Hi,

If by "try to simultaneously establish a large number of SA" you mean 
requesting the SA Init exchanges as a batch of commands without waiting for 
each individual exchange to complete, then this is very likely the cause. 
Normally you should wait for one exchange to complete before issuing another 
one, as there is no provided thread safety in the IKEv2 responder/initiator.

Regards,
Radu

From: Foucher Berenger [mailto:berenger.fouc...@stagiaires.ssi.gouv.fr]
Sent: Friday, July 13, 2018 9:09 AM
To: vpp-dev@lists.fd.io; Nicolau, Radu <radu.nico...@intel.com>
Subject: Threading issue in IKEv2 implementation


Hi,

I am evaluating the robustness of IKEv2 implementation in VPP. I try to 
simultaneously establish a large number of SA between a VPP initiator and a VPP 
responder, and it turns out that a thread error occurs on the responder before 
I can reach a few hundred established SA. This issue occurs only when 
interactive mode is disabled.

The error I obtain is the following:

vlib_worker_thread_barrier_sync_int: worker thread deadlock

The configuration for the initiator is the following:
set ikev2 local key ./Gateway-1.local.key.pem
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file  ./Client-1.local.pem
ikev2 profile set pr1 id local  fqdn Gateway-1.local
ikev2 profile set pr1 id remote fqdn Client-1.local
ikev2 profile set pr1 traffic-selector local ip-range 10.1.1.0 - 10.1.1.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 10.1.2.0 - 10.1.2.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet5/0/0 192.168.101.2
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256  ike-integ-alg sha1-96 ike-dh modp-3072
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256  esp-integ-alg sha1-96  esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0

ikev2 initiate sa-init pr1

The configuration for the responder is the following:

set ikev2 local key  ./Client-1.local.key.pem
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file  ./Gateway-1.local.pem
ikev2 profile set pr1 id remote  fqdn Gateway-1.local
ikev2 profile set pr1 id local fqdn Client-1.local
ikev2 profile set pr1 traffic-selector remote ip-range 10.1.1.0 - 10.1.1.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 10.1.2.0 - 10.1.2.255 port-range 0 - 65535 protocol 0

Is there a way to solve this issue?

Thanks,

Berenger
