Pre-release of Version 2.1.8

Alan DeKok aland at deployingradius.com
Tue Dec 8 15:43:14 CET 2009


Garber, Neal wrote:
>> This limit is around 8K packets in 2.1.x, and will be 64K packets in
>> 2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
>> it goes down, all 8k "slots" will be used.
> 
> I'm not sure if this is feasible and/or easy to implement, but I thought I'd ask..  As a suggestion, can there be a separate pool for each home server?  It seems like increasing the limit of a shared pool just lengthens the time before the same problem can occur.  If each home server had a separate pool, then one home server could not affect the others, regardless of the size of the pool.

  Yes and no.  Let me explain in more detail.

  In 2.1.x, there are a limited number of UDP sockets that can be used
for proxied traffic.  This number is limited to 32, in src/lib/packet.c,
macro MAX_SOCKETS.

  Due to the "unconnected" nature of UDP, each socket can be used to
send packets to *multiple* home servers at the same time.  So this means
that the limitation isn't really 32 sockets *total*, but (semantically)
32 sockets for every home server.

  Due to RADIUS limitations, it can only have 256 packets outstanding
for any combination of (src/dst IP/port).  So each socket can send 256
packets to every home server.

  Since there are 32 sockets and 256 packets/s, a proxy can handle 8192
packets sent to *each* home server.  If you have 13 home servers, then
the proxy can send 13*8192 = ~100K packets.

  Packets are added to the "outstanding" list when proxied, and removed
a short time after a response is received from the home server.  If no
response is received from the home server, the packets are removed 30s
after they were received.

  Once a packet has been removed from the "outstanding" list, its place
can be used by a new packet that is proxied using the same socket/id to
the same home server.

  To answer your question: Yes, there is a separate pool for each home
server.  However, they share a global set of sockets.

  The *intent* is for the pools to not affect each other.  i.e. "filling
up" all 8K slots for one home server should have no effect on other home
servers.

  Alan DeKok.
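
Added example, not part of the original message and not FreeRADIUS code: a small model of the slot accounting described above (32 sockets, 256 outstanding packets per socket per home server, 30s removal of unanswered packets), showing the 16s exhaustion at 500 packets/s and that a second home server's table is unaffected. The type and function names are hypothetical, and releasing a slot immediately on response is a simplification of "a short time after".

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOCKETS    32   /* 2.1.x limit quoted in the message */
#define IDS_PER_SOCKET 256  /* outstanding packets per (src/dst IP/port) */
#define TIMEOUT_SECS   30   /* unanswered packets are removed after 30s */

/* Hypothetical model: each home server has its own (socket, id) table.
 * A cell holds the time at which the slot becomes reusable (0 = free). */
typedef struct { long free_at[MAX_SOCKETS][IDS_PER_SOCKET]; } home_server;

/* Take a slot at time `now`. Returns socket*256+id, or -1 if all are in use. */
int slot_alloc(home_server *hs, long now) {
    for (int s = 0; s < MAX_SOCKETS; s++)
        for (int id = 0; id < IDS_PER_SOCKET; id++)
            if (hs->free_at[s][id] <= now) {      /* free, or timed out */
                hs->free_at[s][id] = now + TIMEOUT_SECS;
                return s * IDS_PER_SOCKET + id;
            }
    return -1;
}

/* A response arrived: the slot can be reused (simplified: immediately). */
void slot_release(home_server *hs, int slot) {
    hs->free_at[slot / IDS_PER_SOCKET][slot % IDS_PER_SOCKET] = 0;
}

/* Proxy `rate` packets/s to a home server that never answers; return the
 * second (counted from 0) in which the first packet finds no free slot. */
long seconds_until_full(home_server *hs, int rate) {
    if (rate <= 0) return -1;                     /* never fills */
    memset(hs, 0, sizeof(*hs));
    for (long t = 0; ; t++)
        for (int i = 0; i < rate; i++)
            if (slot_alloc(hs, t) < 0)
                return t;
}

int main(void) {
    static home_server dead, live;                /* static: zero-initialised */
    long t = seconds_until_full(&dead, 500);
    printf("dead home server: no free slot in second %ld\n", t);
    /* The live server's table is untouched by the dead one's exhaustion. */
    int slot = slot_alloc(&live, t);
    printf("live home server still gets slot %d\n", slot);
    slot_release(&live, slot);
    /* 30s after the first packets were proxied, their slots free up again. */
    printf("dead home server at t=30: slot %d\n", slot_alloc(&dead, TIMEOUT_SECS));
    return 0;
}
```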


