| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20120110.223439.142967999090229499.davem@davemloft.net> Date: Tue, 10 Jan 2012 22:34:39 -0800 (PST) From: David Miller <davem@...emloft.net> To: nbn@...co.com Cc: ipsec-tools-devel@...ts.sourceforge.net, netdev@...r.kernel.org Subject: Re: CPU usage for IPSec in Linux 2.6.38 From: "Naveen B N (nbn)" <nbn@...co.com> Date: Wed, 11 Jan 2012 08:20:12 +0530 > Did anybody try creating IPSec Tunnels > 6000 in Linux > And faced the same problem below. The problem is that you must situate your rules according to certain rules otherwise performance will suffer greatly. You must: 1) Predominantly use fully specified, non-wildcard, rules. These go into a special hash table which approaches complexity O(1). 2) If you absolutely must have wildcarded rules, only have an extremely small number of them. These go onto a linked list which is O(N). There is no reasonable reason to have thousands of wildcarded rules. Thousands of fully specified non-wildcard rules are reasonable, and what we optimize the IPSEC datastructures for. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists