Date: Tue, 23 Oct 2001 23:26:57 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Shoichi Sakane <sakane@kame.net>
Cc: hackers@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: IPSEC sucking up memory
Message-ID: <3BD65F31.24768789@mindspring.com>
References: <3BBEC4F7.D15FF792@mindspring.com> <20011023130449I.sakane@kame.net>
Shoichi Sakane wrote:
> > While investigating a problem, I noticed that the IPSEC code
> > is initializing the sp -- even when no one is using IPSEC.
> >
> > It turns out that this really, really bloats the per-socket
> > memory requirements, with the only real result being a lot
> > of extra processing that could be replaced by a pointer-is-
> > not-NULL check.
> >
> > It seems to me that this could be handled in the TCP, UDP,
> > and IP userreq code by only initializing the thing in the
> > case that a policy has been set. Is there some reason why
> > this can't be done?
>
> The IPsec specification requires consulting the SPD for all packets
> in order to handle the packet; this is defined in RFC 2401.
> If a pointer to the entry of the SPD is NULL, it means the security
> policy is not defined, so the kernel consults the system-wide default.
> It never means there is nothing to do.

So you are saying that I could establish a global default, and make
the sp pointer NULL, and have that mean "use the global default",
instead of copying identical policies all over the place, right?

I think this would be the best approach, and it would get me all of
the redundant "deep copy" memory back in the default case.

-- Terry
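The scheme agreed on above (a NULL per-socket policy pointer meaning "consult the system-wide default", with an allocation only for sockets that actually set a policy) sketched in C. This is an added example, not FreeBSD or KAME code; the names secpolicy, sock_pcb, default_sp and the pcb_* functions are hypothetical stand-ins for the kernel structures the thread discusses.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a security policy entry (not KAME's secpolicy). */
enum { POLICY_NONE = 0, POLICY_DISCARD, POLICY_IPSEC };

struct secpolicy {
    int policy;   /* what to do with packets on this socket */
    int refcnt;   /* sockets currently holding this policy */
};

/* System-wide default, consulted whenever a socket carries no policy of its own. */
static struct secpolicy default_sp = { POLICY_NONE, 1 };

/* Minimal stand-in for the per-socket protocol control block. */
struct sock_pcb {
    struct secpolicy *sp;   /* NULL = no socket-specific policy was ever set */
};

/* Heap-allocated policies alive right now: the per-socket cost the thread is about. */
static int live_policies = 0;

/* Socket creation: no deep copy of the default, just a NULL pointer. */
void pcb_init(struct sock_pcb *pcb) { pcb->sp = NULL; }

/* Packet-path lookup. Never returns NULL, because every packet must still be
 * checked against some policy (RFC 2401); NULL simply selects the default. */
const struct secpolicy *pcb_getpolicy(const struct sock_pcb *pcb)
{
    return pcb->sp != NULL ? pcb->sp : &default_sp;
}

/* Drop the socket's own policy and fall back to the default. */
void pcb_clearpolicy(struct sock_pcb *pcb)
{
    if (pcb->sp != NULL && --pcb->sp->refcnt == 0) {
        free(pcb->sp);
        live_policies--;
    }
    pcb->sp = NULL;
}

/* Only a socket that explicitly sets a policy pays for an allocation. */
int pcb_setpolicy(struct sock_pcb *pcb, int policy)
{
    struct secpolicy *sp = malloc(sizeof(*sp));
    if (sp == NULL) return -1;
    sp->policy = policy; sp->refcnt = 1;
    pcb_clearpolicy(pcb);      /* release any previous socket-specific policy */
    pcb->sp = sp;
    live_policies++;
    return 0;
}

int pcb_live_policies(void) { return live_policies; }
```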