summaryrefslogtreecommitdiffstats
path: root/src/vnet/unix
diff options
context:
space:
mode:
authorPiotr Bronowski <piotrx.bronowski@intel.com>2022-05-10 09:08:47 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-06-28 15:04:08 +0000
commitd699a347c02c1b0c3825b7a97800cf6a467abea7 (patch)
treeb5b57bd6fd05a5585392c6fc27283e86b82ebab7 /src/vnet/unix
parent815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (diff)
ipsec: introduce spd fast path types
This patch introdcues basic types supporting fast path lookup. Fast path performs policy matching with use of hash lookup (particularly bihash tries has been used for that purpose). Fast path lookup addresses situation where huge number of policies is created (~100k or more). In such scenario adding/removing a policy and policy matching is not efficient and poorly scales (for example adding 500k policies takes a few hours. Also lookup time increases significantly). With fast path adding and matching up to 1M flows scales up linearly (adding 1M of policies takes about 150s on the test machine vs many hours in case of original implementation, also matching time is significantly improved). Fast path will not deal well with a huge number of policies that are spanning large ip/port ranges. Large range will be masked out almost entirely leaving only a few bits for calculating the hash key. Such keys will tend to gather much more policies than other keys and hash will match most of the packets anihilating advantages of hashing. Having said that we also think that it is not the real life scenario. Type: feature Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I600dae5111a37768ed4b23aa18426e66bbf7b529
Diffstat (limited to 'src/vnet/unix')
0 files changed, 0 insertions, 0 deletions