Date: Tue, 18 Nov 2008 13:15:23 +0200 From: "Riaan Kruger" <riaank@gmail.com> To: "=?ISO-8859-1?Q?Patrick_Lamaizi=E8re?=" <patfbsd@davenulle.org> Cc: freebsd-questions@freebsd.org Subject: Re: IPsec's use of processors Message-ID: <85c4b1850811180315l2ab11d00l24e2f4c628aaa5ef@mail.gmail.com> In-Reply-To: <20081115141505.029273ca@baby-jane-lamaiziere-net.local> References: <85c4b1850811140337n75321b0ao24a1361b076002c5@mail.gmail.com> <20081115141505.029273ca@baby-jane-lamaiziere-net.local>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Nov 15, 2008 at 3:15 PM, Patrick Lamaizi=E8re <patfbsd@davenulle.org>wrote: > Le Fri, 14 Nov 2008 13:37:58 +0200, > "Riaan Kruger" <riaank@gmail.com> a =E9crit : > > > I would like to know how IPsec makes use of a multi processor machine? > > > > I have gateway (FreeBSD 7.0) with four SAs configured. When testing > > throughput through the configured SAs, I see (with systat) that only > > one cpu works really hard (+-10% idle min), two others work a bit > > (+-70% idle min) and the fourth CPU does pretty much nothing. > > > > Is this normal, shouldn't at least the two cpus work hard because of > > the high throughput? > > I guess that's because the cryptographic requests are dispatched > and done by two kernel threads. The thread 'crypto' dispatches and > processes the requests, the thread 'crypto-returns' returns the results. > > You can see these kernel threads with top S H > > Regards. > Thanx for your reply. So there is one thread to dispatch the crypto operations to the crypto providers and another to get the return. Also if i am using software crypt= o providers, as supplied per default on FreeBSD, there will be effectively on= e thread that does the actual symmetric crypto operations. I think this is s= o because the actual crypto operations in cryptosoft are synchronous and will complete and then return. With hardware crypto providers the crypto thread will pass the operation to the device and return letting the driver of the device call back when it is done. If my above assesment is correct then using the software crypto providers will result in only 1 CPU effectively being used for symmetric encryption. Regards
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?85c4b1850811180315l2ab11d00l24e2f4c628aaa5ef>