| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20100822.005353.260099324.davem@davemloft.net> Date: Sun, 22 Aug 2010 00:53:53 -0700 (PDT) From: David Miller <davem@...emloft.net> To: christophe.gouault@...nd.com Cc: netdev@...r.kernel.org Subject: Re: IPsec: Why do pfkey_getspi and xfrm_alloc_userspi call xfrm_find_acq_byseq? From: Christophe Gouault <christophe.gouault@...nd.com> Date: Thu, 19 Aug 2010 14:55:21 +0200 > The call to xfrm_find_acq_byseq() by the pfkey_getspi() and > xfrm_alloc_userspi() functions is quite costly and proves to entail > scalability issues when performing thousands of IKE negotiations with > racoon (from ipsec-tools distribution) or charon (from strongswan > distribution). > > Removing this call in the kernel drastically accelerates the > processing and does not seem to entail functional problems. > > For now, I don't see the point of this call. I need to understand its > purpose, because I'm highly tempted to simply remove it. First of all, removing a function because you don't understand why it's there is rarely a good idea :-) I think the semantics require that we check for existing ACQUIRE state entries before we allocate an SPI. The likelyhood of breaking something if you remove the call is very high. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists