Hi,
When playing with IPsec I noticed that the Linux generic
ODP implementation creates a separate OpenSSL crypto context
for each crypto-operation as opposed to doing it at ODP
crypto session creation. With IPsec this adds a lot of
overhead for every packet processed and significantly
reduces packet throughput.
I wonder what, if anything, should be done about it.
I already almost sent a patch to create and initialize
crypto contexts only once per session but realized that
it is not that easy.
Here are some alternatives that came to my mind, but all
of them have their own problems:
a) Create per-thread OpenSSL contexts at crypto session
creation time.
- Does not work with ODP threads that do not share
their address space since OpenSSL is allocating
memory through malloc() during context creation.
b) Do a) plus provide OpenSSL a custom memory allocator
on top of shared memory.
- There is no generic heap allocator in ODP code base.
c) Create per-thread contexts lazily when needed.
- Creation would work as it would happen in the right
thread but there would be no way to delete the
contexts. The thread destroying the ODP crypto
session cannot delete the per-thread contexts that
might reside in a different address spaces. That
thread could ask every other thread to do the
per-thread cleanup, except that there is no mechanism
for that without application assistance or big
changes in the generic ODP code.
d) Create a limited-size cache of per-thread contexts.
- This would allow postponing the deletion of each
context either to the point the cache slot needs
to be reused or all the way to ODP termination,
both occuring in the right thread. But this is
getting complicated and sizing the cache is nasty.
Any thoughts?
Janne
