Page MenuHomeFreeBSD

Reduce overhead of IPSEC for traffic generated from host
ClosedPublic

Authored by eri on Jul 3 2015, 7:14 AM.
Referenced Files
Unknown Object (File)
Wed, Nov 6, 8:16 AM
Unknown Object (File)
Sep 12 2024, 2:01 AM
Unknown Object (File)
Sep 12 2024, 2:01 AM
Unknown Object (File)
Sep 8 2024, 11:44 PM
Unknown Object (File)
Sep 8 2024, 8:05 AM
Unknown Object (File)
Sep 8 2024, 6:54 AM
Unknown Object (File)
Sep 7 2024, 12:23 PM
Unknown Object (File)
Sep 1 2024, 7:36 PM
Subscribers

Details

Summary

When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths
for checking security policies but first checks if there is any security policy active at all.

The patch introduces the same optimization but for traffic generated from the host itself.
This reduces the overhead by 50% on my tests for generated host traffic without and SP active.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

eri retitled this revision from to Reduce overhead of IPSEC for traffic generated from host.
eri updated this object.
eri edited the test plan for this revision. (Show Details)
eri added reviewers: ae, gnn.
eri set the repository for this revision to rS FreeBSD src repository - subversion.
eri added a project: network.
eri added a subscriber: network.

I think it is acceptable as a workaround of the real problem.
Currently we have initialized INPCB security policy for each PCB, when IPSEC is compiled in. And this is cause of overhead for locally generated traffic. It will be better to initialize inpcbpolicy only when application has configured it. And by default it should be NULL. So, this check can be replaced with if (pcbsp == NULL). This also simplifies the migration to the enabled IPSEC in GENERIC kernel. I have WIP in this area, but currently I'm busy with other tasks.

Yes, you are right that this is a workaround.

Also, i am not totally convinced that the SP needs to reside on the PCB at all.
If the code does not reside in PCB all the infrastructure put in protocol specific code is not required at all, maybe TCP-MD5 will just need special handling.
I have looked and am not sure where the requirement of the SP per socket/application comes from.... but for sure that is something to be looked in more general scope.

As I see, this code currently is used only by IKE daemons to skip IPSEC processing for packets from IKE.
It seems possible for some application to configure security policies for its packets to require IPSEC protection. But I didn't seen any applications that use this feature.

Yes application can put some SPDs.
The PCB is used as a cache for better performance but really not much gain there since it complicates the code and scenarios needed to be considered.
For me the link can be broken and everything treated as in the forwarding path!

I will see to prepare such diff and post it here.

So ae@ do you approve this diff to push it?

ae edited edge metadata.
This revision is now accepted and ready to land.Jul 3 2015, 1:01 PM
gnn edited edge metadata.

This will do for now. We may want to revisit how we make this decision later but this should clear the path to IPSEC in GENERIC.

This revision was automatically updated to reflect the committed changes.