On 18.7.2021. 20:11, Alexander Bluhm wrote:
> On Sat, Jul 17, 2021 at 06:32:59PM +0200, Hrvoje Popovski wrote:
>> with this diff i'm getting very stable traffic over tunnel and it's
>> little faster.
>
> This is expected. Too much queueing creates oscillating behavior
> and suboptimal throughput.
>
>> Even with your last diff on tech@
>> https://marc.info/?l=openbsd-tech&m=162645141414262&w=2
>> i'm seeing traffic drops, less frequent, but i'm seeing it...
>
> There is another reason for traffic drops. iked(8) is not clever
> when rekeying. The idea is to have SAs with old key and new key
> simultaneously. After both machines have new SA, the old should
> be removed. But currently we have a window when sender uses new
> SA, but receiver only has old SA and cannot decrypt the packets.
> This is a temporary problem, I see drops for a short time. tobhe@
> wants to fix this.
>
> I think you use isakmpd(8), I don't know how rekeying works there.

Yes, I'm using isakmpd, but I can test iked and isakmpd, no problem ...

>> Do you want me to test this diff combined with your ipsec diff
>> on tech@ ?
>
> I have committed the replay diff. This fixes permanent packet drop.
> Do you see permanent traffic stalls with current?

With isakmpd yes, iked haven't tested, but i will now .. But with your
diff from bugs@ everything seems smooth and stable without drops and
panics even with isakmpd :)

> Temporary drops are still possible. The rekey problem is known.
> The crypto queuing problem is known. You could disable iked lifetime
> bytes rekeying and try my no crypto queue diff.
> Do you see traffic drops with that?
>
>> And this diff with parallel forwarding?
>
> Parallel forwarding still crashes with IPsec. We must commit fixes
> step by step until we get it stable. Of course you can try it, but
> currently I can reproduce problems myself.

Ok, great, now i will concentrate to test iked and isakmpd ..
