2095645 – [RFE] Increase IPSec Tunnels for an IP

Bug 2095645 - [RFE] Increase IPSec Tunnels for an IP

Summary: [RFE] Increase IPSec Tunnels for an IP

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	7.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-06-10 06:02 UTC by Ravindra Patil
Modified:	2023-08-14 01:20 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-124945	0	None	None	None	2022-06-10 06:13:25 UTC

Description Ravindra Patil 2022-06-10 06:02:08 UTC

1. Proposed title of this feature request

Over RHEL 7.3, it is limiting us to create only 8,191 IPSec Tunnels for an IP. Each IPSec Tunnel needs two ports only, so ideally we are expecting around 32,000 IPSec Tunnels (which use 64,000 ports) to be created. We are seeing it as a limitation of Linux, we need your support to fix this bug.

2. Who is the customer behind the request?
Account: Lycamobile UK Ltd (5611287)

3. What is the nature and description of the request?
Request is to increase the existing limitation of number of IPSec tunnels for an IP. As of now only 8k tunnels are supported and we want to increase the IPSec tunnels to 32k
4. Why does the customer need this? (List the business requirements here)
We need to create 256,000 IPSec Tunnels in a server. As currently, 8,191 IPSec Tunnels only are supported per IP, we need around 32 IPs to serve these many IPSec Tunnels, which is cumbersome. If we are able to create 32,000 Tunnels per IP, then we need only 8 IPs to serve these many IPSec Tunnels.

5. How would the customer like to achieve this? (List the functional requirements here)
We see a parameter reqid #define IPSEC_MANUAL_REQID_MAX 0x3fff in the kernel header file /usr/include/linux/ipsec.h that limits the number of tunnel and if there is a way to increase this then number of tunnels can be increased. For this, we need input from your team.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Once 32k Tunnels are able to be created per IP, the requirement will be successful

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

8. Does the customer have any specific time-line dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
We need this at the earliest (in the next one month) and like to target for RHEL 7.3. If your R&D says, it can be achieved in a different version of RHEL, we want to hear such suggestions.

9. Is the sales team involved in this request and do they have any additional input?
No. Since this is a bug (we are not able to efficiently use an IP at it’s fullest capacity for 32k IPSec Tunnels)

10. List any affected packages or components.
libreswan

11. Would the customer be able to assist in testing this functionality if implemented?
Yes we will assist the testing functionality

Note You need to log in before you can comment on or make changes to this bug.