It depends on the particular content of the messages. Those payloads that contain random (or random-looking) data, like Nonce, KE and most VIDs, are almost incompressible. However, the content of the SA payload contains so many zeroes that it can be compressed by up to 90%. So, if your IKE_SA_INIT's SA payload contains only a couple of transforms, the saving is minimal, about a few tens of bytes. However, if it contains a long list of transforms, then you could make the initial message 30% smaller, or even half the size, compared to no compression.
But IoT devices would likely only suggest one or at most two transforms
anyway? Not a long list?
As far as I understand, for some low-power systems even a small reduction in message size is significant. For example, see the following:
https://mailarchive.ietf.org/arch/msg/ipsec/TsI1OPGL-84AjZGB_RMyhqOPucY
And IKE_AUTH messages often contain certificates, which are usually compressible by 30%.
I thought IoT devices did not even have the memory to do X.509, which is why raw public keys were added to TLS?
I don't think raw public keys cover all use cases. The IoT device could present its own certificate even if it cannot process the peer's. And even without certificates, the IKE_AUTH messages contain some redundancy to compress.
Paul
Regards,
Valery.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
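The size argument made in the thread above (random-looking Nonce payloads barely compress, while a zero-heavy SA payload with a long transform list compresses a lot) can be checked directly. The following is an added, constructed example, not code from the thread or from any IKE implementation: it builds synthetic IKEv2 payloads in the RFC 7296 wire format and runs them through raw DEFLATE via Python's zlib. DEFLATE is used only as a stand-in for whatever algorithm a compression extension would specify; the transform lists and the nonce bytes are made up for the measurement (the long list mixes combined-mode and classic ciphers purely to get a long proposal, it is not a recommended negotiation set).

```python
"""Constructed example: how well IKEv2 payloads compress with DEFLATE.

Added illustration, not code from the mailing-list thread or any IKE stack.
Builds synthetic IKE_SA_INIT-style payloads (RFC 7296 wire format) and
measures what raw DEFLATE saves on a Nonce payload versus SA payloads
with a short and with a long transform list.
"""
import hashlib
import struct
import zlib
from typing import List, Optional, Tuple

# Transform types (RFC 7296 section 3.3.2); transform IDs are IANA IKEv2 values.
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
KEY_LENGTH_ATTR = 0x800E  # TV-format attribute: AF bit set, type 14 (Key Length)

# next-payload value announcing that a KE payload follows the SA payload
NEXT_PAYLOAD_KE = 34


def transform(ttype: int, tid: int, keylen: Optional[int], last: bool) -> bytes:
    """One Transform substructure: last/more, reserved, length, type, reserved, ID."""
    attr = struct.pack("!HH", KEY_LENGTH_ATTR, keylen) if keylen else b""
    header = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid)
    return header + attr


def sa_payload(transforms: List[Tuple[int, int, Optional[int]]]) -> bytes:
    """SA payload carrying a single IKE proposal (protocol 1, SPI size 0)."""
    n = len(transforms)
    tbytes = b"".join(
        transform(t, i, k, last=(idx == n - 1))
        for idx, (t, i, k) in enumerate(transforms)
    )
    # Proposal: last-substruct=0, reserved, length, proposal #1, protocol IKE,
    # SPI size 0, number of transforms.
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, n) + tbytes
    # Generic payload header: next payload, critical bit clear, payload length.
    return struct.pack("!BBH", NEXT_PAYLOAD_KE, 0, 4 + len(proposal)) + proposal


def nonce_payload(nonce: bytes) -> bytes:
    """Nonce payload: generic header (no next payload) followed by the nonce."""
    return struct.pack("!BBH", 0, 0, 4 + len(nonce)) + nonce


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (wbits=-15: no zlib header/trailer), minimal framing overhead."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def compression_ratio(data: bytes) -> float:
    """compressed size / original size; below 1.0 means compression helped."""
    return len(deflate(data)) / len(data)


# Constructed transform lists. MINIMAL is what a constrained device might send;
# LONG is a kitchen-sink proposal chosen only to be long, not as a recommendation.
MINIMAL = [(ENCR, 20, 256), (PRF, 5, None), (INTEG, 12, None), (DH, 19, None)]
LONG = (
    [(ENCR, 12, k) for k in (128, 192, 256)]    # AES-CBC
    + [(ENCR, 13, k) for k in (128, 192, 256)]  # AES-CTR
    + [(ENCR, 20, k) for k in (128, 192, 256)]  # AES-GCM-16
    + [(ENCR, 3, None), (ENCR, 28, None)]       # 3DES, ChaCha20-Poly1305
    + [(PRF, i, None) for i in (1, 2, 4, 5, 6, 7)]
    + [(INTEG, i, None) for i in (1, 2, 5, 12, 13, 14)]
    + [(DH, g, None) for g in (2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 31)]
)


def report() -> dict:
    """Compression ratio per payload kind; the nonce is a constructed stand-in."""
    nonce = hashlib.sha256(b"constructed nonce, stands in for 32 random bytes").digest()
    return {
        "nonce": compression_ratio(nonce_payload(nonce)),
        "sa_minimal": compression_ratio(sa_payload(MINIMAL)),
        "sa_long": compression_ratio(sa_payload(LONG)),
    }


if __name__ == "__main__":
    for name, ratio in report().items():
        print(f"{name:11s} compressed/original = {ratio:.2f}")
```

Running it shows the nonce payload getting slightly larger after DEFLATE (framing overhead with nothing to match), the four-transform SA payload saving little, and the long SA payload shrinking to well under half its size, which is the effect the thread attributes to the zero-heavy transform encoding.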