From: "Gabriele Beltrame" <belgab@drvsource.net>
To: "'Steffen Klassert'" <steffen.klassert@secunet.com>
Cc: <netdev@vger.kernel.org>
Subject: RE: Random packet loss using IPsec with AES128-SHA1
Date: Thu, 17 Dec 2015 16:36:06 +0100 [thread overview]
Message-ID: <005901d138e0$a6a7a750$f3f6f5f0$@drvsource.net> (raw)
In-Reply-To: <20151216095954.GN29565@gauss.secunet.com>
Hi Steffen,
I don't think it's IPsec (I can see the outbound packet in tcpdump), not
alone at least but the XEN /AWS Ethernet driver (or multiple things
concurring to the issue) actually... the odd thing is that it does seem to
affect AES-CBS only (3DES-CBS, AES-GCM are fine)
This is the short discussion on the Strongswan support wiki:
https://wiki.strongswan.org/issues/1220
Thanks,
Gabriele
-----Original Message-----
From: Steffen Klassert [mailto:steffen.klassert@secunet.com]
Sent: mercoledì 16 dicembre 2015 11:00
To: Gabriele Beltrame <belgab@drvsource.net>
Cc: netdev@vger.kernel.org
Subject: Re: Random packet loss using IPsec with AES128-SHA1
On Wed, Dec 16, 2015 at 10:17:54AM +0100, Gabriele Beltrame wrote:
> Hi,
>
> I'm running a few Strongswan 5.3.* CentOS (Kernel 3.16.7, 4.2.6,
> 4.1.*) instances on AWS to terminate VPNs between each other and/or to
> other devices across the Internet.
> While investigating some application issues, I've noticed that on
> every VPNs I have random packet losses (from 1% to 4% over 100 to 300
requests sent).
> This only happens when the two following conditions are met: (a) AES
> encryption used, (b) IP packet size shorter than about (150+8+20)Bytes.
I've never seen this.
If xfrm statistics are compiled in, a counter is bumped for each packet
dropped by IPsec. You can check these counters in /proc/net/xfrm_stat.
This will tell you at least whether IPsec is the reason for your packet
loss.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
next prev parent reply other threads:[~2015-12-17 15:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-16 9:17 Random packet loss using IPsec with AES128-SHA1 Gabriele Beltrame
2015-12-16 9:59 ` Steffen Klassert
2015-12-17 15:36 ` Gabriele Beltrame [this message]
2015-12-18 7:41 ` Steffen Klassert
-- strict thread matches above, loose matches on Subject: below --
2015-12-06 10:05 Gabriele Beltrame
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='005901d138e0$a6a7a750$f3f6f5f0$@drvsource.net' \
--to=belgab@drvsource.net \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).