Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.os.linux.development.system > #458

Re: xfrm spi hash

Show key headers only | View raw

Rainer Weikusat <rweikusat@mssgmbh.com> writes:

[64K pointers hash table]

> Assuming the PRNG the kernel uses to generate the SPI is 'good' in
> the sense that a sequences of SPIs is statistically
> indistinguishable from a random sequence, the only effect of these
> calculations ought to be to transform a random set of bits into a
> different, equally random set of bits with no specific relation to
> any of the other input values whatsoever. I'm therefore very much
> tempted to drop all of it and just use the SPI as hash value.

Just using the lower sixteen bit of the SPI as hash value lead to a
'good enough' result I didn't really like. With the help some 'evil
inside knowledge' about the SPI numbers which are actually generated
by Linux and by the clients connecting to these VPN servers (Apple
'i'-devices or Android-based somethings), I arrived at the following
calculation:

(spi ^ ((spi & 0xffff0000) >> 12)) % 65536

For the presently largest installation, where 0 - 1732 new phase2 SAs
are created per 5 minutes interval (average 452.75, std. dev 230.34,
median 412), this results between 0 and 1.54% collisions during this
time (avg 0.25%, std dev 0.27%, median 0.21%).

Back to comp.os.linux.development.system | Previous | Next — Previous in thread | Find similar

Thread

xfrm spi hash Rainer Weikusat <rweikusat@mssgmbh.com> - 2012-07-29 20:23 +0100
  Re: xfrm spi hash Rainer Weikusat <rweikusat@mssgmbh.com> - 2012-08-12 22:17 +0100

csiph-web