On Sat, 4 Jun 2005 09:46:23 +1000
Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi:
>
> I was looking at how we can move the IPsec input/output processing out
> of the critical section protected by the spin locks on the xfrm_state.
> This is useful because it would allow concurrent processing of IPsec
> packets for the same SA. It is also necessary if we're ever going to
> add support for asynchronous crypto to IPsec.
Asynchronous schemas already works without any changes to scaterlist
processing code. And you can not easily move away of SA lock due to
synchronous problems with the same tfm.
Existing asynchronous schemas do not use any shared object in SA,
only skb.
> The first requirement for this is that we need to stop using data that
> is shared across a single SA in the IPsec input/output routines. The
> biggest hurdle there as it stands is sgbuf in esp_data. This was
> introduced to reduce stack usage in esp_input/esp_output as sgbuf
> would consume up to 64 bytes of space.
No need to have it at all, I think.
> Cheers,
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> -
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Evgeniy Polyakov
Only failure makes us experts. -- Theo de Raadt
|