Re: [Ipsec-tools-devel] CPU usage for IPSec in Linux 2.6.38

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

From: "Naveen B N (nbn)" <nb...@ci...>
Date: Wed, 11 Jan 2012 08:20:12 +0530

> Did anybody try creating IPSec Tunnels > 6000 in Linux
> And faced the same problem below.

The problem is that you must situate your rules according to
certain rules otherwise performance will suffer greatly.

You must:

1) Predominantly use fully specified, non-wildcard, rules.

   These go into a special hash table which approaches complexity
   O(1).

2) If you absolutely must have wildcarded rules, only have an
   extremely small number of them.

   These go onto a linked list which is O(N).

There is no reasonable reason to have thousands of wildcarded
rules.

Thousands of fully specified non-wildcard rules are reasonable,
and what we optimize the IPSEC datastructures for.