From: Stephen Frost <sfrost@snowman.net>
To: Wolfgang Walter <wolfgang.walter@studentenwerk.mhn.de>
Cc: netdev@oss.sgi.com
Subject: Re: [IPSEC] Too many SADs!
Date: Tue, 22 Mar 2005 11:59:28 -0500
Message-ID: <20050322165928.GC8725@ns.snowman.net>
In-Reply-To: <200503220052.52756.wolfgang.walter@studentenwerk.mhn.de>
* Wolfgang Walter (wolfgang.walter@studentenwerk.mhn.de) wrote:
> We had the same problem. Seems to be a limitation of the pfkey-implementation
> of linux.
>
> racoon and setkey both use the pfkey-interface.
>
> We switched to iproute2 and openswan which both use the netfilter-interface.
> Therefore they can handle thousands of SAD and SPD rules.
Well, that's quite interesting. I didn't realize there were multiple
interfaces to the IPSEC in Linux. Additionally, the problem isn't that
I've got too many policies which end up requiring too many SADs; the
problem is that SADs are being created above and beyond what's actually
necessary for my policies, which is a problem. I'm not entirely sure
why that's happening either. At one point a SAD was being added every
second when there was *already* an apparently current SAD for the
required policy. Not good, looks like a bug to me, and I would have
thought it was a kernel bug but I could be wrong there.
I'm certainly curious about the alternative interface to IPSEC in
Linux, and especially your claim that it's a 'netfilter' interface.
I'll certainly look into that... What kernel are you using? What
version of iproute2 and Openswan? Do you have to patch the kernel?
Stephen
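The symptom described above (a fresh SA appearing every second for a policy that already has a current SA) is something you can check for directly from the kernel's SAD listing. The script below is an added example and is not code from this thread or from iproute2; it parses the text that iproute2's `ip xfrm state` prints and groups the SAs by (src, dst, proto, reqid), which is the tuple one policy's traffic in one direction normally shares. The sample output embedded in it is constructed for illustration, and the threshold of two SAs per direction is an assumption: a rekey legitimately leaves the old and the new SA installed side by side for a short while, so a third (or fourth) SA for the same tuple is the point at which the growth looks like the runaway behaviour reported here rather than normal overlap.

```python
#!/usr/bin/env python3
"""Flag policies that have accumulated more SAs than a rekey overlap explains.

Parses the output format of `ip xfrm state` (iproute2). Run with --live to
inspect the local SAD; without arguments it runs on the constructed sample.
"""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `ip xfrm state` output (not captured from the thread).
# The 192.0.2.1 -> 198.51.100.7 direction has three SAs for reqid 1, the
# reverse direction has one.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.7
\tproto esp spi 0x0000a001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.7
\tproto esp spi 0x0000a002 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 192.0.2.1 dst 198.51.100.7
\tproto esp spi 0x0000a003 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 198.51.100.7 dst 192.0.2.1
\tproto esp spi 0x0000b001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
"""

# Each SA starts with an unindented "src ... dst ..." line; the indented
# "proto ... spi ... reqid ... mode ..." line carries the rest of the identity.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text):
    """Return a list of dicts, one per SA, from `ip xfrm state` text."""
    sas = []
    current = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2)}
            sas.append(current)
            continue
        m = SA_PROTO.match(line)
        if m and current is not None:
            current["proto"] = m.group(1)
            current["spi"] = int(m.group(2), 16)
            current["reqid"] = int(m.group(3))
            current["mode"] = m.group(4)
    return sas


def find_redundant_sas(sas, max_per_direction=2):
    """Group SAs by (src, dst, proto, reqid) and return the groups that exceed
    max_per_direction. The default of 2 (assumption) tolerates one old SA and
    one new SA coexisting during a rekey."""
    groups = defaultdict(list)
    for sa in sas:
        key = (sa["src"], sa["dst"], sa.get("proto"), sa.get("reqid"))
        groups[key].append(sa.get("spi"))
    return {key: spis for key, spis in groups.items() if len(spis) > max_per_direction}


def main(argv):
    if "--live" in argv:
        text = subprocess.run(["ip", "xfrm", "state"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_XFRM_STATE
    sas = parse_xfrm_state(text)
    print(f"{len(sas)} SAs in SAD")
    for (src, dst, proto, reqid), spis in find_redundant_sas(sas).items():
        spi_list = ", ".join(f"0x{s:08x}" for s in spis)
        print(f"WARNING: {src} -> {dst} {proto} reqid {reqid}: {len(spis)} SAs ({spi_list})")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it periodically (or from cron) and the warning line is the thing to alert on; if the SPI list for one tuple keeps growing between runs while the policy has not changed, the SA churn is coming from the keying daemon or the kernel rather than from the policy set.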