lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 23 Apr 2019 18:25:21 +0200
From:   Florian Westphal <>
To:     Vakul Garg <>
Cc:     Florian Westphal <>,
        "" <>
Subject: Re: ipsec tunnel performance degrade

Vakul Garg <> wrote:
> > Vakul Garg <> wrote:
> > > > Do you use xfrm interfaces?
> > >
> > > I don't think so. I use setkey to create policies/SAs.
> > > Can you please give me some hint about it?
> > 
> > Then you're not using ipsec interfaces.
> > 
> Instead of creating policies/SA using setkey, I shifted to using 'ip xfrm' commands.
> With this, I get good performance improvement (20% better in one case).
> Now xfrm_state_find() function is not taking much cpu.

Thats very strange, I have no explanation for this.
It would be good to find the cause, PF_KEY and 'ip xfrm'
are just different control plane frontends, they should have no impact
on data path performance.

> Is this what you meant by 'xfrm interfaces'?

No, i meant the xfrm network interfaces that were added recently, see

> > I have no further suggestions.  I don't know yet when I will have time to look
> > into refcnt optimizations.
> > 
> > Idea would be to make them same as dev_hold/put.
> I will try to address it. Can you provide some guidance? Thanks.

I will try to make ugly POC hack tomorrow that should
illustrate the general idea (and caveats/bugs that need fixing).

Powered by blists - more mailing lists