On (05/03/17 13:09), Paul Wouters wrote:
> Thanks for the link. So I think you are saying that different tenants
> are using a single TCP stream so you need to have different IPsec SA's
> for these? But what I don't understand is that if these are the same

No. I am saying that if there are multiple TCP streams between the same
pair of IP addresses, we want each stream to get a different SPI.

For RDS-TCP, we have the concept of mprds:
https://www.spinics.net/lists/netdev/msg381424.html
where I pointed out that a single TCP stream can only give me 4 Gbps,
but 8 streams (with 8 different client ports, single server port) can
give me 32 Gbps. Today, without PFP, IPsec leaves me at single-stream
throughput, even when I have 8 TCP connections going on.

> How does using different IPsec SA's per TCP stream get you anything?

See other mail about entropy. Everything that uses flow-based
parallelism (RSS at the host, ECMP at the switches) needs to be able to
spread flows across multiple paths, while making sure there is no packet
reordering within the flow. Having as much granularity in the flow-id as
possible is the key to getting this to work well.

--Sowmini

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
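Added example (not from the thread above, and not Libreswan or RDS code): a toy model of the entropy argument. It hashes what a host's RSS or a switch's ECMP can actually see for three cases: plaintext TCP (the 5-tuple), ESP with one SA for all streams (addresses plus one SPI, since the ports are encrypted), and ESP with one SA per stream (a different SPI per flow, the PFP situation). Everything in it is constructed: the addresses, the client ports, the SPI values, the 8-queue fan-out, the XOR-fold hash standing in for the NIC's Toeplitz hash, and the simplifying assumption that each queue or path caps out at the 4 Gbps single-stream figure from the mail.

```python
"""Toy model of flow-based parallelism (RSS at the host, ECMP at a switch)
for plaintext TCP, ESP with a single SA, and ESP with a per-flow SPI.
All values are constructed for illustration; the hash is a stand-in."""
import struct

N_QUEUES = 8          # assumption: 8 RSS queues / ECMP paths, power of two
PER_PATH_GBPS = 4     # assumption: one stream, one path, caps at 4 Gbps

# constructed sample endpoints: one client IP, one server IP, one server port
SRC, DST, SERVER_PORT = "10.0.0.1", "10.0.0.2", 16385
# 8 mprds-style streams: 8 client ports to the single server port
CLIENT_PORTS = [40000 + i for i in range(8)]


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def xor_fold_hash(key: bytes, n_queues: int = N_QUEUES) -> int:
    """Simplified stand-in for the NIC/switch flow hash: XOR every 16-bit
    word of the key, then mask to the queue count. Real hardware mostly
    uses Toeplitz, but the property that matters here is the same: the
    hash has no more entropy than the fields that went into the key."""
    if len(key) % 2:
        key += b"\x00"
    h = 0
    for (word,) in struct.iter_unpack("!H", key):
        h ^= word
    return h & (n_queues - 1)


def tcp_key(src: str, dst: str, sport: int, dport: int) -> bytes:
    # plaintext TCP: the hash can see the full 5-tuple
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!HH", sport, dport) + b"\x06"


def esp_key(src: str, dst: str, spi: int) -> bytes:
    # ESP: ports are inside the encrypted payload; only addresses + SPI are visible
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!I", spi) + b"\x32"


def queues_plain_tcp() -> dict:
    """client port -> queue, no IPsec"""
    return {p: xor_fold_hash(tcp_key(SRC, DST, p, SERVER_PORT)) for p in CLIENT_PORTS}


def queues_single_sa(spi: int = 0x1000) -> dict:
    """client port -> queue, every stream inside the same SA (one SPI)"""
    return {p: xor_fold_hash(esp_key(SRC, DST, spi)) for p in CLIENT_PORTS}


def queues_per_flow_spi(base_spi: int = 0x1000) -> dict:
    """client port -> queue, each stream in its own SA (PFP-style, one SPI each)"""
    return {p: xor_fold_hash(esp_key(SRC, DST, base_spi + i))
            for i, p in enumerate(CLIENT_PORTS)}


def distinct_queues(mapping: dict) -> int:
    return len(set(mapping.values()))


def aggregate_gbps(mapping: dict) -> int:
    """Under the per-path cap assumption, throughput scales with the number
    of distinct queues/paths the streams actually land on."""
    return PER_PATH_GBPS * distinct_queues(mapping)


def no_reordering_within_flow(packets_per_flow: int = 5) -> bool:
    """Sanity check: repeated packets of one flow always hash to one queue,
    so spreading flows never reorders packets inside a flow."""
    for p in CLIENT_PORTS:
        hits = {xor_fold_hash(tcp_key(SRC, DST, p, SERVER_PORT)) for _ in range(packets_per_flow)}
        if len(hits) != 1:
            return False
    return True


if __name__ == "__main__":
    for label, mapping in (("plaintext TCP", queues_plain_tcp()),
                           ("ESP, single SA", queues_single_sa()),
                           ("ESP, per-flow SPI", queues_per_flow_spi())):
        print(f"{label:18s} queues used: {distinct_queues(mapping)}  "
              f"modelled aggregate: {aggregate_gbps(mapping)} Gbps  ({mapping})")
```

With the single SA every stream produces the identical key, so the hash collapses all 8 streams onto one queue and the model reproduces the "single-stream throughput" ceiling from the mail; giving each stream its own SPI restores the spread that the plaintext 5-tuple had, without any reordering inside a flow.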
