsec data path is handled in the kernel, strongSwan does
not do that (only if you are using the libipsec userland IPsec backend,
but that's usually not the case). So to modify the data path and the
used compression, you'll have to modify your kernel.

However, IPComp on Linux uses SA bundles, one SA for ESP encapsulation,
one for compression. strongSwan currently can't display that information
for you, but "ip -s xfrm state" can show these SAs individually. The
IPcomp SAs show the uncompressed number of processed bytes, so you can
compare that easily. The example mentioned previously shows that nicely.

> Or do you envisage some other RPC mechanism to access stats?  I'm sure
> this has been discussed before so it would be interesting to hear what
> ideas you had.  At a most basic level - it would be nice if there was
> another variant of "ipsec statusall" which is more parseable by
> scripting languages, e.g. JSON or even just TAB delimited.

A more generic RPC mechanism to configure, control and query the IKE
daemon to do these kinds of things in a proper way is currently in
development. Most likely an upcoming 5.2.0 will provide such
functionality, stay tuned.
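To make the comparison described in the reply concrete, here is an added example (not part of the list post and not strongSwan code): a POSIX shell/awk filter that reads "ip -s xfrm state" output and prints, per direction and reqid, the bytes counted on the ESP SA (compressed) next to the bytes counted on the IPComp SA (uncompressed). The sample output embedded below is constructed, not captured; the layout ("src ... dst ...", "proto ... reqid ...", "lifetime current:" followed by "N(bytes), M(packets)") is assumed from the iproute2 xfrm state printer, and the byte values (two 8184-byte pings in the clear, 182/180 bytes on the wire) are chosen to mirror the figures quoted above.

```shell
#!/bin/sh
# Added example: pair ESP (compressed) and IPComp (uncompressed) byte
# counters of one SA bundle from "ip -s xfrm state" output.

# Constructed sample of "ip -s xfrm state" (not captured from a real host).
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc1a0b0d0 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0011223344556677889900112233445566778899 96
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      182(bytes), 2(packets)
      add 2014-03-21 15:50:39 use 2014-03-21 15:50:40
    stats:
      replay-window 0 replay 0 failed 0
src 192.0.2.1 dst 192.0.2.2
    proto comp spi 0x00001234 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    comp deflate
    lifetime current:
      16424(bytes), 2(packets)
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc2b1c1e1 reqid 1 mode tunnel
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
    lifetime current:
      180(bytes), 2(packets)
src 192.0.2.2 dst 192.0.2.1
    proto comp spi 0x00005678 reqid 1 mode tunnel
    comp deflate
    lifetime current:
      16424(bytes), 2(packets)
'

# Read xfrm state text on stdin; print one sorted line per "src dst reqid":
#   <src> <dst> <reqid> esp=<bytes> comp=<bytes> esp/comp=<percent>
# Only the "(bytes)" line directly after "lifetime current:" is counted, so
# the "(INF)(bytes)" limits under "lifetime config:" are ignored.
summarize_xfrm() {
    awk '
    $1 == "src" { src = $2; dst = $4 }
    $1 == "proto" {
        proto = $2; reqid = ""
        for (i = 1; i <= NF; i++) if ($i == "reqid") reqid = $(i + 1)
        key = src " " dst " " reqid
        seen[key] = 1
    }
    $1 == "lifetime" && $2 == "current:" { want = 1; next }
    want && index($1, "(bytes)") {
        sub(/\(bytes\).*/, "", $1)
        if (proto == "esp")  esp[key]  += $1 + 0
        if (proto == "comp") comp[key] += $1 + 0
        want = 0
    }
    END {
        for (k in seen) {
            e = esp[k] + 0; c = comp[k] + 0
            ratio = (c > 0) ? sprintf("%.1f%%", 100 * e / c) : "n/a"
            printf "%s esp=%d comp=%d esp/comp=%s\n", k, e, c, ratio
        }
    }' | sort
}

# Live use (needs root and iproute2); defined only, not run here.
summarize_live_xfrm() {
    ip -s xfrm state | summarize_xfrm
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_XFRM_STATE" | summarize_xfrm
```

The esp/comp percentage is the on-the-wire size relative to the cleartext size the IPComp SA saw; because the Linux IPComp code only emits a compressed payload when it is actually smaller, traffic that does not compress shows esp and comp counters of similar magnitude rather than a small ratio.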
