From: Tom Herbert Subject: Re: ipsec impact on performance Date: Wed, 2 Dec 2015 13:44:20 -0800 Message-ID: References: <20151201175953.GC21252@oracle.com> <20151201183720.GE21252@oracle.com> <063D6719AE5E284EB5DD2968C1650D6D1CBE0ED7@AcuExch.aculab.com> <20151202121156.GK23178@oracle.com> <063D6719AE5E284EB5DD2968C1650D6D1CBE0F39@AcuExch.aculab.com> <20151202205028.GB15262@oracle.com> <20151202211201.GD15262@oracle.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Cc: David Laight , Linux Kernel Network Developers , "linux-crypto@vger.kernel.org" , Rick Jones To: Sowmini Varadhan Return-path: In-Reply-To: <20151202211201.GD15262@oracle.com> Sender: netdev-owner@vger.kernel.org List-Id: linux-crypto.vger.kernel.org On Wed, Dec 2, 2015 at 1:12 PM, Sowmini Varadhan wrote: > On (12/02/15 13:07), Tom Herbert wrote: >> That's easy enough to add to flow dissector, but is SPI really >> intended to be used an L4 entropy value? We would need to consider the > > yes. To quote https://en.wikipedia.org/wiki/Security_Parameter_Index > "This works like port numbers in TCP and UDP connections. What it means > is that there could be different SAs used to provide security to one > connection. An SA could therefore act as a set of rules." > >> effects of running multiple TCP connections over an IPsec. Also, you >> might want to try IPv6, the flow label should provide a good L4 hash >> for RPS/RFS, it would be interesting to see what the effects are with >> IPsec processing. (ESP/UDP could also if RSS/ECMP is critical) > > IPv6 would be an interesting academic exercise, but it's going > to be a while before we get RDS-TCP to go over IPv6. > Huh? Who said anything about RDS-TCP? I thought you were trying to improve IPsec performance...