From owner-freebsd-security Sat Aug 24 0: 7: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4757237B400 for ; Sat, 24 Aug 2002 00:06:59 -0700 (PDT) Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id D216843E75 for ; Sat, 24 Aug 2002 00:06:58 -0700 (PDT) (envelope-from nielsen@memberwebs.com) From: "Nielsen" To: "Sam Leffler (at Usenix)" , "Ju Ichi" , References: <200208231624.14487.freebsd-security@ichi.net> <006101c24aff$cce8cd00$52557f42@errno.com> Subject: Re: IPSec SPD limit? MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020824070827.0770A43B742@mail.npubs.com> Date: Sat, 24 Aug 2002 07:08:27 +0000 (GMT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What I did here was pipe the values in batches through 'setkey -c'. It seems like the limit is much higher in the kernel than you can set in one shot. Nate Nielsen ----- Original Message ----- From: "Sam Leffler (at Usenix)" To: "Ju Ichi" ; Sent: Friday, August 23, 2002 17:54 Subject: Re: IPSec SPD limit? > > We are trying to setup a large IPSec SPD (in excess of 1000 SAs) on the > > following hardware/software config: > > > > Compaq DL360 with dual 1.4GHz processsors > > 2GB RAM > > 4GB swap space > > > > 4.6.1-RELEASE-p11 > > racoon-20020507a > > > > We get a "send: No buffer space available" when trying to read in the > > /etc/ipsec.conf file if it has more than about 1000 entries. Also, if we > do > > a setkey -DP after trying to read in /etc/ipsec.conf we get > > "recv: Resource temporarily unavailable" after it lists some of the SAs. > > > > Several kernel tweaks have been tried. For example, we have tried setting > > MAXUSERS from 0 to 1024 on bit boundaries (0, 128, 256, 512, and 1024). > > FWIW, setting it to 1024 seems to be evil. ;-) We have also tried > various > > settings in the kernel config file on NMBCLUSTERS, NMBUFS, NBUF, MAXDSIZ, > > MAXSSIZ, DFLDSIZ, and MAXFILES. In addition, we have tweaked > > kern.ipc.somaxconn, net.inet.tcp.sendspace, net.inet.tcp.recvspace, > > net.inet.udp.recvspace, and net.inet.udp.maxdgram after reading some > > performance tuning web pages. I can provide additional details as needed, > > but didn't want to make this initial request too long. > > > > Does anyone know of any limits on the number of entries the SPD can hold > and > > if so how to make the limits higher? > > > > setkey -DP returns the SA's via a PF_KEY socket. You're hitting the upper > bound on the amount of data that can be stored in a socket of this type as > all the data is returned en masse (i.e. the process isn't given an > opportunity to read data). PF_KEY sockets inherit the send+recv space > reserves of raw sockets: > > ebb# gdb -k /kernel /dev/mem > ... > (kgdb) p raw_sendspace > $1 = 8192 > (kgdb) p raw_recvspace > $2 = 8192 > > You can either work around this by upping these values or patch the PF_KEY > code to set the reserves on the socket explicitly (and provide sysctl's a la > udp+tcp to control the upper bounds). > > Sam > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message