Re: [Ipsec-tools-devel] racoon startup delay
From: Scott L. <sl...@sl...> - 2007-07-16 18:27:45
ythhaj khkci wrote:
> racoon.conf is below:
> ==================================
>
> path include "/usr/sbin/racoon";

You're including the racoon binary as a configuration file?!?

> path certificate "/etc/racoon/certs";
>
> remote anonymous
> {
>         exchange_mode main;
>         my_identifier asn1dn;
>         peers_identifier asn1dn "C=edited, O=edited, OU=edited, CN=*";

This doesn't parse; I think you wanted this to read CN=edited.

...

> #!/usr/sbin/setkey -f
>
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> spdadd 172.16.1.0/24 172.18.1.0/24 any -P out ipsec
>        esp/tunnel/172.17.1.1-172.17.1.2/require;
> spdadd 172.18.1.0/24 172.16.1.0/24 any -P in ipsec
>        esp/tunnel/172.17.1.2-172.17.1.1/require;
>
> spdadd 172.16.1.0/24 172.18.n.0/24 any -P out ipsec
>        esp/tunnel/172.17.1.1-172.17.n.2/require;
> spdadd 172.18.n.0/24 172.16.1.0/24 any -P in ipsec
>        esp/tunnel/172.17.n.2-172.17.1.1/require;
>
> and so on (for n=1; n<=total_size ; n++)

Okay. I've attached a Python script, keysetup (attached), which duplicates this for any n in [1, 254]. If I put them both in my ipsec-tools working copy, then do the following:

    $ sudo ./keysetup 254
    $ sudo src/racoon/racoon -Fdddf racoon.conf -l logfile
    <wait a while>
    ^C
    $ ls -laF logfile

I see the generated log is 27 MB. So good news - it's easy to duplicate this problem on a less constrained system.

If I hack pfkey.c to bail after the last SADB_X_SPDDUMP, then I can see the CPU usage on my Athlon 3000+:

    $ sudo time src/racoon/racoon -Ff racoon.conf
    ...
    1.25user 0.02system 0:01.59elapsed 79%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+542minor)pagefaults 0swaps

Hmm. So really this isn't that big a deal for the rest of us. The startup time is fixable, but...man. If your machine is 24X slower than mine, do you really want to be running 254 tunnels on it? You might want to switch to a star topology with a faster machine at the hub.

Anyway, what I see is what I hypothesized before. It does a dump on startup, and on each entry it does a linear search through its existing database to see if it already exists, so it does the following number of checks:

    1 + 2 + ... + n = n(n+1)/2 = O(n^2)

Using a hash table for lookups would reduce this from O(n^2) to O(n), fixing your immediate problem.

Oh, regarding the times you gathered:

> I ran the tests again today and saw these results:
> Number of tunnels, Racoon delay time
> 4, 1
> 30, 1
> 60, 4
> 90, 8
> 100, 34 + 11
> 120, 34 + 34 + 34
> 140, 34
> 150, 22
> 180, 27
> 210, 34
> 230, 27
> 240, 27
> 254, 34

I plotted those and saw no clear trend. Thanks for trying, but I think the stopwatch method just isn't accurate enough for this. If someone suggests a better way than mine to get racoon2 to automatically exit when the dump is over, I'll run a loop that gathers times automatically with precision. I'd expect it to say O(n^2), though, not the exponential time you suggested before.

Best regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
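An added illustration of the two things discussed above, written for this page and not the keysetup script Scott attached to the mail: it generates the setkey policy file with the addressing pattern quoted in the thread, and models the per-entry linear scan racoon performs while consuming the startup SPD dump next to the hash-table lookup Scott proposes, so the n(n+1)/2-style growth can be counted rather than timed with a stopwatch. The function names and the comparison counters are assumptions of this example.

```python
# Added illustration, not the keysetup script attached to the original mail:
# generate the setkey policy file from the thread and model what racoon pays
# per entry while consuming the startup SADB_X_SPDDUMP.
import sys

def setkey_script(total_size):
    """setkey(8) script with one out/in policy pair per tunnel n (1..254),
    using the addressing pattern quoted in the thread."""
    if not 1 <= total_size <= 254:
        raise ValueError("n is a third octet, so it must be in [1, 254]")
    lines = ["#!/usr/sbin/setkey -f", "", "# Flush the SAD and SPD",
             "flush;", "spdflush;", ""]
    for n in range(1, total_size + 1):
        lines.append(f"spdadd 172.16.1.0/24 172.18.{n}.0/24 any -P out ipsec "
                     f"esp/tunnel/172.17.1.1-172.17.{n}.2/require;")
        lines.append(f"spdadd 172.18.{n}.0/24 172.16.1.0/24 any -P in ipsec "
                     f"esp/tunnel/172.17.{n}.2-172.17.1.1/require;")
    return "\n".join(lines) + "\n"

def dumped_policies(total_size):
    """(src, dst, direction) keys the kernel returns in the SPD dump: two per tunnel."""
    keys = []
    for n in range(1, total_size + 1):
        keys.append(("172.16.1.0/24", f"172.18.{n}.0/24", "out"))
        keys.append((f"172.18.{n}.0/24", "172.16.1.0/24", "in"))
    return keys

def load_dump_linear(entries):
    """Current behaviour: scan every stored entry per dumped entry, N(N-1)/2 for N distinct."""
    db, comparisons = [], 0
    for entry in entries:
        comparisons += len(db)  # a new entry is compared with every stored one
        if entry not in db:
            db.append(entry)
    return comparisons

def load_dump_hashed(entries):
    """Proposed fix: one hash lookup per dumped entry, O(N) overall."""
    db, lookups = set(), 0
    for entry in entries:
        lookups += 1
        if entry not in db:
            db.add(entry)
    return lookups

if __name__ == "__main__":
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 254
    sys.stdout.write(setkey_script(n))
    keys = dumped_policies(n)
    sys.stderr.write(f"{len(keys)} policies: {load_dump_linear(keys)} linear "
                     f"comparisons vs {load_dump_hashed(keys)} hash lookups\n")
```

Run as `python3 keysetup_model.py 254 > setkey.conf` to get a 508-policy file like the one in the thread; the counts on stderr show 128778 comparisons for the linear scan against 508 hash lookups.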