Hi Emeric,

> I did not test using 1K or even 10K+ tunnels but the UDP based solution
> seems to be unable to provide the significant reliability needed for
> these cases.

I agree. For the setups I have used, a dedicated fast link was sufficient to keep packet drops at an acceptable level. But that could certainly be very different on other setups, especially as the number of connections increases.

> I understand switching to a TCP based sync would require significant
> work but it seems to be quite unavoidable.

Yes, HA definitely should have a reliable transport for sync messages. I'm not sure if TCP is the correct choice. At least for the heartbeat messages, we need controllable timeouts, which is difficult to implement with TCP. So we would either have to separate heartbeat and synchronization functionality, or extend the UDP based protocol with message throttling and/or acknowledgements/retransmissions. The latter could be achieved by extending the ha_cache class that already stores some messages for re-synchronization.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
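The second option Martin sketches (keeping UDP but adding acknowledgements and retransmissions for sync messages while the heartbeat keeps its own timer) looks roughly like the following. This is an added illustration, not code from strongSwan's ha plugin or from the thread; the class names, the sample payload strings and the timing values are all constructed for the example.

```python
"""Ack/retransmit layer for HA sync messages over an unreliable datagram
transport, with the heartbeat kept on a separate, tunable timer.
Constructed model for illustration; not strongSwan's ha_cache."""
from dataclasses import dataclass, field


@dataclass
class SyncSender:
    rto: float                 # retransmission timeout in seconds
    max_tries: int = 5         # give up (declare peer lost) after this many sends
    next_seq: int = 1
    unacked: dict = field(default_factory=dict)  # seq -> (payload, last_tx, tries)

    def send(self, payload, now):
        """Number the message and cache it until the peer acknowledges it."""
        seq = self.next_seq
        self.next_seq += 1
        self.unacked[seq] = (payload, now, 1)
        return seq, payload

    def ack(self, seq):
        """Peer confirmed receipt; the cached copy is no longer needed."""
        self.unacked.pop(seq, None)

    def due(self, now):
        """Return (seq, payload) for every cached message whose RTO expired,
        in sequence order, and count the retry; raise once retries run out."""
        out = []
        for seq, (payload, last_tx, tries) in sorted(self.unacked.items()):
            if now - last_tx >= self.rto:
                if tries >= self.max_tries:
                    raise ConnectionError(f"sync seq {seq} undelivered after {tries} tries")
                self.unacked[seq] = (payload, now, tries + 1)
                out.append((seq, payload))
        return out


@dataclass
class SyncReceiver:
    expected: int = 1
    state: list = field(default_factory=list)  # applied sync payloads, in order

    def receive(self, seq, payload):
        """Apply in-order messages, ignore duplicates, report gaps so the
        sender can resend. Returns ('ack', seq), ('dup', seq) or ('gap', seq)."""
        if seq < self.expected:
            return ("dup", seq)            # retransmit of an already applied message
        if seq > self.expected:
            return ("gap", self.expected)  # a datagram was lost; resend from here
        self.state.append(payload)
        self.expected += 1
        return ("ack", seq)


def heartbeat_lost(last_rx, now, interval, missed_allowed):
    """Heartbeat timeout is a plain timer, independent of the sync stream."""
    return now - last_rx > interval * missed_allowed
```

A receiver's `gap` report and the sender's `due()` list are the two triggers for retransmission; everything else is the ordinary flow of cached messages being dropped as acknowledgements arrive.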
