From: Steffen Klassert <steffen.klassert@secunet.com>
To: Christophe Gouault <christophe.gouault@6wind.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: IPsec policy database customization proposal
Date: Mon, 21 Jul 2014 13:01:43 +0200 [thread overview]
Message-ID: <20140721110143.GA3396@secunet.com> (raw)
In-Reply-To: <CADdy8Hps=2Xfs5TTgSQZtCKTCmL32AyxbuCeT59s3MmRZF6Bbg@mail.gmail.com>
On Wed, Jul 16, 2014 at 09:35:41AM +0200, Christophe Gouault wrote:
>
> There are several multi-field classification algorithms, but few seem
> adapted to SPD/SAD lookup:
>
> - linear search
> - hierarchical tries
> - set-pruning tries
> - grid-of-tries
> - bit-vector linear search
> - cross-producting
We used a cross-producting algorithm for a while to do
policy lookups. It scaled for policy lookups because
the policy database was rather static. It does not
scale at all for state lookups because states change
quite often and the cross-product table must be
reconstructed whenever the database changes.
>
> As far as I understand, the only things that concerned you about the
> patchset were:
>
> - using /proc to configure the algorithm, you prefer netlink.
> - adding a configuration API that could potentially be later
> deprecated. My feeling is that the choice of a brand new SPD algorithm
> will not happen before long.
> - calculation of thresholds is not automatic. As I already suggested,
> it may be configured by a daemon if an automatic system is needed.
Why do you think a daemon can do a better job in automatic
configuration? We maintain the policy hashlists inside the
kernel, so we should know the best about their sizes.
But I agree that not everybody wants to have such an automatic
configuration, so we need some knobs to tune it from userspace.
>
> What if I rework the patchset and replace the configuration via /proc
> by a configuration by netlink:
>
> - supporting message XFRM_MSG_NEWSPDINFO from userland, with
> attribute XFRMA_SPD_HTHRESH
> - adding XFRMA_SPD_HTHRESH attribute to XFRM_MSG_NEWSPDINFO messages
> from the kernel in reply to XFRM_MSG_GETSPDINFO?
>
OK.
prev parent reply other threads:[~2014-07-21 11:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-30 12:50 IPsec policy database customization proposal Christophe Gouault
2014-07-08 11:35 ` Steffen Klassert
2014-07-16 7:35 ` Christophe Gouault
2014-07-21 11:01 ` Steffen Klassert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140721110143.GA3396@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=christophe.gouault@6wind.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).