Hi, When playing with IPsec I noticed that the Linux generic ODP implementation creates a separate OpenSSL crypto context for each crypto-operation as opposed to doing it at ODP crypto session creation. With IPsec this adds a lot of overhead for every packet processed and significantly reduces packet throughput.
I wonder what, if anything, should be done about it. I already almost sent a patch to create and initialize crypto contexts only once per session but realized that it is not that easy. Here are some alternatives that came to my mind, but all of them have their own problems: a) Create per-thread OpenSSL contexts at crypto session creation time. - Does not work with ODP threads that do not share their address space since OpenSSL is allocating memory through malloc() during context creation. b) Do a) plus provide OpenSSL a custom memory allocator on top of shared memory. - There is no generic heap allocator in ODP code base. c) Create per-thread contexts lazily when needed. - Creation would work as it would happen in the right thread but there would be no way to delete the contexts. The thread destroying the ODP crypto session cannot delete the per-thread contexts that might reside in a different address spaces. That thread could ask every other thread to do the per-thread cleanup, except that there is no mechanism for that without application assistance or big changes in the generic ODP code. d) Create a limited-size cache of per-thread contexts. - This would allow postponing the deletion of each context either to the point the cache slot needs to be reused or all the way to ODP termination, both occuring in the right thread. But this is getting complicated and sizing the cache is nasty. Any thoughts? Janne