diff options
author | Piotr Bronowski <piotrx.bronowski@intel.com> | 2022-05-10 09:08:47 +0000 |
---|---|---|
committer | Fan Zhang <roy.fan.zhang@intel.com> | 2022-06-28 15:04:08 +0000 |
commit | d699a347c02c1b0c3825b7a97800cf6a467abea7 (patch) | |
tree | b5b57bd6fd05a5585392c6fc27283e86b82ebab7 /src/vnet/unix | |
parent | 815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (diff) |
ipsec: introduce spd fast path types
This patch introdcues basic types supporting fast path lookup.
Fast path performs policy matching with use of hash lookup
(particularly bihash tries has been used for that purpose). Fast path
lookup addresses situation where huge number of policies is created
(~100k or more). In such scenario adding/removing a policy
and policy matching is not efficient and poorly scales (for example
adding 500k policies takes a few hours. Also lookup time
increases significantly). With fast path adding and matching up to
1M flows scales up linearly (adding 1M of policies takes about 150s
on the test machine vs many hours in case of original implementation,
also matching time is significantly improved). Fast path will not
deal well with a huge number of policies that are spanning large
ip/port ranges. Large range will be masked out almost entirely leaving
only a few bits for calculating the hash key. Such keys will tend to
gather much more policies than other keys and hash will match most of
the packets anihilating advantages of hashing. Having said that
we also think that it is not the real life scenario.
Type: feature
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I600dae5111a37768ed4b23aa18426e66bbf7b529
Diffstat (limited to 'src/vnet/unix')
0 files changed, 0 insertions, 0 deletions