From: David M. <da...@da...> - 2012-01-11 06:34:50
From: "Naveen B N (nbn)" <nb...@ci...>
Date: Wed, 11 Jan 2012 08:20:12 +0530

> Did anybody try creating IPSec Tunnels > 6000 in Linux
> And faced the same problem below.

The problem is that you must situate your rules according to certain rules otherwise performance will suffer greatly.

You must:

1) Predominantly use fully specified, non-wildcard, rules. These go into a special hash table which approaches complexity O(1).

2) If you absolutely must have wildcarded rules, only have an extremely small number of them. These go onto a linked list which is O(N).

There is no reasonable reason to have thousands of wildcarded rules. Thousands of fully specified non-wildcard rules are reasonable, and what we optimize the IPSEC data structures for.
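
One way to check an existing policy database against the advice above, as an added example that is not part of the original message: it reads text in the layout of `ip xfrm policy` output and counts selectors with host-length prefixes on both sides versus prefixed or any-address ones. Treating "fully specified" as /32 (IPv4) or /128 (IPv6) on both source and destination is an assumption; the function names and the sample dump are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout printed by `ip xfrm policy` (not real data).
SAMPLE = """\
src 10.1.0.5/32 dst 10.2.0.9/32
\tdir out priority 2080 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 2900 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 0 ptype main
src 2001:db8::1/128 dst 2001:db8::2/128
\tdir out priority 2080 ptype main
"""

# Selector lines start in column 0; indented "tmpl src ..." lines are skipped.
SELECTOR = re.compile(r"^src (\S+) dst (\S+)")


def is_exact(selector_net):
    """True when the prefix names a single host (/32 for IPv4, /128 for IPv6)."""
    net = ipaddress.ip_network(selector_net, strict=False)
    return net.prefixlen == net.max_prefixlen


def classify(dump):
    """Split policies into 'exact' (hash candidates) and 'wildcard' (list walk)."""
    counts, wildcards = Counter(), []
    for line in dump.splitlines():
        m = SELECTOR.match(line)
        if not m:
            continue
        src, dst = m.groups()
        if is_exact(src) and is_exact(dst):
            counts["exact"] += 1
        else:
            counts["wildcard"] += 1
            wildcards.append((src, dst))
    return counts, wildcards


if __name__ == "__main__":
    counts, wildcards = classify(SAMPLE)
    print(dict(counts))
    for src, dst in wildcards:
        print("wildcarded selector:", src, "->", dst)
```

A wildcard count in the thousands is the situation the reply warns about; a handful next to thousands of exact selectors matches the layout it recommends.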