Groups | Search | Server Info | Login | Register
Groups > comp.os.linux.development.system > #458
| From | Rainer Weikusat <rweikusat@mssgmbh.com> |
|---|---|
| Newsgroups | comp.os.linux.development.system |
| Subject | Re: xfrm spi hash |
| Date | 2012-08-12 22:17 +0100 |
| Message-ID | <87628n7qtl.fsf@sapphire.mobileactivedefense.com> (permalink) |
| References | <87y5m25q36.fsf@sapphire.mobileactivedefense.com> |
Rainer Weikusat <rweikusat@mssgmbh.com> writes: [64K pointers hash table] > Assuming the PRNG the kernel uses to generate the SPI is 'good' in > the sense that a sequences of SPIs is statistically > indistinguishable from a random sequence, the only effect of these > calculations ought to be to transform a random set of bits into a > different, equally random set of bits with no specific relation to > any of the other input values whatsoever. I'm therefore very much > tempted to drop all of it and just use the SPI as hash value. Just using the lower sixteen bit of the SPI as hash value lead to a 'good enough' result I didn't really like. With the help some 'evil inside knowledge' about the SPI numbers which are actually generated by Linux and by the clients connecting to these VPN servers (Apple 'i'-devices or Android-based somethings), I arrived at the following calculation: (spi ^ ((spi & 0xffff0000) >> 12)) % 65536 For the presently largest installation, where 0 - 1732 new phase2 SAs are created per 5 minutes interval (average 452.75, std. dev 230.34, median 412), this results between 0 and 1.54% collisions during this time (avg 0.25%, std dev 0.27%, median 0.21%).
Back to comp.os.linux.development.system | Previous | Next — Previous in thread | Find similar
xfrm spi hash Rainer Weikusat <rweikusat@mssgmbh.com> - 2012-07-29 20:23 +0100 Re: xfrm spi hash Rainer Weikusat <rweikusat@mssgmbh.com> - 2012-08-12 22:17 +0100
csiph-web