From: Rainer W. <rwe...@mo...> - 2012-09-14 16:32:40
Larry Baird <la...@gt...> writes:

>> Sorry to be so blunt but this is a totally weird idea. The various
>> SADB_DUMP based loops in racoon (used for SA deletion) may cause
>> performance issues because of the insane amount of needless copying of
>> data which needs to be done in order to delete a single SA but this will
>> certainly not get better when increasing the number of messages
>> received in reply to a SADB_DUMP request.
>
> All I can say is that it fixed some issues for me. Had older versions
> of racoon with large number of SAs that worked fine. Upgrading to newest
> racoon and they quit working. Adding this patch made everything work
> again.

It will increase the 'threshold' beyond which the kernel (at least Linux) silently truncates the dump reply. This means the racoon SA deletion code (in purge_remote and purge_ipsec_spi) will be able to deal with more SAs instead of just not deleting ph2 SAs which weren't part of this reply because of the 'buffer overflow'. It's just inconceivable that this helps with otherwise unrelated 'performance problems', at least as far as my understanding goes (I know what the purge_* code does because I replaced it ;-).