Dan,

> I want to keep this thread on crossbow for now, in case it's something not
> already in place.
>
> The recent processor affinity thread got me thinking again. A given NIC
> can scatter its inbound traffic to one or more CPUs, and crossbow makes
> this even more configurable (per the dladm(1M) changes).
>
> Beyond that, will inbound traffic scatter across multiple CPUs? Consider a
> node that has multiple inbound IPsec SAs. Each inbound SA will have one or
> more individual flows inside it, AND if all of them hammer one CPU their
> high-overhead decrypt/verify operations cannot be shared among multiple CPUs.

Yes, you can scatter this across multiple CPUs. Again using dladm/flowadm, you will be able to specify a '-C' option for the CPU list, which can apply to either a VNIC or a flow. The way it works is that after classification, the upcall function is a fanout function which takes as an argument a set of soft rings with their own worker thread bound to CPUs specified via the '-C' option. I don't think we have code to do optimal fanout based on SA but that should be easy to do.

> Does crossbow improve this situation? Or are we already there w.r.t.
> sharing inbound load?

More interesting would be setting up a flow/VNIC and a CPU list to deal with encrypted traffic but feed it back to the classifier after decryption, so that policies based on IP address, ports etc. can still be honoured and decryption can be done on a separate set of CPUs altogether. With N2 crypto offload engines, it would be an interesting combination.

Cheers,
Sunay

--
Sunay Tripathi
Distinguished Engineer
Solaris Core Operating System
Sun Microsystems Inc.

Solaris Networking: http://www.opensolaris.org/os/community/networking
Project Crossbow: http://www.opensolaris.org/os/project/crossbow
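
The reply above says there is no code yet for fanout based on SA. The sketch below is an added example, not part of the original message and not Crossbow code: it picks a soft ring by hashing the SPI of an inbound IPv4 ESP or AH packet, so one SA stays on one ring while different SAs spread across rings. The function names, the hash and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { PROTO_ESP = 50, PROTO_AH = 51 };    /* IP protocol numbers */

static uint32_t be32(const uint8_t *p)     /* read a big-endian 32-bit word */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Get the SPI of an IPv4 ESP/AH packet; -1 if not IPsec, truncated,
 * or a non-first fragment (which carries no IPsec header). */
int ipsec_spi(const uint8_t *pkt, size_t len, uint32_t *spi)
{
    if (len < 20 || pkt[0] >> 4 != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || ((pkt[6] << 8 | pkt[7]) & 0x1fff))
        return -1;
    if (pkt[9] == PROTO_ESP)
        *spi = be32(pkt + ihl);            /* ESP: SPI is the first word */
    else if (pkt[9] == PROTO_AH)
        *spi = be32(pkt + ihl + 4);        /* AH: SPI is the second word */
    else
        return -1;
    return 0;
}

/* Soft ring index for a packet. All packets of one SA land on the same
 * ring, so they reach the anti-replay check in arrival order. */
unsigned sa_fanout(const uint8_t *pkt, size_t len, unsigned nrings)
{
    uint32_t spi;
    if (nrings == 0 || ipsec_spi(pkt, len, &spi) != 0)
        return 0;                          /* non-IPsec: default ring 0 */
    return ((spi * 2654435761u) >> 16) % nrings;   /* multiplicative hash */
}

/* Constructed sample: minimal IPv4 header, then SPI and sequence number. */
unsigned sample_ring(uint8_t proto, uint32_t spi, uint32_t seq, unsigned nrings)
{
    uint8_t buf[32] = { 0x45 };            /* version 4, IHL 5, rest zero */
    size_t off = proto == PROTO_AH ? 24 : 20;
    buf[9] = proto;
    for (int i = 0; i < 4; i++) {
        buf[off + i] = (uint8_t)(spi >> (24 - 8 * i));
        buf[off + 4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    }
    return sa_fanout(buf, sizeof buf, nrings);
}
```

Hashing only the cleartext SPI keeps the decision cheap enough to make before decryption; the inner flows of each SA are invisible at this point, which is why the message suggests feeding decrypted traffic back to the classifier.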
