IPsec's use of processors

Riaan Kruger riaank at gmail.com
Tue Nov 18 03:15:25 PST 2008

On Sat, Nov 15, 2008 at 3:15 PM, Patrick Lamaizière
<patfbsd at davenulle.org> wrote:

> On Fri, 14 Nov 2008 13:37:58 +0200,
> "Riaan Kruger" <riaank at gmail.com> wrote:
> > I would like to know how IPsec makes use of a multi processor machine?
> >
> > I have a gateway (FreeBSD 7.0) with four SAs configured. When testing
> > throughput through the configured SAs, I see (with systat) that only
> > one cpu works really hard (+-10% idle min), two others work a bit
> > (+-70% idle min) and the fourth CPU does pretty much nothing.
> >
> > Is this normal, shouldn't at least the two cpus work hard because of
> > the high throughput?
> I guess that's because the cryptographic requests are dispatched
> and done by two kernel threads. The thread 'crypto' dispatches and
> processes the requests, the thread 'crypto-returns' returns the results.
> You can see these kernel threads with top S H
> Regards.

Thanks for your reply.

So there is one thread to dispatch the crypto operations to the crypto
providers and another to get the return.  Also, if I am using software crypto
providers, as supplied per default on FreeBSD, there will be effectively one
thread that does the actual symmetric crypto operations.  I think this is so
because the actual crypto operations in cryptosoft are synchronous and will
complete and then return. With hardware crypto providers the crypto thread
will pass the operation to the device and return letting the driver of the
device call back when it is done.

If my above assessment is correct then using the software crypto providers
will result in only 1 CPU effectively being used for symmetric encryption.

