From: Daniel M. <mgl...@gm...> - 2010-08-18 07:35:34
Although the mail is listed in the archive, it seems it hasn't been sent on the ML.

On Tue, Aug 17, 2010 at 7:25 PM, Daniel Migault <mgl...@gm...> wrote:
> Hi,
>
> We have a problem running lksctp with IPsec on a network with a non-null
> Packet Loss Rate.
>
> We are running the latest version of lksctp on Linux Ubuntu 10.04, and
> testing the performance of FTP transfers under various network conditions.
> The FTP server used is tnftpd, and we use the withsctp tool to run it over
> SCTP. The network packet loss rate is configured with dummynet tools on a
> router. The IKEv2 implementation we use is StrongSwan.
>
> If we run SCTP without IPsec it works pretty well, even though we happen to
> be in a stalled state from time to time with a Packet Loss Rate less than 7%.
> If we run SCTP with IPsec and the Packet Loss Rate is set to 0, then file
> transfers work properly.
> If we have any other value for the Packet Loss Rate (0.2%), then we are in
> a stalled state immediately after the file transfer has started.
>
> We carried out the tests both with 3 interfaces and with a single
> interface.
>
> We looked for stalled states and SCTP
> [http://pel.ucd.ie/files/stall%20and%20path.pdf]. Stalled states seem to
> happen when the latency between the different channels has a huge difference
> or when SACK messages are "always" lost. We think we are in neither one nor
> the other case, since our channels have the same characteristics. We also
> looked for IPsec misconfigurations on multiple interfaces, and so tried to
> make it run on a single interface, which did not solve the problem.
>
> Our understanding is that there might be incompatibilities in
> retransmission policies between StrongSwan and LKSCTP. Has anyone any
> thoughts on that? Or has anyone already experienced similar problems with
> SCTP and IPsec?
>
> Regards,
> Daniel
>
> --
> Daniel Migault
> Orange Labs / Security Lab
> +33 (0) 1 45 29 60 52
> +33 (0) 6 70 72 69 58

--
Daniel Migault
Orange Labs / Security Lab
+33 (0) 1 45 29 60 52
+33 (0) 6 70 72 69 58