Tweaks for high-bandwidth tinc
Guus Sliepen
guus at tinc-vpn.org
Sat Nov 13 00:18:51 CET 2010
On Fri, Nov 12, 2010 at 12:43:41PM -0600, Brandon Black wrote:
> >> I've been using tinc to do some high bandwidth VPNs [...]
> >
> > How high is the bandwidth exactly?
>
> The scenario is pretty extreme, 100-250Mbps bandwidth spread over
> ~45-60K long-lived TCP sessions.
That is indeed an extreme scenario.
> IFF_ONE_QUEUE:
>
> I'm still up in the air as to the utility of this flag. I made a
> patch to make it an experimental configuration parameter in tinc.conf,
> and enabling it actually seemed to make matters worse in our
> particular scenario. Reading source code and comments around the net
> (re: other VPN solutions that use TUN), it seems like most people
> think it's beneficial though, and possibly even enable it by default.
> It's probably best left as a experimental config setting defaulting to
> off (current behavior) for now until someone really digs into this
> issue deeper though. I can't claim to really understand what's going
> on here.
Looking at the tun driver code, it seems setting this flag will bypass the
normal network packet queueing on the tun device. This makes sense in a way;
the packets will already have been queued on a real network device.
> SO_SNDBUF/SO_RCVBUF for the UDP socket:
>
> I haven't actually bothered patching this in yet (because I have a
> sysctl workaround for now, it's less urgent to me), but they're
> obviously a good idea and I can add them in any patches I send up.
Sure.
> Packet sequence (/loss/replay/etc) issues:
>
> I made a patch that made the late-packet bitmap size configurable, and
> increasing it (first to 512 packets, then to 2048) did do wonders for
> us. If you've only got a handful of TCP connections flowing through a
> tunnel, given that TCP can only handle out-of-order to small degree
> (via SACK, etc), packets outside the default 128 range would be
> useless anyways. However, if you've got many thousands, it's easy for
> say 1000 packets to go through the tunnel without any two of them
> being from a single TCP session, which really changes the game and
> makes you want to save late/early packets well outside the default 128
> range in case of reordering.
Indeed. Perhaps it could be autotuned; the bitmap size should be approximately
(bandwidth * TCP retransmission timeout / packet size) to allow any reordering
of packets before they are retransmitted by the higher layers anyway.
But in the mean time, a configurable bitmap size is also welcome.
> Another thing we get hit with (thanks to the underlying network at
> Amazon under brutal conditions, I think) is isolated packets jumping
> the queue by a lot. E.g. in a given tunnel's sequence, we might see
> 1-2 packets suddenly arrive hundreds of seqnos ahead of the most
> recent seqno, but then they're immediately followed by all of the
> "missing" packets (many of which would then be dropped by tinc by
> default).
Aha. How often does that happen?
> So I also added a patch that makes tinc a little bit more
> resilient against this. When the first far-future packet arrives
> (outside the size of the late window), that packet is dropped and the
> sequence-tracking is unaffected.
[...]
> I eventually realized that this whole late-packet tracking thing is
> really all about replay security. Since I'm using tinc more to get
> around routing limitations than for security (I already disabled
> encryption and authentication too), for a scenario like mine the ideal
> solution is to simply pass all traffic and ignore the sequence numbers
> on the receiver side (and not even bother maintaining the late-packet
> bitmap). So I updated my earlier patch to allow the late-packet
> window to be set to zero, which disables the related code in the
> net_packet receiver (and again improved the situation for us in the
> real world).
Ok, that's probably the right thing to do in your scenario.
> I'm not sure how much of this you want upstream or how you want it
> broken up, but let me know,
I think all of this can be merged. Each feature in its own patch would be very
nice, the order is less important.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20101113/22bd089b/attachment.pgp>
More information about the tinc-devel
mailing list