Patch for 8.3 IPsec to better scale up to large SPD / SADB

dhatz · Sep 1, 2013, 7:05 PM

I seem to remember that pfSense had a patch for IPsec to allow large number of tunnels, but I can't seem to find it under pfsense-tools/patches

Anyway, I just happened to notice this patch which was submitted to FreeBSD recently, coming from one of the maintainers of ipsec-tools (racoon):

http://www.freebsd.org/cgi/query-pr.cgi?pr=181699

From: Timo Teräs timo.teras@iki.fiDate: Sat, 31 Aug 2013 09:05:42 GMT
Subject: IPsec does scale to large SPD / SADB
Send-pr version: www-3.1
Number: 181699
Category: kern
Synopsis: [ipsec] [patch] IPsec does scale to large SPD / SADB
Severity: non-critical
Priority: low
Responsible: freebsd-net
State: open
Class: change-request
Arrival-Date: Sat Aug 31 09:10:00 UTC 2013
Closed-Date:
Last-Modified: Sun Sep 01 04:35:30 UTC 2013
Originator: Timo Teräs
Release: 8.3-RELEASE-i386

Description
The algorithms for IPsec SA lookup and SPD lookups are O(n), and things slow down to unusable state if number of SPD or SADB entries goes >100.

Fix
Attached are patches to convert linear list lookups to hash lookups (SADB), and implementing a simple SPD caching layer to speed up SPD lookups.

Patch attached with submission follows:/timo.teras@iki.fi

dhatz · Sep 4, 2013, 6:42 PM

I thought this feature would generate some interest, since there are quite a few pfSense user who run or wish to run 100s of IPsec tunnels.

Perhaps I should have posted it in the IPsec sub-forum …

jimp · Sep 4, 2013, 7:16 PM

Too late for a change like that on 2.1. Ermal looked at it yesterday also.

IIRC we already have some changes for that. We have people with 300+ tunnels already, if that still applied to pfSense, we would have heard about it by now.

Though it may still be worth looking at for 2.2 if it is a further improvement.

dhatz · Sep 5, 2013, 4:01 PM

I also e-mailed Seth (who I afaik has many IPsec tunnels) who might be interested to test it out and compare results.

Assuming the patch gets merged into FreeBSD-HEAD, I guess pfSense 2.2 based on FreeBSD10 would pick it up anyway.

gerdesj · Sep 7, 2013, 9:27 PM

I think O(n) means a gradual degradation (linear) so a statement that >100 items in one or other DB "causing" problems is a bit misleading - it depends on your horsepower and traffic.

A quick look at one of my pfSense VMs shows 136 odd items in the SAD. Can't say things are unusable by any stretch of the imagination.

However a better algo is always a good idea in any area of IT - the bloody things are cut n paste out of many textbooks! Amazing something as old as IPSEC has only just received this treatment.

Cheers
Jon