Re: [Ipsec-tools-devel] racoon startup delay
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
Re: [Ipsec-tools-devel] racoon startup delay
|
From: Scott L. <sl...@sl...> - 2007-07-16 18:27:45
|
ythhaj khkci wrote:
> racoon.conf is below:
> ==================================
>
> path include "/usr/sbin/racoon";
You're including the racoon binary as a configuration file?!?
> path certificate "/etc/racoon/certs";
>
> remote anonymous
> {
> exchange_mode main;
> my_identifier asn1dn;
> peers_identifier asn1dn "C=edited, O=edited, OU=edited, CN=*";
This doesn't parse; I think you wanted this to read CN=edited.
...
> #!/usr/sbin/setkey -f
>
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> spdadd 172.16.1.0/24 <http://172.16.1.0/24> 172.18.1.0/24
> <http://172.18.1.0/24> any -P out ipsec
> esp/tunnel/172.17.1.1-172.17.1.2/require <http://172.17.1.2/require>;
> spdadd 172.18.1.0/24 <http://172.18.1.0/24> 172.16.1.0/24
> <http://172.16.1.0/24> any -P in ipsec
> esp/tunnel/172.17.1.2-172.17.1.1/require <http://172.17.1.1/require>;
>
> spdadd 172.16.1.0/24 <http://172.16.1.0/24> 172.18.n.0/24 any -P out ipsec
> esp/tunnel/172.17.1.1-172.17.n.2/require;
> spdadd 172.18.n.0/24 172.16.1.0/24 <http://172.16.1.0/24> any -P in ipsec
> esp/tunnel/172.17. n.2-172.17.1.1/require <http://172.17.1.1/require>;
>
> and so on (for n=1; n<=total_size ; n++)
Okay. I've attached a Python script, keysetup (attached), which
duplicates this for any n in [1, 254]. If I put them both in my
ipsec-tools working copy, then do the following:
$ sudo ./keysetup 254
$ sudo src/racoon/racoon -Fdddf racoon.conf -l logfile
<wait a while>
^C
$ ls -laF logfile
I see the generated log is 27 MB. So good news - it's easy to duplicate
this problem on a less constrained system.
If I hack pfkey.c to bail after the last SADB_X_SPDDUMP, then I can see
the CPU usage on my Athlon 3000+:
$ sudo time src/racoon/racoon -Ff racoon.conf
...
1.25user 0.02system 0:01.59elapsed 79%CPU (0avgtext+0avgdata
0maxresident)k
0inputs+0outputs (0major+542minor)pagefaults 0swaps
Hmm. So really this isn't that big a deal for the rest of us. The
startup time is fixable, but...man. If your machine is 24X slower than
mine, do you really want to be running 254 tunnels on it? You might want
to switch to a star topology with a faster machine at the hub.
Anyway, what I see is what I hypothesized before. It does a dump on
startup, and on each entry it does a linear search through its existing
database to see if it already exists, so it does the following number of
checks:
1 + 2 + ... + n = n(n+1)/2 = O(n^2)
Using a hash table for lookups would reduce this from O(n^2) to O(n),
fixing your immediate problem.
Oh, regarding the times you gathered:
> I ran the tests again today and saw these results:
> Number of tunnels, Racoon delay time
> 4, 1
> 30, 1
> 60, 4
> 90, 8
> 100, 34 + 11
> 120, 34 + 34 + 34
> 140, 34
> 150, 22
> 180, 27
> 210, 34
> 230, 27
> 240, 27
> 254, 34
I plotted those and saw no clear trend. Thanks for trying, but I think
the stopwatch method just isn't accurate enough for this. If someone
suggests a better way than mine to get racoon2 to automatically exit
when the dump is over, I'll run a loop that gathers times automatically
with precision. I'd expect it to say O(n^2), though, not the exponential
time you suggested before.
Best regards,
Scott
--
Scott Lamb <http://www.slamb.org/>
|