[Openswan dev] IPComp

James Morris jmorris at redhat.com
Tue Jul 6 19:50:44 CEST 2004


On Wed, 7 Jul 2004, Herbert Xu wrote:

> With most KMs the SAs are renegotiated periodically.  So as time
> goes on memory fragmentation will eventually cause this to fail.
> You also to consider IPsec gateways where there are hundreds or
> thousands of SAs.
> 
> Maybe we can use a vmalloc instead? That seems to be what the
> deflate module does.

I think it would be better to go with your original idea of allocating a
scratch buffer for each packet, based on the size of the packet.  IPComp
is very slow path, and allocating 64k for each SA is optimizing for an
uncommon worst case in a way which will potentially eat up a lot of memory
(e.g. > 6MB for 100 tunnels).


- James
-- 
James Morris
<jmorris at redhat.com>




More information about the Dev mailing list