[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: RFC: localcount_hadref() or localcount_trydarin()
On Mon, Jun 12, 2017 at 12:51:29PM +0000, Taylor R Campbell wrote:
> > Date: Mon, 12 Jun 2017 10:53:52 +0900
> > From: Kengo NAKAHARA <k-nakahara%iij.ad.jp@localhost>
> > I want to avoid detaching the encryption device while it is used by IPsec.
> > That is, once someone creates Security Assocatation(SA) to call
> > crypto_newsession(), the encryption device related the SA must not be
> > detached until the SA is flushed(done crypto_freesession()) and the SA
> > is not used(done crypto_dispatch() and cryptointr()).
> Why don't you just use a global reference count first? Is the latency
> and scalability of crypto_newsession and crypto_freesession critical?
For many workloads, it will be, yes. This pair of operations will occur:
* Once per SSL/TLS connection even if the connection is resumed,
which is tens of thousands of times per second on a busy server,
possibly even hundreds of thousands of times per second.
This assumes someone has an SSL/TLS library that can efficiently
use our kernel crypto, but there's at least one out there that I
know of. With modern instruction-based accelerators rather than
the DMA-and-interrupts style this probably matters less.
* Once per Phase 2 IPsec association -- potentially tens of
thousands per second in recovery from an outage -- this likely
matters more to most users of our opencrypto today.
Thor Lancelot Simon tls%panix.com@localhost
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart
Main Index |
Thread Index |