From: Terry Lambert
Reply-To: tlambert2@mindspring.com
Date: Tue, 23 Oct 2001 23:26:57 -0700
To: Shoichi Sakane
Cc: hackers@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: IPSEC sucking up memory

Shoichi Sakane wrote:
> > While investigating a problem, I noticed that the IPSEC code
> > is initializing the sp -- even when no one is using IPSEC.
> >
> > It turns out that this really, really bloats the per-socket
> > memory requirements, with the only real result being a lot
> > of extra processing that could be replaced by a pointer-is-
> > not-NULL check.
> >
> > It seems to me that this could be handled in the TCP, UDP,
> > and IP userreq code by only initializing the thing in the
> > case that a policy has been set.  Is there some reason why
> > this can't be done?
>
> The IPsec specification requires consulting the SPD for all packets
> in order to handle the packet.  It is defined in RFC2401.
> If a pointer to the entry of the SPD is NULL, it means the security
> policy is not defined, so the kernel consults the system-wide default.
> It never means there is nothing to do.

So you are saying that I could establish a global default, and
make the sp pointer NULL, and have that mean "use the global
default", instead of copying identical policies all over the
place, right?

I think this would be the best approach, and it would get me all
of the redundant "deep copy" memory back in the default case.

-- Terry
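The scheme the two of them converge on (a NULL per-socket sp pointer meaning "consult the system-wide default", with explicit policies shared by reference instead of deep-copied) as an added illustration; this is a hypothetical model written for this page, not code from the thread, KAME or FreeBSD, and the structure and function names are assumptions.

```c
#include <stddef.h>

/* Hypothetical model of per-socket IPsec policy pointers; not the KAME/FreeBSD code. */
enum sp_action { SP_DISCARD, SP_BYPASS, SP_PROTECT };
enum sp_dir    { DIR_IN = 0, DIR_OUT = 1 };

struct secpolicy {
    enum sp_action action;
    int refcnt;   /* explicit policies are shared by reference, never deep-copied */
};

/* System-wide default SPD entries (constructed sample: bypass in both directions). */
static struct secpolicy default_sp[2] = { { SP_BYPASS, 1 }, { SP_BYPASS, 1 } };

/* Per-socket state: sp[dir] stays NULL unless a policy was explicitly set. */
struct sock_ipsec {
    struct secpolicy *sp[2];
};

/* Administrator changes the system-wide default for one direction. */
void ipsec_set_default(enum sp_dir dir, enum sp_action action)
{
    default_sp[dir].action = action;
}

/* The lookup every packet goes through: a NULL per-socket pointer falls back to
 * the system default, so "no policy on this socket" never means "nothing to do". */
const struct secpolicy *ipsec_lookup(const struct sock_ipsec *s, enum sp_dir dir)
{
    return s->sp[dir] ? s->sp[dir] : &default_sp[dir];
}

/* What happens to a packet on this socket in this direction. */
enum sp_action ipsec_decide(const struct sock_ipsec *s, enum sp_dir dir)
{
    return ipsec_lookup(s, dir)->action;
}

/* Attach an explicit policy by reference (or detach it with sp == NULL);
 * the socket only ever holds a pointer, not a private copy. */
void ipsec_set_policy(struct sock_ipsec *s, enum sp_dir dir, struct secpolicy *sp)
{
    if (s->sp[dir])
        s->sp[dir]->refcnt--;
    if (sp)
        sp->refcnt++;
    s->sp[dir] = sp;
}
```

Because sockets without a policy hold no copy, a later change to the system default is seen by them immediately, while sockets with an explicit policy keep their own.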