Hi Tero,

> In your discussion you were talking about cases where one device has
> hundreds of CPUs and the other has few. The only case where such
> configurations would be useful is when one has lots of really low
> powered CPUs and the other one has a few very fast ones. My understanding is
> that this is not really happening. Usually the one that has more CPUs
> has CPUs which are about the same speed as the one having fewer
> CPUs.
>
> There is no point in one having for example 10 fast CPUs sending
> traffic over 10 Child SAs, when the receiving end only has two CPUs
> which are about the same as the other end's CPUs. The receiving end will
> not be able to keep up with the traffic it is getting in, thus it will
> drop packets as it can't decrypt them fast enough.

I'm not so sure. Consider the situation when one host has a single HSM
which is optimized for high-performance crypto operations,
while the other is a general purpose server with several tens of CPUs.
In this situation the HSM beats any CPU in performance, so if the
HSM can handle several SAs, it's beneficial to create as many SAs as
it can handle and distribute those SAs over CPUs on the other peer.

> Talking about locking and such things is a bit distracting, as you can do
> lots of things without locking depending on the data structures and who
> writes them and so on. This goes so low level that I am not sure it is
> that beneficial to talk about them here.

Agree.

> Also I think it is just better to create all Child SAs at the
> beginning, i.e., no point in doing that much per-CPU acquiring etc. I
> mean you have some way of distributing packets going out to CPUs
> before that, and if that is round robin then you will create all per-CPU
> SAs very quickly, and if that is something else (like this TCP
> stream is locked to this CPU), then you mostly keep using only that
> one CPU (in which case per-CPU acquire will be useful), but all of
> this depends so much on the implementation we are not talking about
> here that I think that should be left to implementations to decide.
>
> If we use per-CPU acquiring then the other end might need to create
> Child SAs too, just in case the one initiating the connection only
> sent out one packet and created one SA, and then the other end would
> like to have 8 SAs for its 8 CPUs, but only one was created, so would
> it now create the 7 missing ones, or wait for the other end to create them
> etc.

I think it's OK if the other side creates the missing 7 SAs.

Regards,
Valery.

> --
> kivi...@iki.fi
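The two points argued above (how fast per-CPU Child SAs get created under round-robin versus flow-pinned packet distribution, and the case where the responder ends up with 7 of its 8 CPUs lacking an SA) can be made concrete with a small model. The following is an added illustration, not code from this thread or from any IKE/IPsec implementation; the SA table, the "acquire" hook and the two CPU-selection policies are constructed assumptions that stand in for what a real kernel would do.

```python
"""Toy model of per-CPU Child SA selection on the sending side.

Constructed example: a "fallback" Child SA that always exists, plus
per-CPU Child SAs that are created lazily the first time a CPU needs
one (an "acquire"). We compare round-robin and flow-pinned
packet-to-CPU distribution to see how quickly per-CPU SAs appear.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FALLBACK = None  # key of the SA that is not bound to any particular CPU


@dataclass
class SaTable:
    ncpus: int
    sas: Dict[Optional[int], int] = field(default_factory=dict)  # cpu (or FALLBACK) -> SPI
    acquires: List[int] = field(default_factory=list)  # CPUs that asked for an SA, in order
    next_spi: int = 0x1000  # constructed SPI allocator, not a real SPI assignment

    def __post_init__(self) -> None:
        # The fallback SA is negotiated up front, before any traffic flows.
        self.sas[FALLBACK] = self._new_spi()

    def _new_spi(self) -> int:
        spi = self.next_spi
        self.next_spi += 1
        return spi

    def select(self, cpu: int) -> int:
        """Return the SPI to use for a packet handled on `cpu`.

        Assumed policy: if this CPU has no SA yet, record an acquire and
        install one immediately (as if IKE had already completed), but
        send *this* packet on the fallback SA so it is not held back.
        """
        if cpu in self.sas:
            return self.sas[cpu]
        self.acquires.append(cpu)
        self.sas[cpu] = self._new_spi()
        return self.sas[FALLBACK]

    def missing_cpus(self) -> List[int]:
        """CPUs that still have no per-CPU SA (the 'missing 7' situation)."""
        return [c for c in range(self.ncpus) if c not in self.sas]


def round_robin_cpu(pkt_index: int, ncpus: int) -> int:
    return pkt_index % ncpus


def flow_pinned_cpu(flow_id: str, ncpus: int) -> int:
    # Deterministic flow -> CPU hash, standing in for a stack that keeps
    # one TCP stream on one CPU.
    digest = hashlib.sha256(flow_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % ncpus


def simulate(ncpus: int, packets: List[str], policy: str) -> dict:
    """Push `packets` (a list of flow ids) through the sender and report
    how many per-CPU SAs were created, how many packets rode the
    fallback SA, and after how many packets every CPU had its own SA."""
    table = SaTable(ncpus)
    fallback_used = 0
    full_after = None
    for i, flow in enumerate(packets):
        cpu = round_robin_cpu(i, ncpus) if policy == "rr" else flow_pinned_cpu(flow, ncpus)
        if table.select(cpu) == table.sas[FALLBACK]:
            fallback_used += 1
        if full_after is None and len(table.acquires) == ncpus:
            full_after = i + 1
    return {
        "per_cpu_sas": len(table.sas) - 1,
        "packets_on_fallback": fallback_used,
        "all_cpus_covered_after": full_after,
    }


def responder_gap(ncpus: int, sas_created_by_peer: int) -> List[int]:
    """Responder view: the peer only created `sas_created_by_peer` per-CPU
    SAs; return the CPUs the responder would still have to acquire for."""
    table = SaTable(ncpus)
    for cpu in range(sas_created_by_peer):
        table.select(cpu)
    return table.missing_cpus()


if __name__ == "__main__":
    print("round robin:", simulate(8, ["flow-%d" % i for i in range(100)], "rr"))
    print("pinned     :", simulate(8, ["tcp-1"] * 100, "pinned"))
    print("responder missing:", responder_gap(8, 1))
```

With round-robin dispatch the 8 per-CPU SAs exist after the first 8 packets and only those 8 packets use the fallback SA; with one pinned stream only one per-CPU SA is ever created, which is exactly why per-CPU acquire matters in that case. The responder helper shows the 7 CPUs left without an SA when the initiator created only one.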

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec