So much entropy it's coming out of our ears?
sam at errno.com
Wed Aug 4 21:40:30 PDT 2004
On Wednesday 04 August 2004 08:56 pm, Robert Watson wrote:
> Another observation is that we seem to be doing a lot of entropy
> gathering. That is to say -- a lot. On a busy system, I have to wonder
> whether we're not paying a high cost to gather more entropy than we really
> need. I'm not familiar with the Yarrow implementation nor harvesting
> bits, but I'd pose this question to you: right now, we appear to pay four
> mutex operations per packet if the fifo isn't full. Can we rate limit
> entropy gathering in entropy-rich systems to avoid doing so much work? If
> we're processing 25,000 or 100,000 packets a second, that's a lot of goup
> passing through Yarrow. Is it possible to do lockless rate limiting so
> that we gather it only once every few seconds? This might make a big
> aggregate difference when processing ethernet packets at a high rate, such
> as in bridging/forwarding scenarios, etc.
Virtually all performance-sensitive installations will disable entropy
gathering through fast paths. I've suggested for a long time that this sort
of collection should be enabled only under dire circumstances and never by
default. Regardless the last time I looked at the entropy harvesting it used
a model where entropy was unilateraly sent for harvest and discarded when too
plentiful. I term this the "push model". I've advocated a "pull model"
where the PRNG requests entropy when a low water mark is hit and/or a hybrid
scheme where producers have some sort of flow control or feedback mechanism.
Everything that goes on inside the PRNG is a separate issue.
More information about the freebsd-current