
Re: [IPSEC] Too many SADs!

To: Stephen Frost <sfrost@xxxxxxxxxxx>
Subject: Re: [IPSEC] Too many SADs!
From: Wolfgang Walter <wolfgang.walter@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Mar 2005 13:20:21 +0100
Cc: netdev@xxxxxxxxxxx
Organization: Studentenwerk München
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.7.2
> > We had the same problem. Seems to be a limitation of the
> > pfkey-implementation of linux.
> >
> > racoon and setkey both use the pfkey-interface.
> >
> > We switched to iproute2 and openswan which both use the
> > netfilter-interface.

Sorry, wanted to say netlink-interface.

> > Therefore they can handle thousands of SAD and SPD rules.
>
> Well, that's quite interesting.  I didn't realize there were multiple
> interfaces to the IPSEC in Linux.  Additionally, the problem isn't that
> I've got too many policies which end up requiring too many SADs- the
> problem is that SADs are being created above and beyond what's actually
> necessary for my policies, which is a problem.  I'm not entirely sure
> why that's happening either.  At one point a SAD was being added every
> second when there was *already* an apparently current SAD for the
> required policy.  Not good, looks like a bug to me, and I would have
> thought it was a kernel bug but I could be wrong there.

Hmm, we saw this with racoon, too.

I think that Linux sometimes can not send pfkey messages because it can not
allocate enough memory at that moment. The message gets lost and then racoon
and the kernel have different views of the situation. I think the pfkey protocol
is unreliable by design, so racoon should handle that.

If you start racoon with no spd-rules and then start to add a lot of them with
setkey you get a similar behaviour: some of the new rules don't make it to
racoon and racoon will never learn them. (We tried this as a workaround
because racoon does not start when more than about 400 spd-rules are already
set.)

That racoon does not start with more than about 400 spd-rules also seems to be
a problem of the pfkey-implementation: the pfkey answer to the dump request
which racoon does at startup gets too large: the kernel can not allocate
enough memory.

(And this is the reason setkey can not list the rules either, so you may use
it to add more spd-rules than it can later list.)

> 
> I'm certainly curious about the alternative interface to IPSEC in
> Linux, and especially your claim that it's a 'netfilter' interface.

As mentioned, meant netlink-interface, not netfilter.

> I'll certainly look into that...  What kernel are you using?  What
> version of iproute2 and Openswan?  Do you have to patch the kernel?
> 

iproute2 from debian unstable (20041019-3).

openswan from debian unstable: openswan 2.3.0 (debian version: 2.3.0-2)

>         Stephen
>

Greetings,

Wolfgang Walter
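The symptom Stephen describes above (a new SA appearing every second although a current SA for the same policy already exists) is easy to spot from the kernel side with iproute2, which talks to the xfrm subsystem over netlink rather than pfkey. The script below is an added example, not code from the thread or from iproute2 or racoon: it parses the text output of `ip xfrm state` (the format with a `src ... dst ...` header line followed by an indented `proto ... spi ... reqid ...` line), groups SAs by (src, dst, proto, reqid), and reports groups holding more SAs than a normal rekey overlap would explain. The sample output embedded in the script is constructed; the threshold of two SAs per direction (the current SA plus one being rekeyed) is an assumption you may want to tune.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `ip xfrm state` output (not captured from the thread).
# Direction 192.0.2.1 -> 198.51.100.1 carries three ESP states for reqid 1,
# one more than a current SA plus an overlapping rekey SA would need;
# the reverse direction is healthy with a single state.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0000a001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0000a002 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0000a003 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x0000b001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
"""

# Header line of each SA entry and the indented line carrying proto/spi/reqid.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+)")


def parse_xfrm_state(text):
    """Group SA entries from `ip xfrm state` text by (src, dst, proto, reqid).

    Returns a dict mapping that key to the list of SPIs found for it.
    """
    groups = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = SA_PROTO.match(line)
        if m and current is not None:
            key = (current[0], current[1], m.group(1), int(m.group(3)))
            groups[key].append(m.group(2).lower())
    return dict(groups)


def surplus_sas(groups, expected_max=2):
    """Return the groups holding more SAs than expected_max.

    One live SA plus one overlapping rekey SA per direction and reqid is
    normal; anything beyond that (assumed threshold) points at SAs being
    negotiated without the old ones being retired, as described in the thread.
    """
    return {key: spis for key, spis in groups.items() if len(spis) > expected_max}


if __name__ == "__main__":
    # Pipe real output in with: ip xfrm state | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XFRM_STATE
    for (src, dst, proto, reqid), spis in sorted(surplus_sas(parse_xfrm_state(text)).items()):
        print(f"{src} -> {dst} {proto} reqid {reqid}: {len(spis)} SAs ({', '.join(spis)})")
```

Run it periodically and the SA count for an affected direction climbing by one every second is exactly the runaway case; a count that stays at one or two while `setkey -D` shows something different points instead at the userland and kernel having drifted apart over pfkey.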
