I agree with Neale.
I looked at the ike plugin and we seem to always manipulate SA under the worker 
barrier, which should guarantee no workers are active. If not, we need to fix 
the bug in ike.
You mentioned you rewrote the ike plugin; which changes did you make?

Best
ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns
> Sent: Tuesday, November 22, 2022 22:28
> To: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] There is bug in esp decrypt
> 
> 
> 
> An SA is in-use if it is referred to by a policy. Remove it from the policy
> and no more traffic will use it. If you’re doing that with the workers
> running, then wait one worker loop before deleting the SA.
> 
> 
> 
> /neale
> 
> 
> 
> 
> 
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of jiangxiaoming
> via lists.fd.io <jiangxiaoming=outlook....@lists.fd.io>
> Date: Monday, 21 November 2022 at 12:30
> To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] There is bug in esp decrypt
> 
> Hi neale,
>     Currently there is only one way of detecting whether the SA is in use:
> by checking the SA counter. But if the ike times out and is rekeying the SA
> which was first used by ipsec4-input-feature, the SA may have been deleted in
> the esp_encrypt node.
> I rewrote the ike plugin; in my test case, there are 10k ike sessions with
> 20k SAs in the ipsec layer, and the ike timeout is 30s and the SA rekey
> timeout is 10s. The esp_encrypt node crashed frequently.
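
The deletion order described in the thread (unlink the SA from the policy, let every worker finish one loop, then delete), as an added example that is not part of the original messages and is not VPP code. All types and function names are hypothetical, and the workers are simulated in a single thread so the ordering is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define N_WORKERS 2

/* Hypothetical stand-ins for illustration; these are not VPP's structures. */
typedef struct { uint32_t spi; } sa_t;
typedef struct { sa_t *sa; } policy_t;                 /* policy -> SA reference */
typedef struct { uint64_t loops; sa_t *in_flight; } worker_t;
typedef struct { sa_t *sa; uint64_t seen[N_WORKERS]; } retire_t;

static worker_t workers[N_WORKERS];

/* A worker loop, split in two so a deletion can land in the middle of it. */
static void worker_begin_loop(int w, const policy_t *p) { workers[w].in_flight = p->sa; }
static void worker_end_loop(int w) { workers[w].in_flight = NULL; workers[w].loops++; }

/* Step 1: unlink the SA from the policy and snapshot every worker's loop count. */
static retire_t sa_retire(policy_t *p) {
  retire_t r = { .sa = p->sa };
  p->sa = NULL;                       /* no new packet can pick this SA up */
  for (int w = 0; w < N_WORKERS; w++) r.seen[w] = workers[w].loops;
  return r;
}

/* Step 2: free only once every worker has finished a loop since the unlink. */
static bool sa_try_free(retire_t *r) {
  for (int w = 0; w < N_WORKERS; w++)
    if (workers[w].loops == r->seen[w]) return false;   /* may still hold the pointer */
  free(r->sa);
  r->sa = NULL;
  return true;
}

/* Constructed scenario: worker 0 is mid-loop with the SA when it is retired. */
static int demo(void) {
  policy_t pol = { .sa = calloc(1, sizeof(sa_t)) };
  worker_begin_loop(0, &pol);
  retire_t r = sa_retire(&pol);
  if (sa_try_free(&r)) return 1;      /* would be a use-after-free for worker 0 */
  worker_end_loop(0);
  if (sa_try_free(&r)) return 2;      /* worker 1 has not completed a loop yet */
  worker_begin_loop(1, &pol);         /* sees NULL: SA already unlinked */
  if (workers[1].in_flight != NULL) return 3;
  worker_end_loop(1);
  return sa_try_free(&r) ? 0 : 4;     /* now safe to delete */
}

int main(void) { printf("demo -> %d\n", demo()); return 0; }
```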
