Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Wolfgang Walter <linux@stwm.de>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, fw@strlen.de,
	steffen.klassert@secunet.com, linux-kernel@vger.kernel.org,
	torvalds@linux-foundation.org, christophe.gouault@6wind.com,
	gregkh@linuxfoundation.org
Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels
Date: Fri, 26 Oct 2018 14:18:58 +0200	[thread overview]
Message-ID: <3245883.cYmPfsiBkz@stwm.de> (raw)
In-Reply-To: <20181025.103450.1966639999117342457.davem@davemloft.net>

Am Donnerstag, 25. Oktober 2018, 10:34:50 schrieb David Miller:
> From: Wolfgang Walter <linux@stwm.de>
> Date: Thu, 25 Oct 2018 11:38:19 +0200
> 
> > there is now a new 4.19 which still has the big performance regression
> > when
> > many ipsec tunnels are configured (throughput and latency get worse by 10
> > to 50 times) which makes any kernel > 4.9 unusable for our routers.
> > 
> > I still don't understand why a revert of the flow cache removal at least
> > for the longterm kernels is that a bad option (maybe as a compile time
> > option), especially as there is no workaround available.
> 
> You do know that the flow cache is DDoS targettable, right?
> 
> That's why we removed it, we did not make the change lightly.

Though this is true, we now have simply a permanent DDoS situation. The 
removal of the flow cache leads to the situation so that with enough ipsec-
tunnels you are now always as bad as you would have been prior under a DDoS 
attack.

This is not comparable to the routing cache situation where a fast, well 
tested solution already existed (for routes in a table; if you use a lot of 
rules for policy routing this may be a different story).

Futher I don't think that the DoS is that a strong argument for the removal of 
the routing cache if the routing performance would have dropped 10 times and 
more.

Also, the routing cache was even a problem with legitimate traffic, so I never 
had a problem with the moderate performance regression it caused here.

> 
> Adding a DDoS vector back into the kernel is not an option sorry.

All kernels >= 4.14 are in our use case as bad as if they were under attack. 
They are completely unusable and I even can't 

> 
> Please work diligently with Florian and others to try and find ways to
> soften the performance hit.
> 

I proposed to revert this for the longterm kernels and I only depending on a 
compile time option which explicitely had to be switched on. Then we could 
start using 4.19. People not using ipsec or who use it only with < 100 rules 
would still live without flow cache.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts

next prev parent reply	other threads:[~2018-10-26 12:19 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-13 11:30 Regression: kernel 4.14 an later very slow with many ipsec tunnels Wolfgang Walter
2018-09-13 13:58 ` Florian Westphal
2018-09-13 15:46   ` Wolfgang Walter
2018-09-13 16:38     ` Florian Westphal
2018-09-13 17:23       ` David Miller
2018-09-13 21:03         ` Florian Westphal
2018-09-13 21:12           ` David Miller
2018-09-14  5:06           ` Steffen Klassert
2018-09-14  5:54             ` Florian Westphal
2018-09-14  6:01               ` Steffen Klassert
2018-09-14  8:01                 ` Christophe Gouault
2018-09-14 11:49               ` Wolfgang Walter
2018-10-02 14:45               ` Wolfgang Walter
2018-10-02 14:56                 ` Florian Westphal
2018-10-02 17:34                   ` Wolfgang Walter
2018-10-02 21:35                     ` Florian Westphal
2018-10-04 13:57                       ` Wolfgang Walter
2018-10-25  9:38                         ` Wolfgang Walter
2018-10-25 17:34                           ` David Miller
2018-10-25 19:24                             ` Florian Westphal
2018-10-26 12:18                             ` Wolfgang Walter [this message]
2018-10-25 22:45                           ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3245883.cYmPfsiBkz@stwm.de \
    --to=linux@stwm.de \
    --cc=christophe.gouault@6wind.com \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.