Thanks a lot Paul, for the detailed response.<br>This helps a lot in clearing some doubts in my mind.<br><br>Regards,<br>Samba<br><br>------------------------------------------------------------------------------------------------------------------------------------<br>
<div class="gmail_quote">On Sun, Aug 28, 2011 at 10:36 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Wed, 24 Aug 2011, Samba wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Here are my questions/doubts regarding the scalability/performance of this setup:<br>
* First of all, we plan to use CentOS6, so will the kernel support for IPSec in CentOS6 sufficient to establish<br>
tunnels between machines or should I need to OpenSwan still?<br>
</blockquote>
<br></div>
openswan is part of centos. You have a choice of NETKEY kernel stack and KLIPS kernel stack.<br>
You can pick the default NETKEY stack, unless you have overlapping IPs on your connecting clients<br>
subnets (eg multiple <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> subnets or duplicate subnets behind a NAT router). Then you<br>
need to use KLIPS with SAref.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Can the IPSec software scale as much as we need to support creating a few thousand tunnels on the server machine<div class="im"><br>
with the above mentioned hardware configuration?<br>
</div></blockquote>
<br>
Yes.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* What will be the CPU and memory consumption when we make those many tunnels on the server machine?<br>
</blockquote>
<br>
Memory consumption is pretty low. CPU usage depends on amount of traffic, not the amount of tunnels.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* It is said that a web server scales many times for ordinary https requests than keep-alive https requests; wouldn't<div class="im"><br>
that same analogy apply here where having each application make a separate SSL request for a short period of time<br>
and closing the connection scale much better than having those many thousands of dedicated tunnels running live,<br>
although idly?<br>
</div></blockquote>
<br>
Yes, it should reduce the overhead of SSL/TLS. The IPsec SA lookup should be really fast per-packet.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* we would want the server system to also do some very essential stuff other than managing this tunnelling business,<div class="im"><br>
so can this design scale and perform reasonably?<br>
</div></blockquote>
<br>
I think so, but it depends on the other things you run and how much resources those take.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>