[Swan] IPsec PFP support on linux

Sowmini Varadhan sowmini.varadhan at oracle.com
Wed May 3 17:47:59 UTC 2017


On (05/03/17 13:09), Paul Wouters wrote:
> Thanks for the link. So I think you are saying that different tenants
> are using a single TCP stream so you need to have different IPsec SA's
> for these? But what I don't understand is that if these are the same

No.

I am saying that if there are multiple TCP streams between the same
pair of IP addresses, we want each stream to get a different SPI.

For RDS-TCP, we have the concept of mprds:
 https://www.spinics.net/lists/netdev/msg381424.html
where I pointed out that a single tcp stream can only give me
4 Gbps, but 8 streams (with 8 different client ports, single server port)
can give me 32 Gbps.

Today, without PFP, IPsec leaves me at single-stream throughput,
even when I have 8 TCP connections going on.

> How does using different IPsec SA's per TCP stream get you anything?

See other mail about entropy. Everything that uses flow-based
parallelism (RSS at the host, ECMP at the switches) needs to be able to
spread flows across multiple paths, while making sure there is
no packet reordering within the flow.

Having as much granularity in the flow-id as possible is the key
to getting this to work well.

--Sowmini
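An added illustration of the entropy argument (example code, not part of the thread): it computes the Toeplitz hash that RSS uses over what a NIC can actually see per packet. With ESP the TCP ports are inside the encrypted payload, so the hash input is only (src, dst, SPI); eight streams on one SA therefore hash identically, while per-stream SAs restore the spread. Addresses, ports and SPIs are constructed; the key is the sample key from Microsoft's RSS verification document.

```python
"""Flow-hash entropy: cleartext TCP vs ESP with one SA vs ESP with per-stream SAs."""
import ipaddress
import struct

# Sample key from Microsoft's RSS hash verification document (any 40-byte key works).
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da3"
    "8030f20c6a42b73bbeac01fa"
)
NQUEUES = 8  # receive queues (or ECMP next-hops) that flows are spread across


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """Toeplitz hash as used by RSS: for every set input bit (MSB first),
    XOR in the 32-bit window of the key that starts at that bit position."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i, byte in enumerate(data):
        for b in range(8):
            if byte & (0x80 >> b):
                shift = key_bits - 32 - (i * 8 + b)
                result ^= (key_int >> shift) & 0xFFFFFFFF
    return result


def tcp_hash_input(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Cleartext TCP: the NIC hashes the full 4-tuple."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!HH", sport, dport))


def esp_hash_input(src: str, dst: str, spi: int) -> bytes:
    """ESP: the ports are encrypted, so only src, dst and SPI are hashable."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!I", spi))


def queue_spread(hashes) -> int:
    """Number of distinct queues hit when each hash is masked to NQUEUES."""
    return len({h & (NQUEUES - 1) for h in hashes})


def scenario_hashes(streams: int = 8):
    """Constructed: `streams` client ports to one server port between two hosts.
    Returns (cleartext, single_sa, per_stream_sa) hash lists."""
    src, dst, dport = "10.0.0.1", "10.0.0.2", 16385  # constructed values
    cleartext = [toeplitz_hash(tcp_hash_input(src, dst, 40000 + i, dport)) for i in range(streams)]
    single_sa = [toeplitz_hash(esp_hash_input(src, dst, 0x1000)) for _ in range(streams)]
    per_stream_sa = [toeplitz_hash(esp_hash_input(src, dst, 0x1000 + i)) for i in range(streams)]
    return cleartext, single_sa, per_stream_sa


if __name__ == "__main__":
    for name, hashes in zip(("cleartext", "single SA", "per-stream SA"), scenario_hashes()):
        print(f"{name:14s} distinct hashes={len(set(hashes))} queues hit={queue_spread(hashes)}")
```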
