linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Wolfgang Walter <linux@stwm.de>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, fw@strlen.de,
	steffen.klassert@secunet.com, linux-kernel@vger.kernel.org,
	torvalds@linux-foundation.org, christophe.gouault@6wind.com,
	gregkh@linuxfoundation.org
Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels
Date: Fri, 26 Oct 2018 14:18:58 +0200	[thread overview]
Message-ID: <3245883.cYmPfsiBkz@stwm.de> (raw)
In-Reply-To: <20181025.103450.1966639999117342457.davem@davemloft.net>

Am Donnerstag, 25. Oktober 2018, 10:34:50 schrieb David Miller:
> From: Wolfgang Walter <linux@stwm.de>
> Date: Thu, 25 Oct 2018 11:38:19 +0200
> 
> > there is now a new 4.19 which still has the big performance regression
> > when
> > many ipsec tunnels are configured (throughput and latency get worse by 10
> > to 50 times) which makes any kernel > 4.9 unusable for our routers.
> > 
> > I still don't understand why a revert of the flow cache removal at least
> > for the longterm kernels is that a bad option (maybe as a compile time
> > option), especially as there is no workaround available.
> 
> You do know that the flow cache is DDoS targettable, right?
> 
> That's why we removed it, we did not make the change lightly.

Though this is true, we now have simply a permanent DDoS situation. The 
removal of the flow cache leads to the situation so that with enough ipsec-
tunnels you are now always as bad as you would have been prior under a DDoS 
attack.

This is not comparable to the routing cache situation where a fast, well 
tested solution already existed (for routes in a table; if you use a lot of 
rules for policy routing this may be a different story).

Futher I don't think that the DoS is that a strong argument for the removal of 
the routing cache if the routing performance would have dropped 10 times and 
more.

Also, the routing cache was even a problem with legitimate traffic, so I never 
had a problem with the moderate performance regression it caused here.

> 
> Adding a DDoS vector back into the kernel is not an option sorry.

All kernels >= 4.14 are in our use case as bad as if they were under attack. 
They are completely unusable and I even can't 

> 
> Please work diligently with Florian and others to try and find ways to
> soften the performance hit.
> 

I proposed to revert this for the longterm kernels and I only depending on a 
compile time option which explicitely had to be switched on. Then we could 
start using 4.19. People not using ipsec or who use it only with < 100 rules 
would still live without flow cache.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts

  parent reply	other threads:[~2018-10-26 12:19 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-13 11:30 Wolfgang Walter
2018-09-13 13:58 ` Florian Westphal
2018-09-13 15:46   ` Wolfgang Walter
2018-09-13 16:38     ` Florian Westphal
2018-09-13 17:23       ` David Miller
2018-09-13 21:03         ` Florian Westphal
2018-09-13 21:12           ` David Miller
2018-09-14  5:06           ` Steffen Klassert
2018-09-14  5:54             ` Florian Westphal
2018-09-14  6:01               ` Steffen Klassert
2018-09-14  8:01                 ` Christophe Gouault
2018-09-14 11:49               ` Wolfgang Walter
2018-10-02 14:45               ` Wolfgang Walter
2018-10-02 14:56                 ` Florian Westphal
2018-10-02 17:34                   ` Wolfgang Walter
2018-10-02 21:35                     ` Florian Westphal
2018-10-04 13:57                       ` Wolfgang Walter
2018-10-25  9:38                         ` Wolfgang Walter
2018-10-25 17:34                           ` David Miller
2018-10-25 19:24                             ` Florian Westphal
2018-10-26 12:18                             ` Wolfgang Walter [this message]
2018-10-25 22:45                           ` Florian Westphal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3245883.cYmPfsiBkz@stwm.de \
    --to=linux@stwm.de \
    --cc=christophe.gouault@6wind.com \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=torvalds@linux-foundation.org \
    --subject='Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).