On 07.12.2012 16:27, Andrey V. Elsukov wrote:
Hi All,

We have discovered that ipfw(4) shows very low performance results with
our rules. One of the biggest problems is rules with the O_IP6_XXX_ME
opcode. They check whether or not a packet's addresses match locally
configured IPv6 addresses.

For IPv4 we have an in_ifaddr hash for a quick search of an address, but
not for IPv6. So, I have implemented the first patch based on the
code for IPv4, but there are several questions I want to discuss.

The patch is here:
        http://people.freebsd.org/~ae/in6_ifaddrhash.diff

1. The hash size. I made it the same as IPv4 has. But I think 512
buckets is too many.
While the same IPv6 configuration can have up to x2 addresses as in IPv4 (link-local addresses), 512 is really too much; maybe 64 or 128
would be better for the common use case?

2. What hash function is better to use?
We've got at least 3 (known to me) hashes in our kernel:
ng_netflow one, flowtable and in ipfw.

Can you provide some benchmarks and hashing effectiveness for some real-world data for those?

3. Using the whole 128 bit of address to hash seems like overkill.

There are people using IPv6 address space just as plain IPv4, e.g:

XX:YY:ZZ::1, XX:YY:ZZ::2, ... ::n, or even XX:YY:ZZ::A.B.C.D, so hashing upper 64 bits can lead to collisions.

Hashing lower 64 is more promising, but there can be other use cases, too.

Imho we can just test the performance of the hashing functions and see how big the difference is and whether it is worth talking about.


There is another problem: link-local addresses. They are all the same, (or there are some small number of different groups) so one (or more) bucket will always be filled by them.

This can result in
* some searches for global addresses being much slower
* IPv6 code accepting a packet to the link-local address of the other interface (RFC 4291 sec 2.5.6)

We can work around the first problem by adding global unicast to the list head, and link-local to the list tail, but this leaves us with the second one.

One of the possible solutions is to add the interface index as another parameter to the hash function, and use it IFF the address is site-local.
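
The bucket-distribution trade-offs raised in this message, as an added example that is not part of the original post or the linked patch. It uses FNV-1a as a stand-in hash (not one of the kernel hashes named above) over constructed addresses; `bucket`, `longest_chain` and the four modes are hypothetical names, and mixing in the interface index is applied here to link-local (fe80::/10) addresses as an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 128  /* one of the sizes floated in the thread */

enum mode { UPPER64, LOWER64, ALL128, LOWER64_IFIDX };

/* FNV-1a: a stand-in hash chosen for this example, not a kernel one. */
static uint32_t fnv1a(const uint8_t *p, size_t len, uint32_t h)
{
    while (len--) { h ^= *p++; h *= 16777619u; }
    return h;
}

static unsigned bucket(const uint8_t a[16], uint16_t ifidx, enum mode m)
{
    uint32_t h = 2166136261u;
    if (m == UPPER64 || m == ALL128) h = fnv1a(a, 8, h);
    if (m != UPPER64) h = fnv1a(a + 8, 8, h);
    /* Mix the interface index in only for link-local (fe80::/10). */
    if (m == LOWER64_IFIDX && a[0] == 0xfe && (a[1] & 0xc0) == 0x80)
        h = fnv1a((const uint8_t *)&ifidx, sizeof(ifidx), h);
    return h % NBUCKETS;
}

/* Constructed table: 2001:db8:0:1::1..n_global on ifindex 1, plus the
 * same fe80::1 on n_ll interfaces. Returns the longest bucket chain. */
unsigned longest_chain(enum mode m, unsigned n_global, unsigned n_ll)
{
    unsigned count[NBUCKETS] = {0}, max = 0, i, b;
    for (i = 1; i <= n_global + n_ll; i++) {
        uint8_t a[16] = {0};
        if (i <= n_global) {
            a[0] = 0x20; a[1] = 0x01; a[2] = 0x0d; a[3] = 0xb8; a[7] = 1;
            a[14] = (uint8_t)(i >> 8); a[15] = (uint8_t)i;
        } else { a[0] = 0xfe; a[1] = 0x80; a[15] = 1; }
        b = bucket(a, i <= n_global ? 1 : (uint16_t)(i - n_global), m);
        if (++count[b] > max) max = count[b];
    }
    return max;
}

int main(void)
{
    for (int m = UPPER64; m <= LOWER64_IFIDX; m++)
        printf("mode %d: longest chain %u\n", m, longest_chain((enum mode)m, 64, 32));
    return 0;
}
```

With sequentially numbered hosts in one /64, hashing the upper 64 bits puts every address in one chain, while an identical link-local address on many interfaces collapses into one chain under any address-only hash.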


