Hi,

On 28.04.2017 16:57, Peltonen, Janne (Nokia - FI/Espoo) wrote:
> Hi,
>
> I believe the current API is complete in the sense that all necessary
> things can be done safely. Maybe ODP could provide an easier-to-use
> API but if the application and the API give fewer guarantees to the
> ODP implementation (e.g. regarding when SA disable call or similar may
> happen), then the ODP implementation has to do more, possibly costing
> some performance.
>
> There are many ways an application might do its own IPsec related
> synchronization. Reference counting the application level SAs is one way
> (and used in the OFP draft code) but I do not think it is the only way.
> Epoch based synchronization mechanism could also be used for some of the
> things and some applications might just simply stop traffic for a while
> when they are reconfiguring IPsec.
>
> Anyway, here is one way to handle concurrency with the current ODP IPsec
> API in api-next when SA deletion must happen without stopping traffic
> at all.

Yes, you are 100% correct in saying that it is possible to handle concurrency wrt SA creation and deletion. I just asked if we would like to expose internal reference counting to be used by the application. Well, I have received the answer that we wouldn't.

Anyway, thank you for your great review of possible cases. I'll keep it in mind.

--
With best wishes
Dmitry