From: Sam Leffler
Date: Wed, 20 Aug 2003 08:53:49 -0700
To: freebsd-net@freebsd.org, freebsd-arch@freebsd.org
Subject: CFR: fast ipsec locking
Message-ID: <508312264.1061369629@melange.errno.com>

http://www.freebsd.org/~sam/fastipsec.patch

These changes add locking and clean up some of the infrastructure; e.g. to do better accounting of dynamically allocated data structures. Basic operation is well-tested but I haven't done extensive testing of the re-keying (e.g. with racoon).

There is one known performance bottleneck: the lock in the ipsecrequest structure is held for every outbound packet to guard against modification to the data structure. This looks to be fixable by redoing the SADB but won't happen for a while.

Note that with these changes much of fast ipsec runs Giant-free because the crypto code is already Giant-free. I did some performance measurements a while back with this code and a Giant-free em driver and got netperf results over a h/w-accelerated 3DES+SHA1 tunnel that were about the same as -stable.

Sam