Author Topic: Patch for 8.3 IPsec to better scale up to large SPD / SADB  (Read 3240 times)

dhatz
Patch for 8.3 IPsec to better scale up to large SPD / SADB
« on: September 01, 2013, 02:05:26 pm »
I seem to remember that pfSense had a patch for IPsec to allow a large number of tunnels, but I can't seem to find it under pfsense-tools/patches

Anyway, I just happened to notice this patch which was submitted to FreeBSD recently, coming from one of the maintainers of ipsec-tools (racoon):

Quote
http://www.freebsd.org/cgi/query-pr.cgi?pr=181699

From:    Timo Teräs <timo.teras@iki.fi>
Date:    Sat, 31 Aug 2013 09:05:42 GMT
Subject:    IPsec does scale to large SPD / SADB
Send-pr version:    www-3.1
Number:    181699
Category:    kern
Synopsis:    [ipsec] [patch] IPsec does scale to large SPD / SADB
Severity:    non-critical
Priority:    low
Responsible:    freebsd-net
State:    open
Class:    change-request
Arrival-Date:    Sat Aug 31 09:10:00 UTC 2013
Closed-Date:    
Last-Modified:    Sun Sep 01 04:35:30 UTC 2013
Originator:    Timo Teräs
Release:    8.3-RELEASE-i386

Description
The algorithms for IPsec SA lookup and SPD lookups are O(n), and things slow down to unusable state if number of SPD or SADB entries goes >100.

Fix
Attached are patches to convert linear list lookups to hash lookups (SADB), and implementing a simple SPD caching layer to speed up SPD lookups.

Patch attached with submission follows:

dhatz
Re: Patch for 8.3 IPsec to better scale up to large SPD / SADB
« Reply #1 on: September 04, 2013, 01:42:58 pm »
I thought this feature would generate some interest, since there are quite a few pfSense users who run or wish to run 100s of IPsec tunnels.

Perhaps I should have posted it in the IPsec sub-forum ...

jimp
Re: Patch for 8.3 IPsec to better scale up to large SPD / SADB
« Reply #2 on: September 04, 2013, 02:16:08 pm »
Too late for a change like that on 2.1. Ermal looked at it yesterday also.

IIRC we already have some changes for that. We have people with 300+ tunnels already, if that still applied to pfSense, we would have heard about it by now.

Though it may still be worth looking at for 2.2 if it is a further improvement.

dhatz
Re: Patch for 8.3 IPsec to better scale up to large SPD / SADB
« Reply #3 on: September 05, 2013, 11:01:09 am »
I also e-mailed Seth (who, afaik, has many IPsec tunnels), who might be interested to test it out and compare results.

Assuming the patch gets merged into FreeBSD-HEAD, I guess pfSense 2.2 based on FreeBSD10 would pick it up anyway.

Jon Gerdes
Re: Patch for 8.3 IPsec to better scale up to large SPD / SADB
« Reply #4 on: September 07, 2013, 04:27:22 pm »
I think O(n) means a gradual degradation (linear) so a statement that >100 items in one or other DB "causing" problems is a bit misleading - it depends on your horsepower and traffic.

A quick look at one of my pfSense VMs shows 136 odd items in the SAD.  Can't say things are unusable by any stretch of the imagination.

However a better algo is always a good idea in any area of IT - the bloody things are cut n paste out of many textbooks!  Amazing something as old as IPSEC has only just received this treatment.

Cheers
Jon
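To make the PR's O(n) point concrete, and Jon's remark that the cost grows gradually with n rather than breaking at 100, here is a small constructed model of the SADB lookup, added here and not taken from the FreeBSD patch or pfSense code: the same set of SAs is kept both in a plain list and in a chained hash table keyed on SPI, and each lookup reports how many key comparisons it spent. The entry layout, the hash function and the SPI/destination values are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for an SADB entry; the lookup key is (dst, spi, proto). */
struct sa { uint32_t dst, spi; uint8_t proto; struct sa *next; };

#define NBUCKETS 256
static struct sa *linear_head;        /* one list, walked head to tail on every lookup */
static struct sa *buckets[NBUCKETS];  /* chained hash table keyed on spi, as the patch does for SAs */
static unsigned long compares;        /* key comparisons spent by the most recent lookup */

/* Assumed toy hash: fold the four SPI bytes into a bucket index. */
static unsigned hash_spi(uint32_t spi) { return (spi ^ (spi >> 8) ^ (spi >> 16) ^ (spi >> 24)) & (NBUCKETS - 1); }

static int key_eq(const struct sa *s, uint32_t dst, uint32_t spi, uint8_t proto) {
    compares++;
    return s->dst == dst && s->spi == spi && s->proto == proto;
}

static void free_chain(struct sa *s) { while (s) { struct sa *n = s->next; free(s); s = n; } }

/* Drop all entries so the structures can be rebuilt at a different size. */
void sadb_reset(void) {
    free_chain(linear_head); linear_head = NULL;
    for (unsigned i = 0; i < NBUCKETS; i++) { free_chain(buckets[i]); buckets[i] = NULL; }
}

/* Install n constructed ESP SAs (proto 50) in both structures; entry i gets spi 0x1000 + 7919*i. */
void sadb_build(unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        struct sa *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
        a->dst = 0x0a000001u + i; a->spi = 0x1000u + 7919u * i; a->proto = 50; *b = *a;
        a->next = linear_head; linear_head = a;               /* newest entry at the head */
        b->next = buckets[hash_spi(b->spi)]; buckets[hash_spi(b->spi)] = b;
    }
}

/* Both lookups return the number of key comparisons spent, or 0 when the SA is absent. */
unsigned long sadb_lookup_linear(uint32_t dst, uint32_t spi, uint8_t proto) {
    compares = 0;
    for (struct sa *s = linear_head; s; s = s->next)
        if (key_eq(s, dst, spi, proto)) return compares;
    return 0;
}

unsigned long sadb_lookup_hash(uint32_t dst, uint32_t spi, uint8_t proto) {
    compares = 0;
    for (struct sa *s = buckets[hash_spi(spi)]; s; s = s->next)
        if (key_eq(s, dst, spi, proto)) return compares;
    return 0;
}
```

Looking up the oldest SA (entry 0, which sits at the tail of the list) after building 10, 100 and 1000 entries costs 10, 100 and 1000 comparisons on the list, while the hashed lookup stays at the length of one bucket chain.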