[Top] [All Lists]

Re: [Openswan dev] IPComp

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Openswan dev] IPComp
From: James Morris <jmorris@xxxxxxxxxx>
Date: Tue, 6 Jul 2004 18:50:44 -0400 (EDT)
Cc: Paul Wouters <paul@xxxxxxxxxxxxx>, "D. Hugh Redelmeier" <hugh@xxxxxxxxxx>, <dev@xxxxxxxxxxxxxxxxxx>, Dominique Blas <ml@xxxxxxxx>, <netdev@xxxxxxxxxxx>
In-reply-to: <20040706213135.GA21477@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
On Wed, 7 Jul 2004, Herbert Xu wrote:

> With most KMs the SAs are renegotiated periodically.  So as time
> goes on memory fragmentation will eventually cause this to fail.
> You also to consider IPsec gateways where there are hundreds or
> thousands of SAs.
> Maybe we can use a vmalloc instead? That seems to be what the
> deflate module does.

I think it would be better to go with your original idea of allocating a
scratch buffer for each packet, based on the size of the packet.  IPComp
is very slow path, and allocating 64k for each SA is optimizing for an
uncommon worst case in a way which will potentially eat up a lot of memory
(e.g. > 6MB for 100 tunnels).

- James
James Morris

<Prev in Thread] Current Thread [Next in Thread>