VPN data compression


Volker Hahn

We have observed that activating software compression under
the PPP settings of a RAS VPN connection doesn't compress
any more than about 30%. When we did a standard RAS
connection (with no VPN) and also used MS software
compression we observed a compression rate of about 70%.
Can anybody explain this difference or tell us what we
might be doing wrong with our VPN access points?

We realize that encrypted packets are not compressible, but
we assume Microsoft compresses the data before encrypting
the data, so why aren't we getting the same compression
rates? It is hard to find detailed documentation on this.

Our tests were done on a Windows 2003 server, but we couldn't
find a more appropriate newsgroup.

Thank you,
Volker Hahn
 
What size packets are you sending? Which VPN protocol are you using?

PPP compression compresses each packet. You may be getting different
fragmentation for VPN vs. modem.
 
Thank you for your reply.

We are using the PPTP protocol. The packet size varies
from 194 bytes up to 634 bytes using a VPN connection.
Using a standard connection to, for example, an FTP server,
the packet size is consistently 1514 bytes.
We got these values from sniffing the stream with Ethereal.
We downloaded an ASCII file (1,913,911 bytes) from an FTP
server behind the VPN server and from an FTP server via
the Internet.

Thank you,

Volker Hahn
 
I'm more familiar with netmon and looking at things from an IP point of view
rather than an Ethernet point of view...

VPN client connections have a smaller MTU (1400 in Win2k onward).

What should happen is that the client requests an MSS of < 1400 for the
connection and the packets received via FTP should be 1400 bytes each.

If the connection is a router-router connection, the requested MTU may be
1500.

In transactions like this, TCP (or the application?) often sets the don't
fragment bit so that when a 1500 byte packet is sent by the FTP server, the
RRAS server rejects it with an ICMP-must-frag message.

If the FTP server is sending > 1400 byte packets, you'll get fragmentation
if the "don't frag" bit is clear on the packet.

If you see 1400-byte packets heading into the RRAS box, but 700-byte GRE
payloads for PPTP on the VPN link, you're getting a little over 50%
compression on that packet. There will be some overhead on the wire for the
tunnel encapsulation.

Unless you also have VJ header compression enabled on the modem link, the
underlying compression mechanisms should be similar for all media types.

In short: If the difference can't be explained by fragmentation or VJ
compression (which VPNs do not do), I'm not sure why you're seeing a
difference in compression ratios since the compression algorithm should be
similar if not identical. : )
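
An added illustration of the point raised in the replies, that PPP compression works packet by packet, so the size of the payloads reaching the compressor affects the ratio it can achieve. This is not code from any poster: zlib's DEFLATE stands in for Microsoft's PPP compression, and the sample text and the 200/600/1400-byte payload sizes are constructed for the example.

```python
import zlib

# Constructed sample input: a deterministic pseudo-random word stream standing
# in for an ASCII file. Vocabulary, seed and sizes are made up for this example.
WORDS = ("the packet tunnel server client compression header payload route "
         "frame link session window buffer remote access dial modem network "
         "address gateway protocol encrypt fragment offset length control "
         "option request reply status error retry timeout byte data file").split()


def make_sample(n_bytes, seed=1):
    """Return exactly n_bytes of space-separated words (small LCG, no I/O)."""
    out, size, state = [], 0, seed
    while size <= n_bytes:
        state = (state * 1103515245 + 12345) % 2**31
        word = WORDS[(state >> 16) % len(WORDS)]
        out.append(word)
        size += len(word) + 1
    return " ".join(out).encode("ascii")[:n_bytes]


def packets(data, size):
    """Split a byte stream into payloads of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def savings_stateless(data, size):
    """Fraction saved when every packet is compressed with no shared history."""
    out = sum(len(zlib.compress(p)) for p in packets(data, size))
    return 1 - out / len(data)


def savings_with_history(data, size):
    """Fraction saved when one compressor keeps its window across packets.

    Z_SYNC_FLUSH ends each packet on a byte boundary so it could be sent alone.
    """
    comp = zlib.compressobj()
    out = sum(len(comp.compress(p) + comp.flush(zlib.Z_SYNC_FLUSH))
              for p in packets(data, size))
    return 1 - out / len(data)


if __name__ == "__main__":
    sample = make_sample(64 * 1024)
    for size in (200, 600, 1400):
        print(f"{size:5d}-byte payloads: "
              f"stateless {savings_stateless(sample, size):.0%}, "
              f"with history {savings_with_history(sample, size):.0%}")
```

The thread does not state whether the VPN link carried compression history across packets, so both modes are shown.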
 