5. Patch for 8.3 IPsec to better scale up to large SPD / SADB

Patch for 8.3 IPsec to better scale up to large SPD / SADB

  • D

    I seem to remember that pfSense had a patch for IPsec to allow large number of tunnels, but I can't seem to find it under pfsense-tools/patches

    Anyway, I just happened to notice this patch which was submitted to FreeBSD recently, coming from one of the maintainers of ipsec-tools (racoon):

    http://www.freebsd.org/cgi/query-pr.cgi?pr=181699

    From: Timo Teräs timo.teras@iki.fiDate: Sat, 31 Aug 2013 09:05:42 GMT
    Subject: IPsec does scale to large SPD / SADB
    Send-pr version: www-3.1
    Number: 181699
    Category: kern
    Synopsis: [ipsec] [patch] IPsec does scale to large SPD / SADB
    Severity: non-critical
    Priority: low
    Responsible: freebsd-net
    State: open
    Class: change-request
    Arrival-Date: Sat Aug 31 09:10:00 UTC 2013
    Closed-Date:
    Last-Modified: Sun Sep 01 04:35:30 UTC 2013
    Originator: Timo Teräs
    Release: 8.3-RELEASE-i386

    Description
    The algorithms for IPsec SA lookup and SPD lookups are O(n), and things slow down to unusable state if number of SPD or SADB entries goes >100.

    Fix
    Attached are patches to convert linear list lookups to hash lookups (SADB), and implementing a simple SPD caching layer to speed up SPD lookups.

    Patch attached with submission follows:/timo.teras@iki.fi

    0
  • D

    I thought this feature would generate some interest, since there are quite a few pfSense user who run or wish to run 100s of IPsec tunnels.

    Perhaps I should have posted it in the IPsec sub-forum …

    0
  • Rebel Alliance Developer Netgate

    Too late for a change like that on 2.1. Ermal looked at it yesterday also.

    IIRC we already have some changes for that. We have people with 300+ tunnels already, if that still applied to pfSense, we would have heard about it by now.

    Though it may still be worth looking at for 2.2 if it is a further improvement.

    0
  • D

    I also e-mailed Seth (who I afaik has many IPsec tunnels) who might be interested to test it out and compare results.

    Assuming the patch gets merged into FreeBSD-HEAD, I guess pfSense 2.2 based on FreeBSD10 would pick it up anyway.

    0
  • G

    I think O(n) means a gradual degradation (linear) so a statement that >100 items in one or other DB "causing" problems is a bit misleading - it depends on your horsepower and traffic.

    A quick look at one of my pfSense VMs shows 136 odd items in the SAD.  Can't say things are unusable by any stretch of the imagination.

    However a better algo is always a good idea in any area of IT - the bloody things are cut n paste out of many textbooks!  Amazing something as old as IPSEC has only just received this treatment.

    Cheers
    Jon

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy