Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp69417imd; Fri, 26 Oct 2018 05:19:40 -0700 (PDT) X-Google-Smtp-Source: AJdET5ewmnHmd2wcz4srDu9ZkZfG+K87WtcsaAk9uCvnRZ+E6BroB1uWsJD5nXIkXZe8l2fhXMlA X-Received: by 2002:a63:c0f:: with SMTP id b15-v6mr3315007pgl.400.1540556380931; Fri, 26 Oct 2018 05:19:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540556380; cv=none; d=google.com; s=arc-20160816; b=mP+3t0mVaKaYZHhXSSwMUXt6jldwBjvYJwg8NUABF1ymHsTI+Pw+362KZJcxtyb3Go UyW06ko5MSSt57RyrNZgnGC568cCinTRh15G/Tvrkmc22gxpKyN4a4FvpYGm2sMjmt+O jrlguZe+EW2qLyojxF6fGU3sdz/frFtA3mIw09qKBmg8mlv2FcjjoEzD1qNru5EyvaQa IAVY+oJLjFVFUyz5jNnUGKrJB27pSyedEdK/QfP5JGJKrTh3+PDaBEZvSqSWanXx4ezd 7WHTfU8G9fnMqQJaChpCOjpS88ns45zfAE59IrgqWaV3oYgi3nZq5ErV6lD9cv2mUmpR KNTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:user-agent:message-id:date:subject:cc:to :from; bh=XBfUp8H7V02bpLfKh9noZ2GbhxQQQ+15Pwr8av13Wlg=; b=tnk0CafUCddjewUFNBvZy2sKszwL6oOyow+/0SNkeJC9GLawvnu7o9g0V9dqMAHFBv Kyqu3S94/skjZ7u9h0h5Q4jTdHqPegqtJSimTsEHO6deBh1MSm6CSnC7bbkghGFUFtV+ 38yABIrle+oauGF2nY35tHxU/Dzb4IsSOGYdCt31iDkED2Ed10MV55FtS89pAzEC/4Ws cHVjDPT4LetCrC1/5mOktUlO0UqMlc2uwDvUkJ8i3yN7rKVs8Crk/5yg4gQ3kEAabYMf 9AQSfx9A8Zl/WofdTsepzIZWf6hKrraqn4DUVV6txdY2pm2nH+ES73AA2b8WWv8Gm6SI i+3g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id go3si10556829plb.266.2018.10.26.05.19.24; Fri, 26 Oct 2018 05:19:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727639AbeJZUzy convert rfc822-to-8bit (ORCPT + 99 others); Fri, 26 Oct 2018 16:55:54 -0400 Received: from dresden.studentenwerk.mhn.de ([141.84.225.229]:37610 "EHLO email.studentenwerk.mhn.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727507AbeJZUzy (ORCPT ); Fri, 26 Oct 2018 16:55:54 -0400 Received: from mailhub.studentenwerk.mhn.de (mailhub.studentenwerk.mhn.de [127.0.0.1]) by email.studentenwerk.mhn.de (Postfix) with ESMTP id 42hNMR0HJgzMkw4; Fri, 26 Oct 2018 14:18:59 +0200 (CEST) From: Wolfgang Walter To: David Miller Cc: netdev@vger.kernel.org, fw@strlen.de, steffen.klassert@secunet.com, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, christophe.gouault@6wind.com, gregkh@linuxfoundation.org Subject: Re: Regression: kernel 4.14 an later very slow with many ipsec tunnels Date: Fri, 26 Oct 2018 14:18:58 +0200 Message-ID: <3245883.cYmPfsiBkz@stwm.de> User-Agent: KMail/4.14.3 (Linux/4.18.12-041812-generic; KDE/4.14.13; x86_64; ; ) In-Reply-To: <20181025.103450.1966639999117342457.davem@davemloft.net> References: <20181002213536.sgjansduqenps2md@breakpoint.cc> <2766296.15tpkxTHJV@stwm.de> <20181025.103450.1966639999117342457.davem@davemloft.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8BIT Content-Type: text/plain; charset="iso-8859-1" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Donnerstag, 25. Oktober 2018, 10:34:50 schrieb David Miller: > From: Wolfgang Walter > Date: Thu, 25 Oct 2018 11:38:19 +0200 > > > there is now a new 4.19 which still has the big performance regression > > when > > many ipsec tunnels are configured (throughput and latency get worse by 10 > > to 50 times) which makes any kernel > 4.9 unusable for our routers. > > > > I still don't understand why a revert of the flow cache removal at least > > for the longterm kernels is that a bad option (maybe as a compile time > > option), especially as there is no workaround available. > > You do know that the flow cache is DDoS targettable, right? > > That's why we removed it, we did not make the change lightly. Though this is true, we now have simply a permanent DDoS situation. The removal of the flow cache leads to the situation so that with enough ipsec- tunnels you are now always as bad as you would have been prior under a DDoS attack. This is not comparable to the routing cache situation where a fast, well tested solution already existed (for routes in a table; if you use a lot of rules for policy routing this may be a different story). Futher I don't think that the DoS is that a strong argument for the removal of the routing cache if the routing performance would have dropped 10 times and more. Also, the routing cache was even a problem with legitimate traffic, so I never had a problem with the moderate performance regression it caused here. > > Adding a DDoS vector back into the kernel is not an option sorry. All kernels >= 4.14 are in our use case as bad as if they were under attack. They are completely unusable and I even can't > > Please work diligently with Florian and others to try and find ways to > soften the performance hit. > I proposed to revert this for the longterm kernels and I only depending on a compile time option which explicitely had to be switched on. Then we could start using 4.19. People not using ipsec or who use it only with < 100 rules would still live without flow cache. Regards, -- Wolfgang Walter Studentenwerk M?nchen Anstalt des ?ffentlichen Rechts