[strongSwan] TFC with compression

Jafar Al-Gharaibeh jafar at atcorp.com
Thu Jan 25 17:39:25 CET 2018

The whole point of TFC is to make all packets have the same length so that
an outside observer can't infer anything from the size of the packets in
the flow. Compression changes the size of every packet so you end up with
non-equal size packets anyway. Compression defeats the purpose of TFC.
Furthermore, if you really care about bandwidth and you use compression
then TFC is a bad idea in the first place since it adds a considerable
overhead. The other case of applying TFC after compression doesn't make
sense at all.


On 1/25/2018 9:30 AM, Stefan Xenon wrote:
> Hi!
> I enabled TFC in ipsec.conf and traced the traffic with Wireshark. I
> noticed that TFC only seems to work when compression is disabled (in
> which case packet length is identical). Is there a way to use both TFC
> and compression at the same time? If not, what is the reason behind this
> limitation? Thank you for your help.
> Best regards,
> Stefan
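
A small model of the argument in the reply above, added here as an illustration and not taken from the thread or from strongSwan's code. zlib's raw DEFLATE stands in for IPComp; the 1400-byte pad target, the pad-then-compress ordering and the sample payloads are assumptions constructed for the demonstration.

```python
import zlib

TFC_LEN = 1400  # constructed pad target (assumption, not a value from the thread)


def tfc_pad(payload: bytes, target: int = TFC_LEN) -> bytes:
    """Pad a payload with zero bytes up to the fixed target length."""
    if len(payload) > target:
        raise ValueError("payload larger than pad target")
    return payload + b"\x00" * (target - len(payload))


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, used here as a stand-in for IPComp."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def observed_sizes(payloads, compress: bool):
    """Per-packet sizes an on-path observer would see in this model."""
    sizes = []
    for p in payloads:
        padded = tfc_pad(p)
        # Assumed ordering: pad first, then compress the padded packet.
        sizes.append(len(deflate(padded)) if compress else len(padded))
    return sizes


def padding_overhead(payloads, target: int = TFC_LEN) -> float:
    """Fraction of transmitted bytes that are padding when only TFC is used."""
    real = sum(len(p) for p in payloads)
    return 1 - real / (target * len(payloads))


# Constructed sample flow: three payloads of different size and entropy.
SAMPLE = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",  # 38 bytes
    b"A" * 600,
    bytes(range(256)) * 4,                            # 1024 bytes
]

if __name__ == "__main__":
    print("TFC only:        ", observed_sizes(SAMPLE, compress=False))
    print("TFC + compression:", observed_sizes(SAMPLE, compress=True))
    print("padding overhead: %.0f%%" % (100 * padding_overhead(SAMPLE)))
```

With padding alone every packet has the same size; once the padded packets are compressed, the sizes diverge again and track the content, while the padding-only flow spends more than half its bytes on padding.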

