From owner-freebsd-questions@FreeBSD.ORG Tue Nov 18 11:15:25 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0DDD31065673 for ; Tue, 18 Nov 2008 11:15:25 +0000 (UTC) (envelope-from riaank@gmail.com) Received: from fk-out-0910.google.com (fk-out-0910.google.com [209.85.128.186]) by mx1.freebsd.org (Postfix) with ESMTP id 874EF8FC14 for ; Tue, 18 Nov 2008 11:15:24 +0000 (UTC) (envelope-from riaank@gmail.com) Received: by fk-out-0910.google.com with SMTP id k31so3471762fkk.11 for ; Tue, 18 Nov 2008 03:15:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=56AUDfeAMyv6Y1sz/Buq22g9GetCEiou48Q47ss1rUs=; b=ghTP8ERKc0iC+uvVBDVKm0exfj3baox5inn8CGuh3rSpeBIUHzE8TyxNqvqzmIVjtS 9JWPnoTZHCqq860UAfx2hKbGawu0dU6wuGUWDh8s5xJag+bSlQqjo+HMrfqMYujwx7qO QfIh4TuAz8d+q1tWCMsXLRM2QjEW0MvRhlTaI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=U+f6+l9hgQb2Zs1LJ6TyL8Rsz6rDQj87IQSg4X2OQ7asSd1y7pgzJ0+vTjWdTKDump 6hamzdZf6uTVNklDfpO5Ow8HWF0bvBeBupB1tn1qaVoX9DvE/aMME0n9uOvYEG6IWd6N U6f7N/wEdPzMsApFFjggiIw6TYYzeZUqp05/I= Received: by 10.187.198.8 with SMTP id a8mr644220faq.4.1227006923378; Tue, 18 Nov 2008 03:15:23 -0800 (PST) Received: by 10.187.221.16 with HTTP; Tue, 18 Nov 2008 03:15:23 -0800 (PST) Message-ID: <85c4b1850811180315l2ab11d00l24e2f4c628aaa5ef@mail.gmail.com> Date: Tue, 18 Nov 2008 13:15:23 +0200 From: "Riaan Kruger" To: "=?ISO-8859-1?Q?Patrick_Lamaizi=E8re?=" In-Reply-To: <20081115141505.029273ca@baby-jane-lamaiziere-net.local> MIME-Version: 1.0 References: <85c4b1850811140337n75321b0ao24a1361b076002c5@mail.gmail.com> <20081115141505.029273ca@baby-jane-lamaiziere-net.local> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-questions@freebsd.org Subject: Re: IPsec's use of processors X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2008 11:15:25 -0000 On Sat, Nov 15, 2008 at 3:15 PM, Patrick Lamaizi=E8re wrote: > Le Fri, 14 Nov 2008 13:37:58 +0200, > "Riaan Kruger" a =E9crit : > > > I would like to know how IPsec makes use of a multi processor machine? > > > > I have gateway (FreeBSD 7.0) with four SAs configured. When testing > > throughput through the configured SAs, I see (with systat) that only > > one cpu works really hard (+-10% idle min), two others work a bit > > (+-70% idle min) and the fourth CPU does pretty much nothing. > > > > Is this normal, shouldn't at least the two cpus work hard because of > > the high throughput? > > I guess that's because the cryptographic requests are dispatched > and done by two kernel threads. The thread 'crypto' dispatches and > processes the requests, the thread 'crypto-returns' returns the results. > > You can see these kernel threads with top S H > > Regards. > Thanx for your reply. So there is one thread to dispatch the crypto operations to the crypto providers and another to get the return. Also if i am using software crypt= o providers, as supplied per default on FreeBSD, there will be effectively on= e thread that does the actual symmetric crypto operations. I think this is s= o because the actual crypto operations in cryptosoft are synchronous and will complete and then return. With hardware crypto providers the crypto thread will pass the operation to the device and return letting the driver of the device call back when it is done. If my above assesment is correct then using the software crypto providers will result in only 1 CPU effectively being used for symmetric encryption. Regards