Bug #12335
openIPsec DNS inefficiency
0%
Description
Various aspects of configuring IPsec are inefficiently using DNS. There is a lot of room for improvement here.
For example: At the end of rc.bootup
, it calls ipsec_configure()
and then filter_configure()
, but ipsec_configure()
already calls filter_configure()
at the start, so unless there is a difference before/after I'm not seeing why it should be called both places. Both ipsec_configure()
and filter_configure()
end up trying to resolve all the remote FQDNs in IPsec so at the end of the boot process it's trying at least 3x (maybe more) to resolve these FQDNs. If DNS is unavailable, that will lead to massive slowdown.
It may make sense to use a very limited DNS cache to consolidate this for short-term usage, for example, start a cache in ipsec_configure()
which shares it with the filter_configure()
it calls, so that it doesn't need to re-resolve the same hostnames multiple times in these contexts.
Additionally, look at all calls of ipsec_get_phase1_dst()
such as when configuring VTI interfaces, configuring IPsec, on status_ipsec.php
, in the widget, etc -- We should do a DNS availability check to avoid every call of that function being forced to wait on DNS to timeout over and over.
ipsec_get_phase1_dst()
now calls resolve_retry()
which defaults to 10x attempts, we should change this to a function parameter so that different timing (e.g. at boot) can use less retries vs later. It's more common for DNS to be unavailable at boot for various reasons.
Marking for the next version since this needs more research and planning than we have time for at the moment.
Related issues
Updated by Jim Pingle over 3 years ago
- Related to Bug #12328: IPsec VTI interface remote endpoint is not resolved the correct way added
Updated by Viktor Gurov about 3 years ago
Jim Pingle wrote:
Additionally, look at all calls of
ipsec_get_phase1_dst()
such as when configuring VTI interfaces, configuring IPsec, onstatus_ipsec.php
, in the widget, etc -- We should do a DNS availability check to avoid every call of that function being forced to wait on DNS to timeout over and over.
see check_dnsavailable()
: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/system.inc#L2732
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 22.01 to 22.05
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.05 to 22.09
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.09 to 22.11
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 23.01 to 23.05
Bump this forward again, not enough spare cycles this release to dig into it.
Updated by Jim Pingle over 1 year ago
- Plus Target Version changed from 23.05 to 23.09
Updated by Jim Pingle over 1 year ago
- Plus Target Version changed from 23.09 to 24.01
Updated by Jim Pingle about 1 year ago
- Plus Target Version changed from 24.01 to 24.03
Updated by Jim Pingle about 1 year ago
- Related to Bug #14893: Large number of IPsec tunnels causes long filter reload times added
Updated by Jim Pingle 9 months ago
- Plus Target Version changed from 24.03 to 24.07
Updated by Jim Pingle 7 months ago
- Plus Target Version changed from 24.07 to 24.08
Updated by Jim Pingle 2 months ago
- Assignee deleted (
Jim Pingle) - Plus Target Version changed from 24.08 to 24.11
Updated by Jim Pingle 2 months ago
- Plus Target Version changed from 24.11 to 25.01
Updated by Jim Pingle 2 days ago
- Plus Target Version changed from 25.01 to 25.03