So much entropy it's coming out of our ears?

Sam Leffler sam at
Wed Aug 4 21:40:30 PDT 2004

On Wednesday 04 August 2004 08:56 pm, Robert Watson wrote:

> Another observation is that we seem to be doing a lot of entropy
> gathering.  That is to say -- a lot.  On a busy system, I have to wonder
> whether we're not paying a high cost to gather more entropy than we really
> need.  I'm not familiar with the Yarrow implementation nor harvesting
> bits, but I'd pose this question to you: right now, we appear to pay four
> mutex operations per packet if the fifo isn't full.  Can we rate limit
> entropy gathering in entropy-rich systems to avoid doing so much work?  If
> we're processing 25,000 or 100,000 packets a second, that's a lot of goop
> passing through Yarrow.  Is it possible to do lockless rate limiting so
> that we gather it only once every few seconds?  This might make a big
> aggregate difference when processing ethernet packets at a high rate, such
> as in bridging/forwarding scenarios, etc.

Virtually all performance-sensitive installations will disable entropy 
gathering through fast paths.  I've suggested for a long time that this sort 
of collection should be enabled only under dire circumstances and never by 
default.  Regardless, the last time I looked at the entropy harvesting it used 
a model where entropy was unilaterally sent for harvest and discarded when too 
plentiful.  I term this the "push model".  I've advocated a "pull model" 
where the PRNG requests entropy when a low water mark is hit and/or a hybrid 
scheme where producers have some sort of flow control or feedback mechanism. 

Everything that goes on inside the PRNG is a separate issue.
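A small model of the two designs under discussion: the push model, where every packet pays for the harvest path and surplus is discarded, beside a hybrid pull model that gates on a low-water mark and a lockless interval check (Robert's "once every few seconds"). This is an added example of mine, not code from the FreeBSD tree or from either poster; the thresholds, the credit per harvest and the drain rate are all constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed parameters for the model; not FreeBSD's real tunables. */
#define POOL_LOW_WATER   64    /* pull: harvest when credited bits drop below this */
#define POOL_CAP        256    /* push: anything above this is discarded */
#define HARVEST_BITS      8    /* credit per harvested packet */
#define HARVEST_INTERVAL 1000  /* ticks between forced harvests when the pool is full */

struct pool {
    atomic_uint   bits;         /* entropy credit in the pool */
    atomic_ullong last_harvest; /* tick of the last accepted harvest */
    unsigned      harvests;     /* times the expensive (locked) path ran; model-only counter */
};

/* Push model: every packet pays for the harvest path, even if the pool is full. */
static void push_harvest(struct pool *p)
{
    p->harvests++;
    if (atomic_load(&p->bits) < POOL_CAP)
        atomic_fetch_add(&p->bits, HARVEST_BITS);
}

/* Hybrid pull model: a lockless gate lets a packet through only when the pool
 * is below its low-water mark or HARVEST_INTERVAL ticks have passed; a CAS on
 * last_harvest ensures only one of several concurrent packets does the work. */
static bool hybrid_harvest(struct pool *p, unsigned long long now)
{
    unsigned long long last = atomic_load_explicit(&p->last_harvest, memory_order_relaxed);
    if (atomic_load(&p->bits) >= POOL_LOW_WATER && now - last < HARVEST_INTERVAL)
        return false;                       /* fast path: no lock, no work */
    if (!atomic_compare_exchange_strong(&p->last_harvest, &last, now))
        return false;                       /* another packet already harvested */
    p->harvests++;
    atomic_fetch_add(&p->bits, HARVEST_BITS);
    return true;
}

/* Feed `packets` arrivals one tick apart and return how many hit the expensive
 * path; `drain` is how many bits of credit the PRNG consumes per tick. */
static unsigned simulate(unsigned packets, bool hybrid, unsigned drain)
{
    struct pool p = { 0, 0, 0 };
    for (unsigned long long now = 1; now <= packets; now++) {
        if (hybrid) hybrid_harvest(&p, now); else push_harvest(&p);
        unsigned b = atomic_load(&p.bits);
        atomic_store(&p.bits, b > drain ? b - drain : 0);
    }
    return p.harvests;
}
```

With a consumer draining one bit per packet the hybrid model settles into one harvest per eight packets instead of one per packet; with no consumer at all it falls back to the interval and harvests once per HARVEST_INTERVAL ticks.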
