tech-kern archive


Re: RFC: localcount_hadref() or localcount_trydarin()



On Mon, Jun 12, 2017 at 12:51:29PM +0000, Taylor R Campbell wrote:
> > Date: Mon, 12 Jun 2017 10:53:52 +0900
> > From: Kengo NAKAHARA <k-nakahara%iij.ad.jp@localhost>
> > 
> > I want to avoid detaching the encryption device while it is used by IPsec.
> > That is, once someone creates a Security Association (SA) to call
> > crypto_newsession(), the encryption device related to the SA must not be
> > detached until the SA is flushed (done crypto_freesession()) and the SA
> > is not used (done crypto_dispatch() and cryptointr()).
> 
> Why don't you just use a global reference count first?  Is the latency
> and scalability of crypto_newsession and crypto_freesession critical?

For many workloads, it will be, yes.  This pair of operations will occur:

	* Once per SSL/TLS connection even if the connection is resumed,
	  which is tens of thousands of times per second on a busy server,
	  possibly even hundreds of thousands of times per second.

	  This assumes someone has an SSL/TLS library that can efficiently
	  use our kernel crypto, but there's at least one out there that I
	  know of.  With modern instruction-based accelerators rather than
	  the DMA-and-interrupts style this probably matters less.

	* Once per Phase 2 IPsec association -- potentially tens of
	  thousands per second in recovery from an outage -- this likely
	  matters more to most users of our opencrypto today.

-- 
  Thor Lancelot Simon	                                     tls%panix.com@localhost

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart

